SYMBOLCOMMON_NAMEaka. SYNONYMS
win.htran (Back to overview)

HTran

aka: HUC Packet Transmit Tool

Actor(s): GALLIUM, UPS

There is no description at this point.

References
2021-09-03FireEyeAdrian Sanchez Hernandez, Govand Sinjari, Joshua Goddard, Brendan McKeague, John Wolfram, Alex Pennino, Andrew Rector, Harris Ansari, Yash Gupta
@online{hernandez:20210903:pst:a8de902, author = {Adrian Sanchez Hernandez and Govand Sinjari and Joshua Goddard and Brendan McKeague and John Wolfram and Alex Pennino and Andrew Rector and Harris Ansari and Yash Gupta}, title = {{PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers}}, date = {2021-09-03}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html}, language = {English}, urldate = {2021-09-06} } PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers
CHINACHOPPER HTran
2020-05-21ESET ResearchMathieu Tartare, Martin Smolár
@online{tartare:20200521:no:016fc6c, author = {Mathieu Tartare and Martin Smolár}, title = {{No “Game over” for the Winnti Group}}, date = {2020-05-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/}, language = {English}, urldate = {2020-05-23} } No “Game over” for the Winnti Group
ACEHASH HTran MimiKatz PipeMon
2020-05-14Lab52Dex
@online{dex:20200514:energy:43e92b4, author = {Dex}, title = {{The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey}}, date = {2020-05-14}, organization = {Lab52}, url = {https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/}, language = {English}, urldate = {2020-06-10} } The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey
Cobalt Strike HTran MimiKatz PlugX Quasar RAT
2020-02-21ADEO DFIRADEO DFIR
@techreport{dfir:20200221:apt10:e9c3328, author = {ADEO DFIR}, title = {{APT10 Threat Analysis Report}}, date = {2020-02-21}, institution = {ADEO DFIR}, url = {https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf}, language = {English}, urldate = {2020-03-03} } APT10 Threat Analysis Report
CHINACHOPPER HTran MimiKatz PlugX Quasar RAT
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:4118462, author = {SecureWorks}, title = {{BRONZE ATLAS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas}, language = {English}, urldate = {2020-05-23} } BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti APT41
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:b55f797, author = {SecureWorks}, title = {{BRONZE MAYFAIR}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-mayfair}, language = {English}, urldate = {2020-05-23} } BRONZE MAYFAIR
HTran pirpi APT3
2019-12-12MicrosoftMicrosoft Threat Intelligence Center
@online{center:20191212:gallium:79f6460, author = {Microsoft Threat Intelligence Center}, title = {{GALLIUM: Targeting global telecom}}, date = {2019-12-12}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/}, language = {English}, urldate = {2022-06-15} } GALLIUM: Targeting global telecom
CHINACHOPPER Ghost RAT HTran MimiKatz Poison Ivy GALLIUM
2019-11-19FireEyeKelli Vanderlee, Nalani Fraser
@techreport{vanderlee:20191119:achievement:6be19eb, author = {Kelli Vanderlee and Nalani Fraser}, title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}}, date = {2019-11-19}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf}, language = {English}, urldate = {2021-03-02} } Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell
2019-06-25CybereasonCybereason Nocturnus
@online{nocturnus:20190625:operation:21efa8f, author = {Cybereason Nocturnus}, title = {{OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS}}, date = {2019-06-25}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers}, language = {English}, urldate = {2022-07-01} } OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS
CHINACHOPPER HTran MimiKatz Poison Ivy Operation Soft Cell
2013-03-04Trend MicroKyle Wilhoit
@online{wilhoit:20130304:indepth:ebccc8b, author = {Kyle Wilhoit}, title = {{In-Depth Look: APT Attack Tools of the Trade}}, date = {2013-03-04}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/}, language = {English}, urldate = {2019-07-11} } In-Depth Look: APT Attack Tools of the Trade
HTran
2011-08-03SecureworksJoe Stewart
@online{stewart:20110803:htran:7a67164, author = {Joe Stewart}, title = {{HTran and the Advanced Persistent Threat}}, date = {2011-08-03}, organization = {Secureworks}, url = {https://www.secureworks.com/research/htran}, language = {English}, urldate = {2020-01-08} } HTran and the Advanced Persistent Threat
HTran
Yara Rules
[TLP:WHITE] win_htran_auto (20221125 | Detects win.htran.)
rule win_htran_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.htran."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.htran"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b842440510000 55 50 53 e8???????? 83c420 85c0 }
            // n = 7, score = 200
            //   8b842440510000       | mov                 eax, dword ptr [esp + 0x5140]
            //   55                   | push                ebp
            //   50                   | push                eax
            //   53                   | push                ebx
            //   e8????????           |                     
            //   83c420               | add                 esp, 0x20
            //   85c0                 | test                eax, eax

