win.houdini (Back to overview)

Houdini

aka: Hworm, Njw0rm, Jenxcus, Kognito, WSHRAT

Houdini is a VBS-based RAT dating back to 2013. In the past it used to be wrapped in an .exe, but in 2018 it started being spamvertised or downloaded by other malware directly as a .vbs. In 2019, WSHRAT appeared, a JavaScript-based version of Houdini, recoded under the name of Kognito.

References
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos Ransomware PlugX Pony REvil Socelars STOP Ransomware Tinba TrickBot WannaCryptor
2020-01-15AT&T CybersecurityFernando Martinez
@online{martinez:20200115:alien:a57585f, author = {Fernando Martinez}, title = {{Alien Labs 2019 Analysis of Threat Groups Molerats and APT-C-37}}, date = {2020-01-15}, organization = {AT&T Cybersecurity}, url = {https://cybersecurity.att.com/blogs/labs-research/alien-labs-2019-analysis-of-threat-groups-molerats-and-apt-c-37}, language = {English}, urldate = {2020-01-22} } Alien Labs 2019 Analysis of Threat Groups Molerats and APT-C-37
Houdini
2019-12-23YouTubeKindred Security
@online{security:20191223:video:c52156f, author = {Kindred Security}, title = {{Video: Malware Analysis | WSHRAT Visual Basic RAT (C2 Replication)}}, date = {2019-12-23}, organization = {YouTube}, url = {https://www.youtube.com/watch?v=h3KLKCdMUUY}, language = {English}, urldate = {2020-01-08} } Video: Malware Analysis | WSHRAT Visual Basic RAT (C2 Replication)
Houdini
2019-11-11Binary DefenseBinary Defense
@online{defense:20191111:revenge:114921b, author = {Binary Defense}, title = {{Revenge Is A Dish Best Served… Obfuscated?}}, date = {2019-11-11}, organization = {Binary Defense}, url = {https://www.binarydefense.com/revenge-is-a-dish-best-served-obfuscated}, language = {English}, urldate = {2020-01-09} } Revenge Is A Dish Best Served… Obfuscated?
Houdini Revenge RAT
2019-09-14Github (jeFF0Falltrades)Jeff Archer
@online{archer:20190914:wsh:103aefa, author = {Jeff Archer}, title = {{WSH RAT (A variant of H-Worm/Houdini)}}, date = {2019-09-14}, organization = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/wsh_rat.md}, language = {English}, urldate = {2020-01-06} } WSH RAT (A variant of H-Worm/Houdini)
Houdini
2019-06-25MyOnlineSecurityMyOnlineSecurity
@online{myonlinesecurity:20190625:more:a611b77, author = {MyOnlineSecurity}, title = {{More AgentTesla keylogger and Nanocore RAT in one bundle}}, date = {2019-06-25}, organization = {MyOnlineSecurity}, url = {https://myonlinesecurity.co.uk/more-agenttesla-keylogger-and-nanocore-rat-in-one-bundle/}, language = {English}, urldate = {2019-11-27} } More AgentTesla keylogger and Nanocore RAT in one bundle
Houdini
2019-06-14CofenseNick Guarino, Aaron Riley
@online{guarino:20190614:houdini:d6c63fa, author = {Nick Guarino and Aaron Riley}, title = {{Houdini Worm Transformed in New Phishing Attack}}, date = {2019-06-14}, organization = {Cofense}, url = {https://cofense.com/houdini-worm-transformed-new-phishing-attack/}, language = {English}, urldate = {2020-01-08} } Houdini Worm Transformed in New Phishing Attack
Houdini
2019-05-13MorphisecArnold Osipov
@online{osipov:20190513:look:7526002, author = {Arnold Osipov}, title = {{A Look At Hworm / Houdini aka Njrat}}, date = {2019-05-13}, organization = {Morphisec}, url = {http://blog.morphisec.com/hworm-houdini-aka-njrat}, language = {English}, urldate = {2020-01-05} } A Look At Hworm / Houdini aka Njrat
