win.htran

HTran

aka: HUC Packet Transmit Tool

Actor(s): GALLIUM, UPS


There is no description at this point.

References
2021-09-03 | FireEye | Adrian Sanchez Hernandez, Alex Pennino, Andrew Rector, Brendan McKeague, Govand Sinjari, Harris Ansari, John Wolfram, Joshua Goddard, Yash Gupta
PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers
Tags: CHINACHOPPER, HTran

2020-05-21 | ESET Research | Martin Smolár, Mathieu Tartare
No “Game over” for the Winnti Group
Tags: ACEHASH, HTran, MimiKatz, PipeMon

2020-05-14 | Lab52 | Dex
The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey
Tags: Cobalt Strike, HTran, MimiKatz, PlugX, Quasar RAT

2020-02-21 | ADEO DFIR | ADEO DFIR
APT10 Threat Analysis Report
Tags: CHINACHOPPER, HTran, MimiKatz, PlugX, Quasar RAT

2020-01-01 | Secureworks | SecureWorks
BRONZE ATLAS
Tags: Speculoos, Winnti, ACEHASH, CCleaner Backdoor, CHINACHOPPER, Empire Downloader, HTran, MimiKatz, PlugX, Winnti, APT41

2020-01-01 | Secureworks | SecureWorks
BRONZE MAYFAIR
Tags: HTran, pirpi, APT3

2019-12-12 | Microsoft | Microsoft Threat Intelligence Center
GALLIUM: Targeting global telecom
Tags: CHINACHOPPER, Ghost RAT, HTran, MimiKatz, Poison Ivy, GALLIUM

2019-11-19 | FireEye | Kelli Vanderlee, Nalani Fraser
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
Tags: MESSAGETAP, TSCookie, ACEHASH, CHINACHOPPER, Cobalt Strike, Derusbi, Empire Downloader, Ghost RAT, HIGHNOON, HTran, MimiKatz, NetWire RC, poisonplug, Poison Ivy, pupy, Quasar RAT, ZXShell

2019-06-25 | Cybereason | Cybereason Nocturnus
OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS
Tags: CHINACHOPPER, HTran, MimiKatz, Poison Ivy, Operation Soft Cell

2013-03-04 | Trend Micro | Kyle Wilhoit
In-Depth Look: APT Attack Tools of the Trade
Tags: HTran

2011-08-03 | Secureworks | Joe Stewart
HTran and the Advanced Persistent Threat
Tags: HTran
Yara Rules
[TLP:WHITE] win_htran_auto (20230808 | Detects win.htran.)
rule win_htran_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.htran."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.htran"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6a00 8d8434f0a20000 55 50 53 }
            // n = 5, score = 200
            //   6a00                 | push                0
            //   8d8434f0a20000       | lea                 eax, [esp + esi + 0xa2f0]
            //   55                   | push                ebp
            //   50                   | push                eax
            //   53                   | push                ebx

        $sequence_1 = { 8bc8 83e103 f3a4 8b4c2462 }
            // n = 4, score = 200
            //   8bc8                 | mov                 ecx, eax
            //   83e103               | and                 ecx, 3
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   8b4c2462             | mov                 ecx, dword ptr [esp + 0x62]

        $sequence_2 = { 83c408 a1???????? 85c0 7405 }
            // n = 4, score = 200
            //   83c408               | add                 esp, 8
            //   a1????????           |                     
            //   85c0                 | test                eax, eax
            //   7405                 | je                  7

        $sequence_3 = { 50 51 ffd3 85c0 7d28 bf???????? 83c9ff }
            // n = 7, score = 200
            //   50                   | push                eax
            //   51                   | push                ecx
            //   ffd3                 | call                ebx
            //   85c0                 | test                eax, eax
            //   7d28                 | jge                 0x2a
            //   bf????????           |                     
            //   83c9ff               | or                  ecx, 0xffffffff

        $sequence_4 = { ffd5 8bf8 8b442440 50 ff15???????? 50 53 }
            // n = 7, score = 200
            //   ffd5                 | call                ebp
            //   8bf8                 | mov                 edi, eax
            //   8b442440             | mov                 eax, dword ptr [esp + 0x40]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   50                   | push                eax
            //   53                   | push                ebx

        $sequence_5 = { 8b8424e0420100 33c9 894c2414 53 8b10 }
            // n = 5, score = 200
            //   8b8424e0420100       | mov                 eax, dword ptr [esp + 0x142e0]
            //   33c9                 | xor                 ecx, ecx
            //   894c2414             | mov                 dword ptr [esp + 0x14], ecx
            //   53                   | push                ebx
            //   8b10                 | mov                 edx, dword ptr [eax]

        $sequence_6 = { 8816 46 eb0f 0fb6d2 f682c1c3400004 }
            // n = 5, score = 200
            //   8816                 | mov                 byte ptr [esi], dl
            //   46                   | inc                 esi
            //   eb0f                 | jmp                 0x11
            //   0fb6d2               | movzx               edx, dl
            //   f682c1c3400004       | test                byte ptr [edx + 0x40c3c1], 4

        $sequence_7 = { 89442410 c705????????03000000 8b442410 8b0d???????? 49 743a }
            // n = 6, score = 200
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   c705????????03000000     |     
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   8b0d????????         |                     
            //   49                   | dec                 ecx
            //   743a                 | je                  0x3c

        $sequence_8 = { c20400 8b542404 8b0d???????? 3915???????? 56 b8???????? }
            // n = 6, score = 200
            //   c20400               | ret                 4
            //   8b542404             | mov                 edx, dword ptr [esp + 4]
            //   8b0d????????         |                     
            //   3915????????         |                     
            //   56                   | push                esi
            //   b8????????           |                     

        $sequence_9 = { 899424e8010000 89b424e8000000 899424e4000000 33c0 8d8c24e8000000 }
            // n = 5, score = 200
            //   899424e8010000       | mov                 dword ptr [esp + 0x1e8], edx
            //   89b424e8000000       | mov                 dword ptr [esp + 0xe8], esi
            //   899424e4000000       | mov                 dword ptr [esp + 0xe4], edx
            //   33c0                 | xor                 eax, eax
            //   8d8c24e8000000       | lea                 ecx, [esp + 0xe8]

    condition:
        7 of them and filesize < 114688
}