SYMBOLCOMMON_NAMEaka. SYNONYMS
win.chthonic (Back to overview)

Chthonic

aka: AndroKINS
URLhaus    

There is no description at this point.

References
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2017-08-24Blaze's Security BlogBartBlaze
@online{bartblaze:20170824:crystal:16adb4a, author = {BartBlaze}, title = {{Crystal Finance Millennium used to spread malware}}, date = {2017-08-24}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html}, language = {English}, urldate = {2020-02-01} } Crystal Finance Millennium used to spread malware
Chthonic SmokeLoader
2016-07-26ProofpointProofpoint
@online{proofpoint:20160726:threat:076e87a, author = {Proofpoint}, title = {{Threat Actors Using Legitimate PayPal Accounts To Distribute Chthonic Banking Trojan}}, date = {2016-07-26}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan}, language = {English}, urldate = {2019-07-09} } Threat Actors Using Legitimate PayPal Accounts To Distribute Chthonic Banking Trojan
Azorult Chthonic
Yara Rules
[TLP:WHITE] win_chthonic_auto (20230715 | Detects win.chthonic.)
rule win_chthonic_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.chthonic."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chthonic"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { d3ee 83e601 8975fc eb00 85ff 0f84bd000000 4f }
            // n = 7, score = 600
            //   d3ee                 | shr                 esi, cl
            //   83e601               | and                 esi, 1
            //   8975fc               | mov                 dword ptr [ebp - 4], esi
            //   eb00                 | jmp                 2
            //   85ff                 | test                edi, edi
            //   0f84bd000000         | je                  0xc3
            //   4f                   | dec                 edi

        $sequence_1 = { eb00 85f6 74cb 8b75f8 }
            // n = 4, score = 600
            //   eb00                 | jmp                 2
            //   85f6                 | test                esi, esi
            //   74cb                 | je                  0xffffffcd
            //   8b75f8               | mov                 esi, dword ptr [ebp - 8]

        $sequence_2 = { 83c703 013e 8b36 83c410 f60680 }
            // n = 5, score = 600
            //   83c703               | add                 edi, 3
            //   013e                 | add                 dword ptr [esi], edi
            //   8b36                 | mov                 esi, dword ptr [esi]
            //   83c410               | add                 esp, 0x10
            //   f60680               | test                byte ptr [esi], 0x80

        $sequence_3 = { 8845ff 8d84bdfcfbffff 8b10 8911 }
            // n = 4, score = 600
            //   8845ff               | mov                 byte ptr [ebp - 1], al
            //   8d84bdfcfbffff       | lea                 eax, [ebp + edi*4 - 0x404]
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   8911                 | mov                 dword ptr [ecx], edx

        $sequence_4 = { 0301 03f8 81e7ff000080 7908 4f 81cf00ffffff }
            // n = 6, score = 600
            //   0301                 | add                 eax, dword ptr [ecx]
            //   03f8                 | add                 edi, eax
            //   81e7ff000080         | and                 edi, 0x800000ff
            //   7908                 | jns                 0xa
            //   4f                   | dec                 edi
            //   81cf00ffffff         | or                  edi, 0xffffff00

        $sequence_5 = { 83e601 eb00 8b4df8 8d0c4e }
            // n = 4, score = 600
            //   83e601               | and                 esi, 1
            //   eb00                 | jmp                 2
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   8d0c4e               | lea                 ecx, [esi + ecx*2]

        $sequence_6 = { 6a2a 58 ff7508 66894108 b8ecff0000 }
            // n = 5, score = 600
            //   6a2a                 | push                0x2a
            //   58                   | pop                 eax
            //   ff7508               | push                dword ptr [ebp + 8]
            //   66894108             | mov                 word ptr [ecx + 8], ax
            //   b8ecff0000           | mov                 eax, 0xffec

        $sequence_7 = { d3ee 83e601 eb00 85f6 74cb 8b75f8 83fe02 }
            // n = 7, score = 600
            //   d3ee                 | shr                 esi, cl
            //   83e601               | and                 esi, 1
            //   eb00                 | jmp                 2
            //   85f6                 | test                esi, esi
            //   74cb                 | je                  0xffffffcd
            //   8b75f8               | mov                 esi, dword ptr [ebp - 8]
            //   83fe02               | cmp                 esi, 2

        $sequence_8 = { 013e 8b36 83c410 f60680 7408 }
            // n = 5, score = 600
            //   013e                 | add                 dword ptr [esi], edi
            //   8b36                 | mov                 esi, dword ptr [esi]
            //   83c410               | add                 esp, 0x10
            //   f60680               | test                byte ptr [esi], 0x80
            //   7408                 | je                  0xa

        $sequence_9 = { 46 8908 3bf3 7cbc 33db 33f6 33ff }
            // n = 7, score = 600
            //   46                   | inc                 esi
            //   8908                 | mov                 dword ptr [eax], ecx
            //   3bf3                 | cmp                 esi, ebx
            //   7cbc                 | jl                  0xffffffbe
            //   33db                 | xor                 ebx, ebx
            //   33f6                 | xor                 esi, esi
            //   33ff                 | xor                 edi, edi

    condition:
        7 of them and filesize < 425984
}
Download all Yara Rules