SYMBOLCOMMON_NAMEaka. SYNONYMS
win.chthonic (Back to overview)

Chthonic

aka: AndroKINS
URLhaus    

There is no description at this point.

References
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2017-08-24Blaze's Security BlogBartBlaze
@online{bartblaze:20170824:crystal:16adb4a, author = {BartBlaze}, title = {{Crystal Finance Millennium used to spread malware}}, date = {2017-08-24}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html}, language = {English}, urldate = {2020-02-01} } Crystal Finance Millennium used to spread malware
Chthonic SmokeLoader
2016-07-26ProofpointProofpoint
@online{proofpoint:20160726:threat:076e87a, author = {Proofpoint}, title = {{Threat Actors Using Legitimate PayPal Accounts To Distribute Chthonic Banking Trojan}}, date = {2016-07-26}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan}, language = {English}, urldate = {2019-07-09} } Threat Actors Using Legitimate PayPal Accounts To Distribute Chthonic Banking Trojan
Azorult Chthonic
Yara Rules
[TLP:WHITE] win_chthonic_auto (20210616 | Detects win.chthonic.)
rule win_chthonic_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.chthonic."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chthonic"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 884dff 8d8cbdfcfbffff 8b11 8910 0fb655ff 8911 }
            // n = 6, score = 600
            //   884dff               | mov                 byte ptr [ebp - 1], cl
            //   8d8cbdfcfbffff       | lea                 ecx, dword ptr [ebp + edi*4 - 0x404]
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   8910                 | mov                 dword ptr [eax], edx
            //   0fb655ff             | movzx               edx, byte ptr [ebp - 1]
            //   8911                 | mov                 dword ptr [ecx], edx

        $sequence_1 = { 7cf4 33f6 33d2 8bc6 f77514 }
            // n = 5, score = 600
            //   7cf4                 | jl                  0xfffffff6
            //   33f6                 | xor                 esi, esi
            //   33d2                 | xor                 edx, edx
            //   8bc6                 | mov                 eax, esi
            //   f77514               | div                 dword ptr [ebp + 0x14]

        $sequence_2 = { 03f8 81e7ff000080 7908 4f 81cf00ffffff 47 8a01 }
            // n = 7, score = 600
            //   03f8                 | add                 edi, eax
            //   81e7ff000080         | and                 edi, 0x800000ff
            //   7908                 | jns                 0xa
            //   4f                   | dec                 edi
            //   81cf00ffffff         | or                  edi, 0xffffff00
            //   47                   | inc                 edi
            //   8a01                 | mov                 al, byte ptr [ecx]

        $sequence_3 = { e9???????? 0fb60c1a 83c6fd c1e608 03ce 42 }
            // n = 6, score = 600
            //   e9????????           |                     
            //   0fb60c1a             | movzx               ecx, byte ptr [edx + ebx]
            //   83c6fd               | add                 esi, -3
            //   c1e608               | shl                 esi, 8
            //   03ce                 | add                 ecx, esi
            //   42                   | inc                 edx

        $sequence_4 = { e9???????? 0fb60c1a 83c6fd c1e608 03ce 42 83f9ff }
            // n = 7, score = 600
            //   e9????????           |                     
            //   0fb60c1a             | movzx               ecx, byte ptr [edx + ebx]
            //   83c6fd               | add                 esi, -3
            //   c1e608               | shl                 esi, 8
            //   03ce                 | add                 ecx, esi
            //   42                   | inc                 edx
            //   83f9ff               | cmp                 ecx, -1

        $sequence_5 = { c3 8b442404 8b08 8a5102 56 0fb67101 }
            // n = 6, score = 600
            //   c3                   | ret                 
            //   8b442404             | mov                 eax, dword ptr [esp + 4]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   8a5102               | mov                 dl, byte ptr [ecx + 2]
            //   56                   | push                esi
            //   0fb67101             | movzx               esi, byte ptr [ecx + 1]

        $sequence_6 = { 0bc1 89470c 5f 5e }
            // n = 4, score = 600
            //   0bc1                 | or                  eax, ecx
            //   89470c               | mov                 dword ptr [edi + 0xc], eax
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_7 = { 8a01 3c5a 7f08 3c41 7c04 0420 8801 }
            // n = 7, score = 600
            //   8a01                 | mov                 al, byte ptr [ecx]
            //   3c5a                 | cmp                 al, 0x5a
            //   7f08                 | jg                  0xa
            //   3c41                 | cmp                 al, 0x41
            //   7c04                 | jl                  6
            //   0420                 | add                 al, 0x20
            //   8801                 | mov                 byte ptr [ecx], al

        $sequence_8 = { 8911 8b00 8b4d08 03c2 25ff000080 7907 48 }
            // n = 7, score = 600
            //   8911                 | mov                 dword ptr [ecx], edx
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   03c2                 | add                 eax, edx
            //   25ff000080           | and                 eax, 0x800000ff
            //   7907                 | jns                 9
            //   48                   | dec                 eax

        $sequence_9 = { 6a2a 58 ff7508 66894108 }
            // n = 4, score = 600
            //   6a2a                 | push                0x2a
            //   58                   | pop                 eax
            //   ff7508               | push                dword ptr [ebp + 8]
            //   66894108             | mov                 word ptr [ecx + 8], ax

    condition:
        7 of them and filesize < 425984
}
Download all Yara Rules