win.htran

HTran

aka: HUC Packet Transmit Tool

Actor(s): GALLIUM, UPS


No description has been written for this entry yet; the references below are the primary sources for this tool.

References
2020-05-21 · ESET Research · Mathieu Tartare, Martin Smolár
@online{tartare:20200521:no:016fc6c, author = {Mathieu Tartare and Martin Smolár}, title = {{No “Game over” for the Winnti Group}}, date = {2020-05-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/}, language = {English}, urldate = {2020-05-23} } No “Game over” for the Winnti Group
ACEHASH HTran MimiKatz
2020-05-14 · Lab52 · Dex
@online{dex:20200514:energy:43e92b4, author = {Dex}, title = {{The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey}}, date = {2020-05-14}, organization = {Lab52}, url = {https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/}, language = {English}, urldate = {2020-06-10} } The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey
Cobalt Strike HTran MimiKatz PlugX Quasar RAT
2020-02-21 · ADEO DFIR · ADEO DFIR
@techreport{dfir:20200221:apt10:e9c3328, author = {ADEO DFIR}, title = {{APT10 Threat Analysis Report}}, date = {2020-02-21}, institution = {ADEO DFIR}, url = {https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf}, language = {English}, urldate = {2020-03-03} } APT10 Threat Analysis Report
CHINACHOPPER HTran MimiKatz PlugX Quasar RAT
2020 · Secureworks · SecureWorks
@online{secureworks:2020:bronze:b55f797, author = {SecureWorks}, title = {{BRONZE MAYFAIR}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-mayfair}, language = {English}, urldate = {2020-05-23} } BRONZE MAYFAIR
HTran pirpi UPS
2020 · Secureworks · SecureWorks
@online{secureworks:2020:bronze:4118462, author = {SecureWorks}, title = {{BRONZE ATLAS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas}, language = {English}, urldate = {2020-05-23} } BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti Axiom
2019-12-12 · Microsoft · Microsoft Threat Intelligence Center
@online{center:20191212:gallium:79f6460, author = {Microsoft Threat Intelligence Center}, title = {{GALLIUM: Targeting global telecom}}, date = {2019-12-12}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/}, language = {English}, urldate = {2020-01-07} } GALLIUM: Targeting global telecom
Ghost RAT HTran GALLIUM
2019-11-19 · FireEye · Kelli Vanderlee, Nalani Fraser
@techreport{vanderlee:20191119:achievement:6be19eb, author = {Kelli Vanderlee and Nalani Fraser}, title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}}, date = {2019-11-19}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf}, language = {English}, urldate = {2021-03-02} } Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell
2013-03-04 · Trend Micro · Kyle Wilhoit
@online{wilhoit:20130304:indepth:ebccc8b, author = {Kyle Wilhoit}, title = {{In-Depth Look: APT Attack Tools of the Trade}}, date = {2013-03-04}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/}, language = {English}, urldate = {2019-07-11} } In-Depth Look: APT Attack Tools of the Trade
HTran
2011-08-03 · Secureworks · Joe Stewart
@online{stewart:20110803:htran:7a67164, author = {Joe Stewart}, title = {{HTran and the Advanced Persistent Threat}}, date = {2011-08-03}, organization = {Secureworks}, url = {https://www.secureworks.com/research/htran}, language = {English}, urldate = {2020-01-08} } HTran and the Advanced Persistent Threat
HTran
Yara Rules
[TLP:WHITE] win_htran_auto (20210616 | Detects win.htran.)
rule win_htran_auto {

    // Auto-generated (yara-signator) code-sequence signature for win.htran
    // (HTran, aka "HUC Packet Transmit Tool"). It matches x86 instruction byte
    // patterns lifted from the disassembly of Malpedia's unpacked samples /
    // memory dumps; it is NOT a string-, import- or configuration-based rule.
    // Treat a hit as a medium-confidence code-similarity indicator and confirm
    // with the referenced reports before acting on it (see DISCLAIMER below).
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.htran."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Generator settings: call/jump targets and data references were
        // wildcarded, and byte values were used as-is (see ???????? below).
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.htran"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of consecutive 32-bit x86 instructions.
        // "????????" wildcards mask 4-byte immediates (call/jmp targets,
        // absolute data references) so those operands do not have to match.
        // "score" is the generator's internal ranking for the sequence; its
        // scale is not defined in this file.
        $sequence_0 = { eb05 68???????? e8???????? 83c404 8b5c2414 8b442418 8b35???????? }
            // n = 7, score = 200
            //   eb05                 | jmp                 7
            //   68????????           |                     
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8b5c2414             | mov                 ebx, dword ptr [esp + 0x14]
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   8b35????????         |                     

