SYMBOLCOMMON_NAMEaka. SYNONYMS
win.chthonic (Back to overview)

Chthonic

aka: AndroKINS
URLhaus    

There is no description at this point.

References
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2017-08-24Blaze's Security BlogBartBlaze
@online{bartblaze:20170824:crystal:16adb4a, author = {BartBlaze}, title = {{Crystal Finance Millennium used to spread malware}}, date = {2017-08-24}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html}, language = {English}, urldate = {2020-02-01} } Crystal Finance Millennium used to spread malware
Chthonic SmokeLoader
2016-07-26ProofpointProofpoint
@online{proofpoint:20160726:threat:076e87a, author = {Proofpoint}, title = {{Threat Actors Using Legitimate PayPal Accounts To Distribute Chthonic Banking Trojan}}, date = {2016-07-26}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan}, language = {English}, urldate = {2019-07-09} } Threat Actors Using Legitimate PayPal Accounts To Distribute Chthonic Banking Trojan
Azorult Chthonic
Yara Rules
[TLP:WHITE] win_chthonic_auto (20230125 | Detects win.chthonic.)
rule win_chthonic_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.chthonic."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chthonic"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 81cf00ffffff 47 8a01 8845ff 8d84bdfcfbffff }
            // n = 5, score = 600
            //   81cf00ffffff         | or                  edi, 0xffffff00
            //   47                   | inc                 edi
            //   8a01                 | mov                 al, byte ptr [ecx]
            //   8845ff               | mov                 byte ptr [ebp - 1], al
            //   8d84bdfcfbffff       | lea                 eax, [ebp + edi*4 - 0x404]

        $sequence_1 = { 81e1ff00ff00 0bc1 89470c 5f }
            // n = 4, score = 600
            //   81e1ff00ff00         | and                 ecx, 0xff00ff
            //   0bc1                 | or                  eax, ecx
            //   89470c               | mov                 dword ptr [edi + 0xc], eax
            //   5f                   | pop                 edi

        $sequence_2 = { 83c410 f60680 7408 8a06 32c3 247f }
            // n = 6, score = 600
            //   83c410               | add                 esp, 0x10
            //   f60680               | test                byte ptr [esi], 0x80
            //   7408                 | je                  0xa
            //   8a06                 | mov                 al, byte ptr [esi]
            //   32c3                 | xor                 al, bl
            //   247f                 | and                 al, 0x7f

        $sequence_3 = { 5f c1ee1f eba3 8b041a 6a1f }
            // n = 5, score = 600
            //   5f                   | pop                 edi
            //   c1ee1f               | shr                 esi, 0x1f
            //   eba3                 | jmp                 0xffffffa5
            //   8b041a               | mov                 eax, dword ptr [edx + ebx]
            //   6a1f                 | push                0x1f

        $sequence_4 = { 81ce00ffffff 46 8d84b5fcfbffff 8b08 }
            // n = 4, score = 600
            //   81ce00ffffff         | or                  esi, 0xffffff00
            //   46                   | inc                 esi
            //   8d84b5fcfbffff       | lea                 eax, [ebp + esi*4 - 0x404]
            //   8b08                 | mov                 ecx, dword ptr [eax]

        $sequence_5 = { 016e04 83c703 013e 8b36 83c410 f60680 7408 }
            // n = 7, score = 600
            //   016e04               | add                 dword ptr [esi + 4], ebp
            //   83c703               | add                 edi, 3
            //   013e                 | add                 dword ptr [esi], edi
            //   8b36                 | mov                 esi, dword ptr [esi]
            //   83c410               | add                 esp, 0x10
            //   f60680               | test                byte ptr [esi], 0x80
            //   7408                 | je                  0xa

        $sequence_6 = { 8bc1 c1c808 2500ff00ff c1c108 81e1ff00ff00 0bc1 89470c }
            // n = 7, score = 600
            //   8bc1                 | mov                 eax, ecx
            //   c1c808               | ror                 eax, 8
            //   2500ff00ff           | and                 eax, 0xff00ff00
            //   c1c108               | rol                 ecx, 8
            //   81e1ff00ff00         | and                 ecx, 0xff00ff
            //   0bc1                 | or                  eax, ecx
            //   89470c               | mov                 dword ptr [edi + 0xc], eax

        $sequence_7 = { c1ee1f eba3 8b041a 6a1f 8bf0 }
            // n = 5, score = 600
            //   c1ee1f               | shr                 esi, 0x1f
            //   eba3                 | jmp                 0xffffffa5
            //   8b041a               | mov                 eax, dword ptr [edx + ebx]
            //   6a1f                 | push                0x1f
            //   8bf0                 | mov                 esi, eax

        $sequence_8 = { 016e04 83c703 013e 8b36 83c410 }
            // n = 5, score = 600
            //   016e04               | add                 dword ptr [esi + 4], ebp
            //   83c703               | add                 edi, 3
            //   013e                 | add                 dword ptr [esi], edi
            //   8b36                 | mov                 esi, dword ptr [esi]
            //   83c410               | add                 esp, 0x10

        $sequence_9 = { 7908 4f 81cf00ffffff 47 8a01 8845ff 8d84bdfcfbffff }
            // n = 7, score = 600
            //   7908                 | jns                 0xa
            //   4f                   | dec                 edi
            //   81cf00ffffff         | or                  edi, 0xffffff00
            //   47                   | inc                 edi
            //   8a01                 | mov                 al, byte ptr [ecx]
            //   8845ff               | mov                 byte ptr [ebp - 1], al
            //   8d84bdfcfbffff       | lea                 eax, [ebp + edi*4 - 0x404]

    condition:
        7 of them and filesize < 425984
}
Download all Yara Rules