win.houdini (Back to overview)

Houdini

aka: Hworm, Njw0rm, Jenxcus, Kognito, WSHRAT

Houdini is a VBS-based RAT dating back to 2013. In the past it used to be wrapped in an .exe, but in 2018 it started being spamvertized or downloaded by other malware directly as a .vbs. In 2019, WSHRAT appeared, a JavaScript-based version of Houdini, recoded under the name Kognito.

References
2020-01-15 | AT&T Cybersecurity | Fernando Martinez
@online{martinez:20200115:alien:a57585f, author = {Fernando Martinez}, title = {{Alien Labs 2019 Analysis of Threat Groups Molerats and APT-C-37}}, date = {2020-01-15}, organization = {AT&T Cybersecurity}, url = {https://cybersecurity.att.com/blogs/labs-research/alien-labs-2019-analysis-of-threat-groups-molerats-and-apt-c-37}, language = {English}, urldate = {2020-01-22} } Alien Labs 2019 Analysis of Threat Groups Molerats and APT-C-37
Houdini
2019-12-23 | YouTube | Kindred Security
@online{security:20191223:video:c52156f, author = {Kindred Security}, title = {{Video: Malware Analysis | WSHRAT Visual Basic RAT (C2 Replication)}}, date = {2019-12-23}, organization = {YouTube}, url = {https://www.youtube.com/watch?v=h3KLKCdMUUY}, language = {English}, urldate = {2020-01-08} } Video: Malware Analysis | WSHRAT Visual Basic RAT (C2 Replication)
Houdini
2019-11-11 | Binary Defense | Binary Defense
@online{defense:20191111:revenge:114921b, author = {Binary Defense}, title = {{Revenge Is A Dish Best Served… Obfuscated?}}, date = {2019-11-11}, organization = {Binary Defense}, url = {https://www.binarydefense.com/revenge-is-a-dish-best-served-obfuscated}, language = {English}, urldate = {2020-01-09} } Revenge Is A Dish Best Served… Obfuscated?
Houdini Revenge RAT
2019-09-14 | Github (jeFF0Falltrades) | Jeff Archer
@online{archer:20190914:wsh:103aefa, author = {Jeff Archer}, title = {{WSH RAT (A variant of H-Worm/Houdini)}}, date = {2019-09-14}, organization = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/wsh_rat.md}, language = {English}, urldate = {2020-01-06} } WSH RAT (A variant of H-Worm/Houdini)
Houdini
2019-06-25 | MyOnlineSecurity | MyOnlineSecurity
@online{myonlinesecurity:20190625:more:a611b77, author = {MyOnlineSecurity}, title = {{More AgentTesla keylogger and Nanocore RAT in one bundle}}, date = {2019-06-25}, organization = {MyOnlineSecurity}, url = {https://myonlinesecurity.co.uk/more-agenttesla-keylogger-and-nanocore-rat-in-one-bundle/}, language = {English}, urldate = {2019-11-27} } More AgentTesla keylogger and Nanocore RAT in one bundle
Houdini
2019-06-14 | Cofense | Nick Guarino, Aaron Riley
@online{guarino:20190614:houdini:d6c63fa, author = {Nick Guarino and Aaron Riley}, title = {{Houdini Worm Transformed in New Phishing Attack}}, date = {2019-06-14}, organization = {Cofense}, url = {https://cofense.com/houdini-worm-transformed-new-phishing-attack/}, language = {English}, urldate = {2020-01-08} } Houdini Worm Transformed in New Phishing Attack
Houdini
2019-05-13 | Morphisec | Arnold Osipov
@online{osipov:20190513:look:7526002, author = {Arnold Osipov}, title = {{A Look At Hworm / Houdini aka Njrat}}, date = {2019-05-13}, organization = {Morphisec}, url = {http://blog.morphisec.com/hworm-houdini-aka-njrat}, language = {English}, urldate = {2020-01-05} } A Look At Hworm / Houdini aka Njrat
Houdini
2019-03-25 | 360 Core Security | zhanghao-ms
@online{zhanghaoms:20190325:patting:92fda17, author = {zhanghao-ms}, title = {{Patting the Bear (APT-C-37): Exposure of Continued Attacks Against an Armed Organization}}, date = {2019-03-25}, organization = {360 Core Security}, url = {http://blogs.360.cn/post/analysis-of-apt-c-37.html}, language = {Chinese}, urldate = {2020-01-08} } Patting the Bear (APT-C-37): Exposure of Continued Attacks Against an Armed Organization
Houdini NjRAT
2016-10-25 | Palo Alto Networks Unit 42 | Anthony Kasza
@online{kasza:20161025:houdinis:d57d422, author = {Anthony Kasza}, title = {{Houdini’s Magic Reappearance}}, date = {2016-10-25}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/}, language = {English}, urldate = {2019-11-17} } Houdini’s Magic Reappearance
Houdini
2013-09-24 | FireEye | Thoufique Haq, Ned Moran
@online{haq:20130924:now:3cc13be, author = {Thoufique Haq and Ned Moran}, title = {{Now You See Me - H-worm by Houdini}}, date = {2013-09-24}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html}, language = {English}, urldate = {2019-12-20} } Now You See Me - H-worm by Houdini
Houdini
Yara Rules
[TLP:WHITE] win_houdini_auto (20190620 | autogenerated rule brought to you by yara-signator)
rule win_houdini_auto {
    /* Purpose: flags samples of the win.houdini (Hworm) family when at least
     * 7 of the 10 x86 opcode sequences below are present (see condition).
     * The disassembly listed next to each sequence uses 32-bit registers and
     * fs:[eax] accesses, i.e. these bytes come from the compiled PE form of
     * the family; the raw .vbs / .js script variants would not contain them.
     * Most sequences are compiler-emitted exception-frame (fs:[0]) setup or
     * teardown around a build-specific absolute address, so the hard-coded
     * addresses, not the instruction shape, are what tie them to this family.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-07-05"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.2a"
        // NOTE(review): points at win.hworm rather than win.houdini — presumably
        // the family's earlier Malpedia name (Hworm is in the alias list); verify.
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hworm"
        malpedia_version = "20190620"   // Malpedia data snapshot the sequences were mined from
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Handler restore: pops, then mov fs:[eax], edx re-installs the previous
        // fs:[0] entry, followed by push of the absolute address 0x5346de.
        $sequence_0 = { 33c0 5a 59 59 648910 68de465300 8d45f0 }
            // n = 7, score = 100
            //   33c0                 | xor                 eax, eax
            //   5a                   | pop                 edx
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   648910               | mov                 dword ptr fs:[eax], edx
            //   68de465300           | push                0x5346de
            //   8d45f0               | lea                 eax, [ebp - 0x10]