        $sequence_1 = { 33c9 894c2414 53 8b10 8b4004 }
            // n = 5, score = 200
            //   33c9                 | xor                 ecx, ecx
            //   894c2414             | mov                 dword ptr [esp + 0x14], ecx
            //   53                   | push                ebx
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   8b4004               | mov                 eax, dword ptr [eax + 4]

        $sequence_2 = { 83c408 a1???????? 85c0 7405 }
            // n = 4, score = 200
            //   83c408               | add                 esp, 8
            //   a1????????           |                     
            //   85c0                 | test                eax, eax
            //   7405                 | je                  7

        $sequence_3 = { 51 e8???????? 8b570c 8be8 52 e8???????? }
            // n = 6, score = 200
            //   51                   | push                ecx
            //   e8????????           |                     
            //   8b570c               | mov                 edx, dword ptr [edi + 0xc]
            //   8be8                 | mov                 ebp, eax
            //   52                   | push                edx
            //   e8????????           |                     

        $sequence_4 = { 6a01 58 c20400 8b542404 }
            // n = 4, score = 200
            //   6a01                 | push                1
            //   58                   | pop                 eax
            //   c20400               | ret                 4
            //   8b542404             | mov                 edx, dword ptr [esp + 4]

        $sequence_5 = { 8b8424e0420100 33c9 894c2414 53 8b10 }
            // n = 5, score = 200
            //   8b8424e0420100       | mov                 eax, dword ptr [esp + 0x142e0]
            //   33c9                 | xor                 ecx, ecx
            //   894c2414             | mov                 dword ptr [esp + 0x14], ecx
            //   53                   | push                ebx
            //   8b10                 | mov                 edx, dword ptr [eax]

        $sequence_6 = { 68???????? e8???????? 83c404 33c0 c3 83ec14 8b4c241c }
            // n = 7, score = 200
            //   68????????           |                     
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   33c0                 | xor                 eax, eax
            //   c3                   | ret                 
            //   83ec14               | sub                 esp, 0x14
            //   8b4c241c             | mov                 ecx, dword ptr [esp + 0x1c]

        $sequence_7 = { 8bcb c1f805 83e11f 8b048500c54000 8d04c8 eb05 b8???????? }
            // n = 7, score = 200
            //   8bcb                 | mov                 ecx, ebx
            //   c1f805               | sar                 eax, 5
            //   83e11f               | and                 ecx, 0x1f
            //   8b048500c54000       | mov                 eax, dword ptr [eax*4 + 0x40c500]
            //   8d04c8               | lea                 eax, [eax + ecx*8]
            //   eb05                 | jmp                 7
            //   b8????????           |                     

        $sequence_8 = { 33c0 8dbc24ec520000 f3ab 8d9424e4000000 52 53 }
            // n = 6, score = 200
            //   33c0                 | xor                 eax, eax
            //   8dbc24ec520000       | lea                 edi, [esp + 0x52ec]
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   8d9424e4000000       | lea                 edx, [esp + 0xe4]
            //   52                   | push                edx
            //   53                   | push                ebx

        $sequence_9 = { ff15???????? ebb6 6a00 8d8c2424010000 6800500000 }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   ebb6                 | jmp                 0xffffffb8
            //   6a00                 | push                0
            //   8d8c2424010000       | lea                 ecx, [esp + 0x124]
            //   6800500000           | push                0x5000

    condition:
        7 of them and filesize < 114688
}
Download all Yara Rules