        $sequence_1 = { 51 ff15???????? 25ffff0000 89442420 8b4c2414 8d542450 8d442470 }
            // n = 7, score = 200
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   25ffff0000           | and                 eax, 0xffff
            //   89442420             | mov                 dword ptr [esp + 0x20], eax
            //   8b4c2414             | mov                 ecx, dword ptr [esp + 0x14]
            //   8d542450             | lea                 edx, dword ptr [esp + 0x50]
            //   8d442470             | lea                 eax, dword ptr [esp + 0x70]

        // NOTE(review): unlike the other sequences, this one bakes in the
        // absolute virtual address 0x409bf0 (i.e. an image base of 0x400000)
        // instead of wildcarding it. A build linked at a different preferred
        // base, or an in-memory image that was relocated, may not match this
        // sequence - the 7-of-10 condition below gives some tolerance for that.
        $sequence_2 = { 8d3449 8d34b5f09b4000 83c00c 3bc6 7305 }
            // n = 5, score = 200
            //   8d3449               | lea                 esi, dword ptr [ecx + ecx*2]
            //   8d34b5f09b4000       | lea                 esi, dword ptr [esi*4 + 0x409bf0]
            //   83c00c               | add                 eax, 0xc
            //   3bc6                 | cmp                 eax, esi
            //   7305                 | jae                 7

        $sequence_3 = { 89442420 ff15???????? 8d442408 6a10 50 56 }
            // n = 6, score = 200
            //   89442420             | mov                 dword ptr [esp + 0x20], eax
            //   ff15????????         |                     
            //   8d442408             | lea                 eax, dword ptr [esp + 8]
            //   6a10                 | push                0x10
            //   50                   | push                eax
            //   56                   | push                esi

        $sequence_4 = { 0f84c1030000 8d8c24e8010000 51 56 e8???????? }
            // n = 5, score = 200
            //   0f84c1030000         | je                  0x3c7
            //   8d8c24e8010000       | lea                 ecx, dword ptr [esp + 0x1e8]
            //   51                   | push                ecx
            //   56                   | push                esi
            //   e8????????           |                     

        $sequence_5 = { 72f4 3bc2 7512 899c24f0010000 c78424e801000002000000 8d442458 8d8c24e4000000 }
            // n = 7, score = 200
            //   72f4                 | jb                  0xfffffff6
            //   3bc2                 | cmp                 eax, edx
            //   7512                 | jne                 0x14
            //   899c24f0010000       | mov                 dword ptr [esp + 0x1f0], ebx
            //   c78424e801000002000000     | mov    dword ptr [esp + 0x1e8], 2
            //   8d442458             | lea                 eax, dword ptr [esp + 0x58]
            //   8d8c24e4000000       | lea                 ecx, dword ptr [esp + 0xe4]

        $sequence_6 = { 85c0 0f84b2010000 7d0c 393d???????? 0f856f020000 8b4c241c }
            // n = 6, score = 200
            //   85c0                 | test                eax, eax
            //   0f84b2010000         | je                  0x1b8
            //   7d0c                 | jge                 0xe
            //   393d????????         |                     
            //   0f856f020000         | jne                 0x275
            //   8b4c241c             | mov                 ecx, dword ptr [esp + 0x1c]

        // Function epilogue (pop/pop/add esp/ret) immediately followed by the
        // start of another push/call - a generic shape on its own; it only
        // carries weight in combination with the other sequences.
        $sequence_7 = { 5d 5b 83c43c c3 68???????? e8???????? }
            // n = 6, score = 200
            //   5d                   | pop                 ebp
            //   5b                   | pop                 ebx
            //   83c43c               | add                 esp, 0x3c
            //   c3                   | ret                 
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_8 = { 8bf0 85f6 8974241c 0f8478010000 e8???????? }
            // n = 5, score = 200
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   8974241c             | mov                 dword ptr [esp + 0x1c], esi
            //   0f8478010000         | je                  0x17e
            //   e8????????           |                     

        $sequence_9 = { ff15???????? ebb6 6a00 8d8c2424010000 6800500000 }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   ebb6                 | jmp                 0xffffffb8
            //   6a00                 | push                0
            //   8d8c2424010000       | lea                 ecx, dword ptr [esp + 0x124]
            //   6800500000           | push                0x5000

    condition:
        // At least 7 of the 10 code sequences must be present, and the scanned
        // object must be smaller than 112 KiB (114688 bytes). The size bound
        // keeps the rule cheap and cuts false positives on large binaries, but
        // NOTE(review): the sequences were derived from unpacked files and
        // memory dumps, and a full process/module dump can easily exceed
        // 112 KiB - consider relaxing or dropping the bound for dump scanning.
        // Per the YARA documentation `filesize` is only meaningful when
        // scanning files, not process memory; verify the behaviour of this
        // expression on your YARA version before relying on it for memory scans.
        7 of them and filesize < 114688
}