        // Function tail: double load through [ebp-4], a call whose rel32 target
        // is wildcarded (e8 ????????; each ?? matches any byte), then pop / ret.
        $sequence_1 = { 8bd0 8b45fc 8b00 e8???????? 59 5d c3 }
            // n = 7, score = 100
            //   8bd0                 | mov                 edx, eax
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   5d                   | pop                 ebp
            //   c3                   | ret                 

        // Same handler-restore shape as $sequence_0 with constant 0x5909fe;
        // 8b15 ???????? is mov edx, [abs32] with the address wildcarded.
        $sequence_2 = { 59 59 648910 68fe095900 8d45f8 8b15???????? }
            // n = 6, score = 100
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   648910               | mov                 dword ptr fs:[eax], edx
            //   68fe095900           | push                0x5909fe
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   8b15????????         |                     

        // NOTE(review): decodes to pops interleaved with add ah, bh and
        // add [edi + ebx*2], al — looks more like data than code; treat this
        // as the weakest sequence of the set.
        $sequence_3 = { 5b 00fc 5e 5b 00045f 5b 00045f }
            // n = 7, score = 100
            //   5b                   | pop                 ebx
            //   00fc                 | add                 ah, bh
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   00045f               | add                 byte ptr [edi + ebx*2], al
            //   5b                   | pop                 ebx
            //   00045f               | add                 byte ptr [edi + ebx*2], al

