SYMBOLCOMMON_NAMEaka. SYNONYMS
win.chthonic (Back to overview)

Chthonic

aka: AndroKINS
URLhaus    

There is no description at this point.

References
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2017-08-24Blaze's Security BlogBartBlaze
@online{bartblaze:20170824:crystal:16adb4a, author = {BartBlaze}, title = {{Crystal Finance Millennium used to spread malware}}, date = {2017-08-24}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html}, language = {English}, urldate = {2020-02-01} } Crystal Finance Millennium used to spread malware
Chthonic SmokeLoader
2016-07-26ProofpointProofpoint
@online{proofpoint:20160726:threat:076e87a, author = {Proofpoint}, title = {{Threat Actors Using Legitimate PayPal Accounts To Distribute Chthonic Banking Trojan}}, date = {2016-07-26}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan}, language = {English}, urldate = {2019-07-09} } Threat Actors Using Legitimate PayPal Accounts To Distribute Chthonic Banking Trojan
Azorult Chthonic
Yara Rules
[TLP:WHITE] win_chthonic_auto (20221125 | Detects win.chthonic.)
rule win_chthonic_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.chthonic."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chthonic"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c1e91f 5f 894dfc e9???????? 0fb60c1a 83c6fd c1e608 }
            // n = 7, score = 600
            //   c1e91f               | shr                 ecx, 0x1f
            //   5f                   | pop                 edi
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   e9????????           |                     
            //   0fb60c1a             | movzx               ecx, byte ptr [edx + ebx]
            //   83c6fd               | add                 esi, -3
            //   c1e608               | shl                 esi, 8

        $sequence_1 = { 8d8cbdfcfbffff 8b11 8910 0fb655ff 8911 8b00 8b4d08 }
            // n = 7, score = 600
            //   8d8cbdfcfbffff       | lea                 ecx, [ebp + edi*4 - 0x404]
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   8910                 | mov                 dword ptr [eax], edx
            //   0fb655ff             | movzx               edx, byte ptr [ebp - 1]
            //   8911                 | mov                 dword ptr [ecx], edx
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]

        $sequence_2 = { c1ee1f e9???????? 8b041a 6a1f 8bf0 83c204 5f }
            // n = 7, score = 600
            //   c1ee1f               | shr                 esi, 0x1f
            //   e9????????           |                     
            //   8b041a               | mov                 eax, dword ptr [edx + ebx]
            //   6a1f                 | push                0x1f
            //   8bf0                 | mov                 esi, eax
            //   83c204               | add                 edx, 4
            //   5f                   | pop                 edi

        $sequence_3 = { 0d00ffffff 40 8a8485fcfbffff 300419 }
            // n = 4, score = 600
            //   0d00ffffff           | or                  eax, 0xffffff00
            //   40                   | inc                 eax
            //   8a8485fcfbffff       | mov                 al, byte ptr [ebp + eax*4 - 0x404]
            //   300419               | xor                 byte ptr [ecx + ebx], al

        $sequence_4 = { 80e17f 8808 b001 5b c3 55 }
            // n = 6, score = 600
            //   80e17f               | and                 cl, 0x7f
            //   8808                 | mov                 byte ptr [eax], cl
            //   b001                 | mov                 al, 1
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   55                   | push                ebp

        $sequence_5 = { 0f8409000000 41 894df0 e9???????? 8b4514 }
            // n = 5, score = 600
            //   0f8409000000         | je                  0xf
            //   41                   | inc                 ecx
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx
            //   e9????????           |                     
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]

        $sequence_6 = { 0f848d010000 4f 8bf0 8bcf d3ee }
            // n = 5, score = 600
            //   0f848d010000         | je                  0x193
            //   4f                   | dec                 edi
            //   8bf0                 | mov                 esi, eax
            //   8bcf                 | mov                 ecx, edi
            //   d3ee                 | shr                 esi, cl

        $sequence_7 = { 8bc8 83c204 6a1f c1e91f 5f 894dfc e9???????? }
            // n = 7, score = 600
            //   8bc8                 | mov                 ecx, eax
            //   83c204               | add                 edx, 4
            //   6a1f                 | push                0x1f
            //   c1e91f               | shr                 ecx, 0x1f
            //   5f                   | pop                 edi
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   e9????????           |                     

        $sequence_8 = { eb00 85f6 7415 8a0c1a 8b5df4 8b7510 }
            // n = 6, score = 600
            //   eb00                 | jmp                 2
            //   85f6                 | test                esi, esi
            //   7415                 | je                  0x17
            //   8a0c1a               | mov                 cl, byte ptr [edx + ebx]
            //   8b5df4               | mov                 ebx, dword ptr [ebp - 0xc]
            //   8b7510               | mov                 esi, dword ptr [ebp + 0x10]

        $sequence_9 = { eb00 85ff 0f84bd000000 4f 8bf0 }
            // n = 5, score = 600
            //   eb00                 | jmp                 2
            //   85ff                 | test                edi, edi
            //   0f84bd000000         | je                  0xc3
            //   4f                   | dec                 edi
            //   8bf0                 | mov                 esi, eax

    condition:
        7 of them and filesize < 425984
}
Download all Yara Rules