Houdini
2019-03-25360 Core Securityzhanghao-ms
@online{zhanghaoms:20190325:patting:92fda17, author = {zhanghao-ms}, title = {{Patting the Bear (APT-C-37): Exposure of Continued Attacks Against an Armed Organization}}, date = {2019-03-25}, organization = {360 Core Security}, url = {http://blogs.360.cn/post/analysis-of-apt-c-37.html}, language = {Chinese}, urldate = {2020-01-08} } Patting the Bear (APT-C-37): Exposure of Continued Attacks Against an Armed Organization
Houdini NjRAT
2016-10-26UnknownChris Doman
@online{doman:20161026:moonlight:1edffaa, author = {Chris Doman}, title = {{Moonlight – Targeted attacks in the Middle East}}, date = {2016-10-26}, organization = {Unknown}, url = {https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks}, language = {English}, urldate = {2020-04-06} } Moonlight – Targeted attacks in the Middle East
Houdini NjRAT Molerats
2016-10-25Palo Alto Networks Unit 42Anthony Kasza
@online{kasza:20161025:houdinis:d57d422, author = {Anthony Kasza}, title = {{Houdini’s Magic Reappearance}}, date = {2016-10-25}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/}, language = {English}, urldate = {2019-11-17} } Houdini’s Magic Reappearance
Houdini
2013-09-24FireEyeThoufique Haq, Ned Moran
@online{haq:20130924:now:3cc13be, author = {Thoufique Haq and Ned Moran}, title = {{Now You See Me - H-worm by Houdini}}, date = {2013-09-24}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html}, language = {English}, urldate = {2019-12-20} } Now You See Me - H-worm by Houdini
Houdini
Yara Rules
[TLP:WHITE] win_houdini_auto (20201014 | autogenerated rule brought to you by yara-signator)
// Detection rule for win.houdini, generated by yara-signator from the
// disassembly of reference samples (see the DISCLAIMER inside the rule).
// NOTE(review): every $sequence_N below is 32-bit x86 machine code
// (ebp/eax/esi register forms), so this rule targets compiled/unpacked PE
// samples of the family, not the .vbs/.js script variants described above
// — confirm against the samples Malpedia lists for win.houdini.
rule win_houdini_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.houdini"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a raw byte pattern taken from the disassembly
        // listed underneath it. "e8????????" wildcards the 4-byte relative
        // target of a near call, so the pattern matches regardless of where
        // the callee ended up in the image. "n" is the number of instructions
        // in the sequence; "score" is the value reported by yara-signator.
        // Because the patterns were selected from memory dumps and unpacked
        // files (see DISCLAIMER), a packed on-disk sample is not expected to
        // hit — scan unpacked files or in-memory images.
        $sequence_0 = { 8b45bc e8???????? 50 8d45b8 8b5508 b900000000 }
            // n = 6, score = 100
            //   8b45bc               | mov                 eax, dword ptr [ebp - 0x44]
            //   e8????????           |                     
            //   50                   | push                eax
            //   8d45b8               | lea                 eax, [ebp - 0x48]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   b900000000           | mov                 ecx, 0

