win.chthonic

Chthonic

aka: AndroKINS

There is no description at this point.

References
https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan
https://www.s21sec.com/en/blog/2017/07/androkins/
https://securelist.com/chthonic-a-new-modification-of-zeus/68176/
Yara Rules
[TLP:WHITE] win_chthonic_auto (20180607 | autogenerated rule brought to you by yara-signator)
rule win_chthonic_auto {

    /*
     * Purpose: auto-generated code-pattern signature for the Chthonic
     * (aka AndroKINS) banking trojan, tracked by Malpedia as win.chthonic.
     * Each $sequence_N below is a short run of x86 opcode bytes lifted from
     * the disassembly of unpacked samples / memory dumps; the rule fires when
     * at least 7 of the 10 sequences occur anywhere in the scanned data
     * (see the condition section).
     *
     * NOTE(review): judging from the disassembly comments, most sequences are
     * not family-specific logic but building blocks of a compiled MD5: the
     * rol 6 / rol 0xb / rol 0xe steps and the lea displacements 0x655b59c3,
     * -0xbd6ddbc (= 0xf4292244) and -0x155ed806 (= 0xeaa127fa) in
     * $sequence_1/3/7 line up with MD5 round constants and rotation amounts,
     * and $sequence_8 looks like a mask-and-rotate 32-bit byte swap. Any
     * binary carrying a statically linked MD5 built by a similar compiler may
     * therefore satisfy "7 of them". Treat a hit as a lead to corroborate
     * with other rules, C2 indicators or sandbox behaviour, not as a family
     * attribution on its own.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2018-11-23"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chthonic"
        malpedia_version = "20180607"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Each hex string is an exact, contiguous byte match (no wildcards, no
        // jumps), so a different register allocation or instruction ordering
        // in another build of the same code will not match.
        $sequence_0 = { f7d7 23fa c1c00e 03c2 }
            // n = 4, score = 4000
            // n = number of instructions in the sequence; score = yara-signator's
            // ranking value for the sequence (scale not documented in this rule)
            //   f7d7                 | not                 edi
            //   23fa                 | and                 edi, edx
            //   c1c00e               | rol                 eax, 0xe
            //   03c2                 | add                 eax, edx
            // not/and followed by rol 14 — looks like an MD5 round-2 (G) step

        $sequence_1 = { 035de4 8d9413c3595b65 c1c206 03d0 }
            // n = 4, score = 4000
            //   035de4               | add                 ebx, dword ptr [ebp - 0x1c]
            //   8d9413c3595b65       | lea                 edx, dword ptr [ebx + edx + 0x655b59c3]
            //   c1c206               | rol                 edx, 6
            //   03d0                 | add                 edx, eax
            // add / lea-with-constant / rol 6 / add — MD5 round-4 (I) step shape;
            // 0x655b59c3 is an MD5 round constant

        $sequence_2 = { 8b4904 57 56 83e908 }
            // n = 4, score = 4000
            //   8b4904               | mov                 ecx, dword ptr [ecx + 4]
            //   57                   | push                edi
            //   56                   | push                esi
            //   83e908               | sub                 ecx, 8
            // short, generic register save / pointer adjust — low specificity alone

        $sequence_3 = { 8d9c1ffa27a1ea c1c30b 03da 8bfb }
            // n = 4, score = 4000
            //   8d9c1ffa27a1ea       | lea                 ebx, dword ptr [edi + ebx - 0x155ed806]
            //   c1c30b               | rol                 ebx, 0xb
            //   03da                 | add                 ebx, edx
            //   8bfb                 | mov                 edi, ebx
            // -0x155ed806 == 0xeaa127fa, an MD5 round-3 constant; rol 11 fits round 3 (H)

        $sequence_4 = { 23df 0bf3 0375d4 8b5df8 }
            // n = 4, score = 4000
            //   23df                 | and                 ebx, edi
            //   0bf3                 | or                  esi, ebx
            //   0375d4               | add                 esi, dword ptr [ebp - 0x2c]
            //   8b5df8               | mov                 ebx, dword ptr [ebp - 8]
            // and/or then add of a stack slot — same G-function shape as $sequence_6

        $sequence_5 = { c1c60b 03f2 8bde 33d8 }
            // n = 4, score = 4000
            //   c1c60b               | rol                 esi, 0xb
            //   03f2                 | add                 esi, edx
            //   8bde                 | mov                 ebx, esi
            //   33d8                 | xor                 ebx, eax
            // rol 11 / add / xor — consistent with an MD5 round-3 (H) step

        $sequence_6 = { f7d6 23f7 0bf3 0375e0 }
            // n = 4, score = 4000
            //   f7d6                 | not                 esi
            //   23f7                 | and                 esi, edi
            //   0bf3                 | or                  esi, ebx
            //   0375e0               | add                 esi, dword ptr [ebp - 0x20]
            // not/and/or then add of a stack slot — MD5 G-function shape

        $sequence_7 = { 035db4 8d9413442229f4 c1c206 03d0 }
            // n = 4, score = 4000
            //   035db4               | add                 ebx, dword ptr [ebp - 0x4c]
            //   8d9413442229f4       | lea                 edx, dword ptr [ebx + edx - 0xbd6ddbc]
            //   c1c206               | rol                 edx, 6
            //   03d0                 | add                 edx, eax
            // -0xbd6ddbc == 0xf4292244, an MD5 round-4 constant; same step shape as $sequence_1

        $sequence_8 = { b900ff00ff 23d9 c1c608 b8ff00ff00 }
            // n = 4, score = 4000
            //   b900ff00ff           | mov                 ecx, 0xff00ff00
            //   23d9                 | and                 ebx, ecx
            //   c1c608               | rol                 esi, 8
            //   b8ff00ff00           | mov                 eax, 0xff00ff
            // 0xff00ff00 / 0x00ff00ff masks with rol 8 — looks like a mask-and-rotate
            // byte swap (endianness conversion), common in hash and network code

        $sequence_9 = { 50 53 83c10c 53 }
            // n = 4, score = 4000
            //   50                   | push                eax
            //   53                   | push                ebx
            //   83c10c               | add                 ecx, 0xc
            //   53                   | push                ebx
            // generic argument-push pattern — low specificity alone

    condition:
        // At least 7 of the 10 $sequence_* strings must be present, at any
        // offset. There is no PE-header (uint16(0) == 0x5a4d) or filesize
        // guard, so the rule is evaluated on arbitrary input; that keeps it
        // usable on headerless memory dumps, but a PE-only scanning pipeline
        // may want such a guard to cut evaluation cost and non-PE matches.
        7 of them
}