Vawtrak

Category: banking_trojan · Aliases: neverquest, snifula, win32.vawtrak, vawtrak.a, vawtrak.b · Sample count (EMBER 2018): 50 · Enrichment: expert-seo · Updated: 2026-06-09

Overview

Trojan:Win32/Vawtrak (also known as Neverquest) is an advanced, highly modular banking trojan focused on intercepting financial credentials, stealing digital certificates, and bypassing multi-factor authentication.

Understanding Vawtrak
For consumers, Vawtrak operates invisibly until fraudulent wire transfers deplete their bank accounts. For threat intelligence analysts, Vawtrak is a premium Cybercrime-as-a-Service (CaaS) tool. It differentiates itself through its deep integration of web injects, keylogging, video capture, and a hidden VNC server module, allowing remote attackers to perform transactions directly from the victim's compromised, pre-authenticated IP address.

Execution and Evasion Strategies
Vawtrak is typically distributed via exploit kits (like Angler) or massive spam campaigns utilizing macros or weaponized ZIP attachments. Upon execution, it disables anti-virus software by modifying the registry and terminating security processes (using a Software Restriction Policy bypass). It then injects its core DLL into explorer.exe and all running web browsers. The malware utilizes steganography, downloading updated configuration files hidden within seemingly innocuous image files (like favicons) hosted on compromised websites.

Indicators of Compromise & Impact
Incident responders should look for heavily obfuscated DLLs injected into browser processes and the presence of encrypted .dat files in the %AppData% folder. Anomalous outbound traffic requesting small image files from unknown domains, combined with unauthorized VNC connections (often brokered through reverse proxies), are strong IoCs. The financial impact is often severe, as Vawtrak's web injects can dynamically alter account balances to hide the theft from the user in real-time.

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

Observed techniques used by this family, mapped to the MITRE ATT&CK framework:

TechniqueNameTactic
T1185Browser Session HijackingCollection
T1055.001Process Injection: Dynamic-link Library InjectionDefense Evasion
T1022Data Encrypted for ImpactImpact
T1562.001Impair Defenses: Disable or Modify ToolsDefense Evasion
T1027.003Obfuscated Files or Information: SteganographyDefense Evasion

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_VAWTRAK {
    meta:
        description = "Detects Vawtrak (banking_trojan)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "vawtrak" ascii wide nocase
        $s2 = "neverquest" ascii wide nocase
        $s3 = "snifula" ascii wide nocase
        $s4 = "win32.vawtrak" ascii wide nocase
        $s5 = "vawtrak.a" ascii wide nocase
        $s6 = "vawtrak.b" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Vawtrak Activity
id: 8665c0c7a951e6e9cf68d9bc06395a64
status: experimental
description: Detects generic indicators of the vawtrak malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*vawtrak*"
            - "*neverquest*"
            - "*snifula*"
            - "*win32.vawtrak*"
            - "*vawtrak.a*"
            - "*vawtrak.b*"
    condition: selection
level: medium

Containment & Response Steps

Ordered checklist for responders. Adapt to your environment and engage professional support for active incidents.

  1. Disconnect the endpoint immediately to terminate the attacker's hidden VNC session and halt financial transactions.
  2. Force a password reset for all financial institutions, ensuring the user logs in from a known-clean device.
  3. Capture a memory dump before powering down the machine to extract Vawtrak's decrypted web inject configuration and steganographic payload.
  4. Deploy Endpoint Detection and Response (EDR) rules to hunt for unauthorized DLL injections within <code>explorer.exe</code>.

What to Avoid

Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.

  1. Do not assume two-factor authentication (2FA) via SMS is sufficient protection; Vawtrak's web injects will dynamically prompt the user for the code and steal it.
  2. Avoid relying on static signatures, as Vawtrak frequently updates its packed modules and obfuscates its C2 traffic.

References & External Analysis

Frequently Asked Questions

What is Vawtrak?

A banking trojan that steals financial credentials using web injection.

How was Vawtrak distributed?

Through phishing and as a payload from other malware such as downloaders.

What is another name for Vawtrak?

It is also known as Neverquest.

Related Families (Category: banking_trojan)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/vawtrak.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.