        $sequence_1 = { 8bfa 8bd8 8b4604 50 8b0e 8bd7 8bc3 }
            // n = 7, score = 100
            //   8bfa                 | mov                 edi, edx
            //   8bd8                 | mov                 ebx, eax
            //   8b4604               | mov                 eax, dword ptr [esi + 4]
            //   50                   | push                eax
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   8bd7                 | mov                 edx, edi
            //   8bc3                 | mov                 eax, ebx

        $sequence_2 = { f6d8 1bc0 c3 83780403 0f94c0 f6d8 1bc0 }
            // n = 7, score = 100
            //   f6d8                 | neg                 al
            //   1bc0                 | sbb                 eax, eax
            //   c3                   | ret                 
            //   83780403             | cmp                 dword ptr [eax + 4], 3
            //   0f94c0               | sete                al
            //   f6d8                 | neg                 al
            //   1bc0                 | sbb                 eax, eax

        $sequence_3 = { 51 8bd8 33f6 54 8b4304 50 e8???????? }
            // n = 7, score = 100
            //   51                   | push                ecx
            //   8bd8                 | mov                 ebx, eax
            //   33f6                 | xor                 esi, esi
            //   54                   | push                esp
            //   8b4304               | mov                 eax, dword ptr [ebx + 4]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_4 = { 5b c3 8d4604 50 8b4304 50 }
            // n = 6, score = 100
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   8d4604               | lea                 eax, [esi + 4]
            //   50                   | push                eax
            //   8b4304               | mov                 eax, dword ptr [ebx + 4]
            //   50                   | push                eax

        // NOTE(review): this sequence disassembles to repeated
        // "add byte ptr [ebx + ebx*2 + ...]" forms, which looks like a data
        // table rather than executed code; it may generalize less well than
        // the other sequences — verify before weighting it on its own.
        $sequence_5 = { 00745b5b 00745b5b 007c5b5b 007c5b5b 00845b5b00845b 5b 008c5b5b008c5b }
            // n = 7, score = 100
            //   00745b5b             | add                 byte ptr [ebx + ebx*2 + 0x5b], dh
            //   00745b5b             | add                 byte ptr [ebx + ebx*2 + 0x5b], dh
            //   007c5b5b             | add                 byte ptr [ebx + ebx*2 + 0x5b], bh
            //   007c5b5b             | add                 byte ptr [ebx + ebx*2 + 0x5b], bh
            //   00845b5b00845b       | add                 byte ptr [ebx + ebx*2 + 0x5b84005b], al
            //   5b                   | pop                 ebx
            //   008c5b5b008c5b       | add                 byte ptr [ebx + ebx*2 + 0x5b8c005b], cl

        $sequence_6 = { 896b08 85ed 750e ba03000000 8bc7 e8???????? eb44 }
            // n = 7, score = 100
            //   896b08               | mov                 dword ptr [ebx + 8], ebp
            //   85ed                 | test                ebp, ebp
            //   750e                 | jne                 0x10
            //   ba03000000           | mov                 edx, 3
            //   8bc7                 | mov                 eax, edi
            //   e8????????           |                     
            //   eb44                 | jmp                 0x46

        $sequence_7 = { 8bf2 8bd8 54 56 8b4304 50 e8???????? }
            // n = 7, score = 100
            //   8bf2                 | mov                 esi, edx
            //   8bd8                 | mov                 ebx, eax
            //   54                   | push                esp
            //   56                   | push                esi
            //   8b4304               | mov                 eax, dword ptr [ebx + 4]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_8 = { 83780403 0f93c0 f6d8 1bc0 c3 83780404 }
            // n = 6, score = 100
            //   83780403             | cmp                 dword ptr [eax + 4], 3
            //   0f93c0               | setae               al
            //   f6d8                 | neg                 al
            //   1bc0                 | sbb                 eax, eax
            //   c3                   | ret                 
            //   83780404             | cmp                 dword ptr [eax + 4], 4

        $sequence_9 = { 8b45fc b901000000 8b55f8 e8???????? ff4df8 837df800 75b6 }
            // n = 7, score = 100
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   b901000000           | mov                 ecx, 1
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   e8????????           |                     
            //   ff4df8               | dec                 dword ptr [ebp - 8]
            //   837df800             | cmp                 dword ptr [ebp - 8], 0
            //   75b6                 | jne                 0xffffffb8

    condition:
        // Any 7 of the 10 sequences must be present (not all of them),
        // presumably to tolerate small build-to-build differences between
        // samples; the filesize bound (6307840 bytes, roughly 6 MiB) keeps
        // the rule from being evaluated against larger files.
        7 of them and filesize < 6307840
}