        // Frame entry: xor eax,eax; push ebp; push <addr>; push fs:[eax];
        // mov fs:[eax], esp installs a new fs:[0] handler. Generic compiler
        // idiom — the pushed address 0x56c465 is the build-specific part.
        $sequence_4 = { 8bd8 33c0 55 6865c45600 64ff30 648920 8bc6 }
            // n = 7, score = 100
            //   8bd8                 | mov                 ebx, eax
            //   33c0                 | xor                 eax, eax
            //   55                   | push                ebp
            //   6865c45600           | push                0x56c465
            //   64ff30               | push                dword ptr fs:[eax]
            //   648920               | mov                 dword ptr fs:[eax], esp
            //   8bc6                 | mov                 eax, esi

        // Handler restore (as $sequence_0) preceded by mov ebx, eax; constant 0x4ef12d.
        $sequence_5 = { 8bd8 33c0 5a 59 59 648910 682df14e00 }
            // n = 7, score = 100
            //   8bd8                 | mov                 ebx, eax
            //   33c0                 | xor                 eax, eax
            //   5a                   | pop                 edx
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   648910               | mov                 dword ptr fs:[eax], edx
            //   682df14e00           | push                0x4ef12d

        // Wildcarded call followed by a frame entry (as $sequence_4); constant 0x40d4c7.
        $sequence_6 = { 8b45fc e8???????? 33c0 55 68c7d44000 64ff30 648920 }
            // n = 7, score = 100
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   e8????????           |                     
            //   33c0                 | xor                 eax, eax
            //   55                   | push                ebp
            //   68c7d44000           | push                0x40d4c7
            //   64ff30               | push                dword ptr fs:[eax]
            //   648920               | mov                 dword ptr fs:[eax], esp

        // Stack reservation (add esp, -0x10), wildcarded call, register moves,
        // then the start of a frame entry; constant 0x4c7318.
        $sequence_7 = { 83c4f0 e8???????? 8bda 8bf0 33c0 55 6818734c00 }
            // n = 7, score = 100
            //   83c4f0               | add                 esp, -0x10
            //   e8????????           |                     
            //   8bda                 | mov                 ebx, edx
            //   8bf0                 | mov                 esi, eax
            //   33c0                 | xor                 eax, eax
            //   55                   | push                ebp
            //   6818734c00           | push                0x4c7318

        // Initializes fields of a structure at ebx (+0xd0 = 0x8000, +0xb8 = 0x4000,
        // +0xb0 and +0xc8 = -1, byte +0x98 = 0) before pushing ebx and 0x50ac68.
        // Presumably an object constructor; field meaning not recoverable from here.
        $sequence_8 = { c783d000000000800000 c783b800000000400000 c783b0000000ffffffff c6839800000000 c783c8000000ffffffff 53 6868ac5000 }
            // n = 7, score = 100
            //   c783d000000000800000     | mov    dword ptr [ebx + 0xd0], 0x8000
            //   c783b800000000400000     | mov    dword ptr [ebx + 0xb8], 0x4000
            //   c783b0000000ffffffff     | mov    dword ptr [ebx + 0xb0], 0xffffffff
            //   c6839800000000       | mov                 byte ptr [ebx + 0x98], 0
            //   c783c8000000ffffffff     | mov    dword ptr [ebx + 0xc8], 0xffffffff
            //   53                   | push                ebx
            //   6868ac5000           | push                0x50ac68

        // Wildcarded call, three argument registers saved, then the start of a
        // frame entry; constant 0x466eb5.
        $sequence_9 = { e8???????? 8bf1 8bda 8bf8 33c0 55 68b56e4600 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8bf1                 | mov                 esi, ecx
            //   8bda                 | mov                 ebx, edx
            //   8bf8                 | mov                 edi, eax
            //   33c0                 | xor                 eax, eax
            //   55                   | push                ebp
            //   68b56e4600           | push                0x466eb5

    condition:
        // 7 of the 10 sequences must match. The slack tolerates build-to-build
        // variation in the embedded addresses; since the instruction shapes
        // themselves are generic, corroborate a hit with other indicators.
        7 of them
}