SYMBOLCOMMON_NAMEaka. SYNONYMS
win.chthonic (Back to overview)

Chthonic

aka: AndroKINS
URLhaus    

There is no description at this point.

References
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2017-08-24Blaze's Security BlogBartBlaze
@online{bartblaze:20170824:crystal:16adb4a, author = {BartBlaze}, title = {{Crystal Finance Millennium used to spread malware}}, date = {2017-08-24}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html}, language = {English}, urldate = {2020-02-01} } Crystal Finance Millennium used to spread malware
Chthonic SmokeLoader
2016-07-26ProofpointProofpoint
@online{proofpoint:20160726:threat:076e87a, author = {Proofpoint}, title = {{Threat Actors Using Legitimate PayPal Accounts To Distribute Chthonic Banking Trojan}}, date = {2016-07-26}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan}, language = {English}, urldate = {2019-07-09} } Threat Actors Using Legitimate PayPal Accounts To Distribute Chthonic Banking Trojan
Azorult Chthonic
Yara Rules
[TLP:WHITE] win_chthonic_auto (20220516 | Detects win.chthonic.)
rule win_chthonic_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.chthonic."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chthonic"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 53 ff7510 ff7508 e8???????? 85c0 7502 b301 }
            // n = 7, score = 600
            //   53                   | push                ebx
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7502                 | jne                 4
            //   b301                 | mov                 bl, 1

        $sequence_1 = { 4f 81cf00ffffff 47 8a01 8845ff }
            // n = 5, score = 600
            //   4f                   | dec                 edi
            //   81cf00ffffff         | or                  edi, 0xffffff00
            //   47                   | inc                 edi
            //   8a01                 | mov                 al, byte ptr [ecx]
            //   8845ff               | mov                 byte ptr [ebp - 1], al

        $sequence_2 = { 3bc3 7cf4 33f6 33d2 8bc6 f77514 }
            // n = 6, score = 600
            //   3bc3                 | cmp                 eax, ebx
            //   7cf4                 | jl                  0xfffffff6
            //   33f6                 | xor                 esi, esi
            //   33d2                 | xor                 edx, edx
            //   8bc6                 | mov                 eax, esi
            //   f77514               | div                 dword ptr [ebp + 0x14]

        $sequence_3 = { eb00 8b4dfc 8d0c4e 894dfc 85ff }
            // n = 5, score = 600
            //   eb00                 | jmp                 2
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8d0c4e               | lea                 ecx, [esi + ecx*2]
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   85ff                 | test                edi, edi

        $sequence_4 = { c3 8b442404 8b08 41 8a11 8908 8b09 }
            // n = 7, score = 600
            //   c3                   | ret                 
            //   8b442404             | mov                 eax, dword ptr [esp + 4]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   41                   | inc                 ecx
            //   8a11                 | mov                 dl, byte ptr [ecx]
            //   8908                 | mov                 dword ptr [eax], ecx
            //   8b09                 | mov                 ecx, dword ptr [ecx]

        $sequence_5 = { 83c410 f60680 7408 8a06 32c3 }
            // n = 5, score = 600
            //   83c410               | add                 esp, 0x10
            //   f60680               | test                byte ptr [esi], 0x80
            //   7408                 | je                  0xa
            //   8a06                 | mov                 al, byte ptr [esi]
            //   32c3                 | xor                 al, bl

        $sequence_6 = { 8a08 32cb 80e17f 8808 b001 5b c3 }
            // n = 7, score = 600
            //   8a08                 | mov                 cl, byte ptr [eax]
            //   32cb                 | xor                 cl, bl
            //   80e17f               | and                 cl, 0x7f
            //   8808                 | mov                 byte ptr [eax], cl
            //   b001                 | mov                 al, 1
            //   5b                   | pop                 ebx
            //   c3                   | ret                 

        $sequence_7 = { 894dfc 85ff 7459 4f 8bf0 }
            // n = 5, score = 600
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   85ff                 | test                edi, edi
            //   7459                 | je                  0x5b
            //   4f                   | dec                 edi
            //   8bf0                 | mov                 esi, eax

        $sequence_8 = { 894df0 e9???????? 8b4514 8b4df4 8908 33c0 3b550c }
            // n = 7, score = 600
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx
            //   e9????????           |                     
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   8908                 | mov                 dword ptr [eax], ecx
            //   33c0                 | xor                 eax, eax
            //   3b550c               | cmp                 edx, dword ptr [ebp + 0xc]

        $sequence_9 = { 5f 894dfc e9???????? 0fb60c1a 83c6fd c1e608 }
            // n = 6, score = 600
            //   5f                   | pop                 edi
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   e9????????           |                     
            //   0fb60c1a             | movzx               ecx, byte ptr [edx + ebx]
            //   83c6fd               | add                 esi, -3
            //   c1e608               | shl                 esi, 8

    condition:
        7 of them and filesize < 425984
}
Download all Yara Rules