win.htran

HTran

aka: HUC Packet Transmit Tool

Actor(s): GALLIUM, UPS


There is no description at this point.

References
2021-09-03 FireEye — Adrian Sanchez Hernandez, Govand Sinjari, Joshua Goddard, Brendan McKeague, John Wolfram, Alex Pennino, Andrew Rector, Harris Ansari, Yash Gupta
@online{hernandez:20210903:pst:a8de902, author = {Adrian Sanchez Hernandez and Govand Sinjari and Joshua Goddard and Brendan McKeague and John Wolfram and Alex Pennino and Andrew Rector and Harris Ansari and Yash Gupta}, title = {{PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers}}, date = {2021-09-03}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html}, language = {English}, urldate = {2021-09-06} } PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers
CHINACHOPPER HTran
2020-05-21 ESET Research — Mathieu Tartare, Martin Smolár
@online{tartare:20200521:no:016fc6c, author = {Mathieu Tartare and Martin Smolár}, title = {{No “Game over” for the Winnti Group}}, date = {2020-05-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/}, language = {English}, urldate = {2020-05-23} } No “Game over” for the Winnti Group
ACEHASH HTran MimiKatz
2020-05-14 Lab52 — Dex
@online{dex:20200514:energy:43e92b4, author = {Dex}, title = {{The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey}}, date = {2020-05-14}, organization = {Lab52}, url = {https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/}, language = {English}, urldate = {2020-06-10} } The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey
Cobalt Strike HTran MimiKatz PlugX Quasar RAT
2020-02-21 ADEO DFIR — ADEO DFIR
@techreport{dfir:20200221:apt10:e9c3328, author = {ADEO DFIR}, title = {{APT10 Threat Analysis Report}}, date = {2020-02-21}, institution = {ADEO DFIR}, url = {https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf}, language = {English}, urldate = {2020-03-03} } APT10 Threat Analysis Report
CHINACHOPPER HTran MimiKatz PlugX Quasar RAT
2020 Secureworks — SecureWorks
@online{secureworks:2020:bronze:b55f797, author = {SecureWorks}, title = {{BRONZE MAYFAIR}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-mayfair}, language = {English}, urldate = {2020-05-23} } BRONZE MAYFAIR
HTran pirpi UPS
2020 Secureworks — SecureWorks
@online{secureworks:2020:bronze:4118462, author = {SecureWorks}, title = {{BRONZE ATLAS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas}, language = {English}, urldate = {2020-05-23} } BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti Axiom
2019-12-12 Microsoft — Microsoft Threat Intelligence Center
@online{center:20191212:gallium:79f6460, author = {Microsoft Threat Intelligence Center}, title = {{GALLIUM: Targeting global telecom}}, date = {2019-12-12}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/}, language = {English}, urldate = {2020-01-07} } GALLIUM: Targeting global telecom
Ghost RAT HTran GALLIUM
2019-11-19 FireEye — Kelli Vanderlee, Nalani Fraser
@techreport{vanderlee:20191119:achievement:6be19eb, author = {Kelli Vanderlee and Nalani Fraser}, title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}}, date = {2019-11-19}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf}, language = {English}, urldate = {2021-03-02} } Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell
2013-03-04 Trend Micro — Kyle Wilhoit
@online{wilhoit:20130304:indepth:ebccc8b, author = {Kyle Wilhoit}, title = {{In-Depth Look: APT Attack Tools of the Trade}}, date = {2013-03-04}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/}, language = {English}, urldate = {2019-07-11} } In-Depth Look: APT Attack Tools of the Trade
HTran
2011-08-03 Secureworks — Joe Stewart
@online{stewart:20110803:htran:7a67164, author = {Joe Stewart}, title = {{HTran and the Advanced Persistent Threat}}, date = {2011-08-03}, organization = {Secureworks}, url = {https://www.secureworks.com/research/htran}, language = {English}, urldate = {2020-01-08} } HTran and the Advanced Persistent Threat
HTran
Yara Rules
[TLP:WHITE] win_htran_auto (20211008 | Detects win.htran.)
// Auto-generated detection rule for win.htran (HTran, aka "HUC Packet Transmit Tool").
// Each $sequence_N below is a short run of x86 instruction bytes that yara-signator
// selected from the disassembly of Malpedia's samples; the rule fires when enough of
// those runs co-occur in a sufficiently small file (see the condition at the bottom).
// Because the generator worked from a limited sample set (see DISCLAIMER), treat a
// match as a strong lead to be confirmed, not as family attribution on its own.
rule win_htran_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.htran."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Generator settings used for this rule; "callsandjumps" and "datarefs" are
        // presumably what causes call/jump targets and data references to be
        // wildcarded in the strings below — confirm against the yara-signator docs.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.htran"
        malpedia_rule_date = "20211007"
        // NOTE(review): the exact object this hash identifies (rule text, sample set,
        // or Malpedia snapshot) is not stated here — check the Malpedia page.
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Hex strings: every "??" byte is a wildcard that matches any value. The lines
    // whose disassembly column is blank (push imm32 "68", call rel32 "e8",
    // mov/call via absolute address "8b35"/"ff15") are the ones whose operands the
    // generator wildcarded, so the sequences survive relinking and rebasing.
    // Two sequences ($sequence_3, $sequence_7) still embed absolute addresses
    // (0x40c27c, 0x40c500) and are therefore tied to the image base of the sampled
    // build. In the comments, "n" is the number of instructions in the sequence;
    // "score" appears to be yara-signator's ranking value for it — see the linked
    // project for its exact meaning.
    strings:
        $sequence_0 = { eb05 68???????? e8???????? 83c404 8b5c2414 8b442418 8b35???????? }
            // n = 7, score = 200
            //   eb05                 | jmp                 7
            //   68????????           |                     
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8b5c2414             | mov                 ebx, dword ptr [esp + 0x14]
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   8b35????????         |                     

