Trojan:Win32/Vawtrak (also known as Neverquest) is an advanced, highly modular banking trojan focused on intercepting financial credentials, stealing digital certificates, and bypassing multi-factor authentication.
Understanding Vawtrak
For consumers, Vawtrak operates invisibly until fraudulent wire transfers deplete their bank accounts. For threat intelligence analysts, Vawtrak is a premium Cybercrime-as-a-Service (CaaS) tool. It differentiates itself through its deep integration of web injects, keylogging, video capture, and a hidden VNC server module, allowing remote attackers to perform transactions directly from the victim's compromised, pre-authenticated IP address.
Execution and Evasion Strategies
Vawtrak is typically distributed via exploit kits (like Angler) or massive spam campaigns utilizing macros or weaponized ZIP attachments. Upon execution, it disables anti-virus software by modifying the registry and terminating security processes (using a Software Restriction Policy bypass). It then injects its core DLL into explorer.exe and all running web browsers. The malware utilizes steganography, downloading updated configuration files hidden within seemingly innocuous image files (like favicons) hosted on compromised websites.
Indicators of Compromise & Impact
Incident responders should look for heavily obfuscated DLLs injected into browser processes and the presence of encrypted .dat files in the %AppData% folder. Anomalous outbound traffic requesting small image files from unknown domains, combined with unauthorized VNC connections (often brokered through reverse proxies), are strong IoCs. The financial impact is often severe, as Vawtrak's web injects can dynamically alter account balances to hide the theft from the user in real-time.
Threat reports may refer to this family under multiple names:
Observed techniques used by this family, mapped to the MITRE ATT&CK framework:
| Technique | Name | Tactic |
|---|---|---|
T1185 | Browser Session Hijacking | Collection |
T1055.001 | Process Injection: Dynamic-link Library Injection | Defense Evasion |
T1022 | Data Encrypted for Impact | Impact |
T1562.001 | Impair Defenses: Disable or Modify Tools | Defense Evasion |
T1027.003 | Obfuscated Files or Information: Steganography | Defense Evasion |
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_VAWTRAK {
meta:
description = "Detects Vawtrak (banking_trojan)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "vawtrak" ascii wide nocase
$s2 = "neverquest" ascii wide nocase
$s3 = "snifula" ascii wide nocase
$s4 = "win32.vawtrak" ascii wide nocase
$s5 = "vawtrak.a" ascii wide nocase
$s6 = "vawtrak.b" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Vawtrak Activity
id: 8665c0c7a951e6e9cf68d9bc06395a64
status: experimental
description: Detects generic indicators of the vawtrak malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*vawtrak*"
- "*neverquest*"
- "*snifula*"
- "*win32.vawtrak*"
- "*vawtrak.a*"
- "*vawtrak.b*"
condition: selection
level: mediumOrdered checklist for responders. Adapt to your environment and engage professional support for active incidents.
Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.
A banking trojan that steals financial credentials using web injection.
Through phishing and as a payload from other malware such as downloaders.
It is also known as Neverquest.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/vawtrak.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.