SYMBOLCOMMON_NAMEaka. SYNONYMS
win.htran (Back to overview)

HTran

aka: HUC Packet Transmit Tool, lcx

Actor(s): GALLIUM, UPS

VTCollection    

There is no description at this point.

References
2025-05-12SynacktivMaxence Fossat
Open-source toolset of an Ivanti CSA attacker
HTran iox reGeorg
2024-02-08Cisco TalosCisco Talos
New Zardoor backdoor used in long-term cyber espionage operation targeting an Islamic organization
HTran reGeorg Venom Proxy ZarDoor
2021-09-03FireEyeAdrian Sanchez Hernandez, Alex Pennino, Andrew Rector, Brendan McKeague, Govand Sinjari, Harris Ansari, John Wolfram, Joshua Goddard, Yash Gupta
PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers
CHINACHOPPER HTran
2020-05-21ESET ResearchMartin Smolár, Mathieu Tartare
No “Game over” for the Winnti Group
ACEHASH HTran MimiKatz PipeMon
2020-05-14Lab52Dex
The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey
Cobalt Strike HTran MimiKatz PlugX Quasar RAT
2020-02-21ADEO DFIRADEO DFIR
APT10 Threat Analysis Report
CHINACHOPPER HTran MimiKatz PlugX Quasar RAT
2020-01-01SecureworksSecureWorks
BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti APT41
2020-01-01SecureworksSecureWorks
BRONZE MAYFAIR
HTran pirpi APT3
2019-12-12MicrosoftMicrosoft Threat Intelligence Center
GALLIUM: Targeting global telecom
CHINACHOPPER Ghost RAT HTran MimiKatz Poison Ivy GALLIUM
2019-11-19FireEyeKelli Vanderlee, Nalani Fraser
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC POISONPLUG Poison Ivy pupy Quasar RAT ZXShell
2019-06-25CybereasonCybereason Nocturnus
OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS
CHINACHOPPER HTran MimiKatz Poison Ivy Operation Soft Cell
2013-03-04Trend MicroKyle Wilhoit
In-Depth Look: APT Attack Tools of the Trade
HTran
2011-08-03SecureworksJoe Stewart
HTran and the Advanced Persistent Threat
HTran
Yara Rules
[TLP:WHITE] win_htran_auto (20260504 | Detects win.htran.)
rule win_htran_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.htran."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.htran"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b542424 33c9 894c2408 52 894c2410 66c744240c0200 894c2414 }
            // n = 7, score = 200
            //   8b542424             | mov                 edx, dword ptr [esp + 0x24]
            //   33c9                 | xor                 ecx, ecx
            //   894c2408             | mov                 dword ptr [esp + 8], ecx
            //   52                   | push                edx
            //   894c2410             | mov                 dword ptr [esp + 0x10], ecx
            //   66c744240c0200       | mov                 word ptr [esp + 0xc], 2
            //   894c2414             | mov                 dword ptr [esp + 0x14], ecx

        $sequence_1 = { 33c9 894c2414 53 8b10 }
            // n = 4, score = 200
            //   33c9                 | xor                 ecx, ecx
            //   894c2414             | mov                 dword ptr [esp + 0x14], ecx
            //   53                   | push                ebx
            //   8b10                 | mov                 edx, dword ptr [eax]

        $sequence_2 = { 8d3449 8d34b5f09b4000 83c00c 3bc6 7305 }
            // n = 5, score = 200
            //   8d3449               | lea                 esi, [ecx + ecx*2]
            //   8d34b5f09b4000       | lea                 esi, [esi*4 + 0x409bf0]
            //   83c00c               | add                 eax, 0xc
            //   3bc6                 | cmp                 eax, esi
            //   7305                 | jae                 7

        $sequence_3 = { 51 52 53 ff15???????? b900010000 }
            // n = 5, score = 200
            //   51                   | push                ecx
            //   52                   | push                edx
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   b900010000           | mov                 ecx, 0x100

        $sequence_4 = { 89742410 52 6a00 50 68???????? }
            // n = 5, score = 200
            //   89742410             | mov                 dword ptr [esp + 0x10], esi
            //   52                   | push                edx
            //   6a00                 | push                0
            //   50                   | push                eax
            //   68????????           |                     

        $sequence_5 = { 72f4 3bc2 7512 899c24f0010000 c78424e801000002000000 8d442458 8d8c24e4000000 }
            // n = 7, score = 200
            //   72f4                 | jb                  0xfffffff6
            //   3bc2                 | cmp                 eax, edx
            //   7512                 | jne                 0x14
            //   899c24f0010000       | mov                 dword ptr [esp + 0x1f0], ebx
            //   c78424e801000002000000     | mov    dword ptr [esp + 0x1e8], 2
            //   8d442458             | lea                 eax, [esp + 0x58]
            //   8d8c24e4000000       | lea                 ecx, [esp + 0xe4]

        $sequence_6 = { ff15???????? 85c0 7d14 68???????? e8???????? 83c404 }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7d14                 | jge                 0x16
            //   68????????           |                     
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_7 = { c3 6a00 6a01 6a02 ff15???????? 85c0 }
            // n = 6, score = 200
            //   c3                   | ret                 
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   6a02                 | push                2
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_8 = { 8816 46 8a10 40 0fb6da f683c1c3400004 740c }
            // n = 7, score = 200
            //   8816                 | mov                 byte ptr [esi], dl
            //   46                   | inc                 esi
            //   8a10                 | mov                 dl, byte ptr [eax]
            //   40                   | inc                 eax
            //   0fb6da               | movzx               ebx, dl
            //   f683c1c3400004       | test                byte ptr [ebx + 0x40c3c1], 4
            //   740c                 | je                  0xe

        $sequence_9 = { 50 ff15???????? 50 68???????? e8???????? 83c40c e8???????? }
            // n = 7, score = 200
            //   50                   | push                eax
            //   ff15????????         |                     
            //   50                   | push                eax
            //   68????????           |                     
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   e8????????           |                     

    condition:
        7 of them and filesize < 114688
}
Download all Yara Rules