        $sequence_1 = { 8d542418 8d442410 89742410 52 6a00 }
            // n = 5, score = 200
            //   8d542418             | lea                 edx, dword ptr [esp + 0x18]
            //   8d442410             | lea                 eax, dword ptr [esp + 0x10]
            //   89742410             | mov                 dword ptr [esp + 0x10], esi
            //   52                   | push                edx
            //   6a00                 | push                0

        $sequence_2 = { 894c2420 89442430 55 894c2428 }
            // n = 4, score = 200
            //   894c2420             | mov                 dword ptr [esp + 0x20], ecx
            //   89442430             | mov                 dword ptr [esp + 0x30], eax
            //   55                   | push                ebp
            //   894c2428             | mov                 dword ptr [esp + 0x28], ecx

        // Contains the absolute address 0x40c27c (not wildcarded): fragile against
        // builds with a different image base or layout.
        $sequence_3 = { 8b750c 8b7d08 8d057cc24000 83780800 753b }
            // n = 5, score = 200
            //   8b750c               | mov                 esi, dword ptr [ebp + 0xc]
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   8d057cc24000         | lea                 eax, dword ptr [0x40c27c]
            //   83780800             | cmp                 dword ptr [eax + 8], 0
            //   753b                 | jne                 0x3d

        // Very short and generic (return 1, then the start of another function);
        // it is unlikely to carry much weight on its own.
        $sequence_4 = { 6a01 58 c20400 8b542404 }
            // n = 4, score = 200
            //   6a01                 | push                1
            //   58                   | pop                 eax
            //   c20400               | ret                 4
            //   8b542404             | mov                 edx, dword ptr [esp + 4]

        // Indirect call through an import-style pointer (wildcarded), followed by a
        // NULL check on the result.
        $sequence_5 = { ff15???????? 8bd8 85db 0f8446020000 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax
            //   85db                 | test                ebx, ebx
            //   0f8446020000         | je                  0x24c

        $sequence_6 = { 68???????? e8???????? 83c404 33c0 c3 83ec14 8b4c241c }
            // n = 7, score = 200
            //   68????????           |                     
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   33c0                 | xor                 eax, eax
            //   c3                   | ret                 
            //   83ec14               | sub                 esp, 0x14
            //   8b4c241c             | mov                 ecx, dword ptr [esp + 0x1c]

        // Contains the absolute address 0x40c500 (not wildcarded). The shape
        // (shift by 5, mask 0x1f, table lookup, bit test at +4) looks like compiler
        // runtime library code rather than family-specific logic — if so it may
        // match unrelated binaries built with the same toolchain; confirm before
        // weighting this sequence highly.
        $sequence_7 = { c1f905 83e21f 8b0c8d00c54000 f644d10401 7425 }
            // n = 5, score = 200
            //   c1f905               | sar                 ecx, 5
            //   83e21f               | and                 edx, 0x1f
            //   8b0c8d00c54000       | mov                 ecx, dword ptr [ecx*4 + 0x40c500]
            //   f644d10401           | test                byte ptr [ecx + edx*8 + 4], 1
            //   7425                 | je                  0x27

        // Zero-fills a stack buffer with rep stosd before passing stack addresses
        // to a call.
        $sequence_8 = { 33c0 8dbc24ec520000 f3ab 8d9424e4000000 52 53 }
            // n = 6, score = 200
            //   33c0                 | xor                 eax, eax
            //   8dbc24ec520000       | lea                 edi, dword ptr [esp + 0x52ec]
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   8d9424e4000000       | lea                 edx, dword ptr [esp + 0xe4]
            //   52                   | push                edx
            //   53                   | push                ebx

        $sequence_9 = { 0f85ba030000 85c0 0f84c1030000 8d8c24e8010000 51 56 e8???????? }
            // n = 7, score = 200
            //   0f85ba030000         | jne                 0x3c0
            //   85c0                 | test                eax, eax
            //   0f84c1030000         | je                  0x3c7
            //   8d8c24e8010000       | lea                 ecx, dword ptr [esp + 0x1e8]
            //   51                   | push                ecx
            //   56                   | push                esi
            //   e8????????           |                     

    condition:
        // At least 7 of the 10 sequences must be present, and the scanned object must
        // be smaller than 114688 bytes (112 KiB). Larger builds (e.g. repackaged or
        // statically bundled) fall outside the size bound even if the code matches.
        // YARA's filesize is documented as meaningful for file scans only, so check
        // its behaviour before relying on this rule for process-memory scans.
        7 of them and filesize < 114688
}