SYMBOLCOMMON_NAMEaka. SYNONYMS
win.htran (Back to overview)

HTran

aka: HUC Packet Transmit Tool

Actor(s): GALLIUM, UPS

There is no description at this point.

References
2021-09-03FireEyeAdrian Sanchez Hernandez, Govand Sinjari, Joshua Goddard, Brendan McKeague, John Wolfram, Alex Pennino, Andrew Rector, Harris Ansari, Yash Gupta
@online{hernandez:20210903:pst:a8de902, author = {Adrian Sanchez Hernandez and Govand Sinjari and Joshua Goddard and Brendan McKeague and John Wolfram and Alex Pennino and Andrew Rector and Harris Ansari and Yash Gupta}, title = {{PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers}}, date = {2021-09-03}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html}, language = {English}, urldate = {2021-09-06} } PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers
CHINACHOPPER HTran
2020-05-21ESET ResearchMathieu Tartare, Martin Smolár
@online{tartare:20200521:no:016fc6c, author = {Mathieu Tartare and Martin Smolár}, title = {{No “Game over” for the Winnti Group}}, date = {2020-05-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/}, language = {English}, urldate = {2020-05-23} } No “Game over” for the Winnti Group
ACEHASH HTran MimiKatz PipeMon
2020-05-14Lab52Dex
@online{dex:20200514:energy:43e92b4, author = {Dex}, title = {{The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey}}, date = {2020-05-14}, organization = {Lab52}, url = {https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/}, language = {English}, urldate = {2020-06-10} } The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey
Cobalt Strike HTran MimiKatz PlugX Quasar RAT
2020-02-21ADEO DFIRADEO DFIR
@techreport{dfir:20200221:apt10:e9c3328, author = {ADEO DFIR}, title = {{APT10 Threat Analysis Report}}, date = {2020-02-21}, institution = {ADEO DFIR}, url = {https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf}, language = {English}, urldate = {2020-03-03} } APT10 Threat Analysis Report
CHINACHOPPER HTran MimiKatz PlugX Quasar RAT
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:4118462, author = {SecureWorks}, title = {{BRONZE ATLAS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas}, language = {English}, urldate = {2020-05-23} } BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti APT41
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:b55f797, author = {SecureWorks}, title = {{BRONZE MAYFAIR}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-mayfair}, language = {English}, urldate = {2020-05-23} } BRONZE MAYFAIR
HTran pirpi APT3
2019-12-12MicrosoftMicrosoft Threat Intelligence Center
@online{center:20191212:gallium:79f6460, author = {Microsoft Threat Intelligence Center}, title = {{GALLIUM: Targeting global telecom}}, date = {2019-12-12}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/}, language = {English}, urldate = {2022-06-15} } GALLIUM: Targeting global telecom
CHINACHOPPER Ghost RAT HTran MimiKatz Poison Ivy GALLIUM
2019-11-19FireEyeKelli Vanderlee, Nalani Fraser
@techreport{vanderlee:20191119:achievement:6be19eb, author = {Kelli Vanderlee and Nalani Fraser}, title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}}, date = {2019-11-19}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf}, language = {English}, urldate = {2021-03-02} } Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell
2019-06-25CybereasonCybereason Nocturnus
@online{nocturnus:20190625:operation:21efa8f, author = {Cybereason Nocturnus}, title = {{OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS}}, date = {2019-06-25}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers}, language = {English}, urldate = {2022-07-01} } OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS
CHINACHOPPER HTran MimiKatz Poison Ivy Operation Soft Cell
2013-03-04Trend MicroKyle Wilhoit
@online{wilhoit:20130304:indepth:ebccc8b, author = {Kyle Wilhoit}, title = {{In-Depth Look: APT Attack Tools of the Trade}}, date = {2013-03-04}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/}, language = {English}, urldate = {2019-07-11} } In-Depth Look: APT Attack Tools of the Trade
HTran
2011-08-03SecureworksJoe Stewart
@online{stewart:20110803:htran:7a67164, author = {Joe Stewart}, title = {{HTran and the Advanced Persistent Threat}}, date = {2011-08-03}, organization = {Secureworks}, url = {https://www.secureworks.com/research/htran}, language = {English}, urldate = {2020-01-08} } HTran and the Advanced Persistent Threat
HTran
Yara Rules
[TLP:WHITE] win_htran_auto (20230715 | Detects win.htran.)
rule win_htran_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.htran."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.htran"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b942430510000 55 52 68???????? e8???????? }
            // n = 5, score = 200
            //   8b942430510000       | mov                 edx, dword ptr [esp + 0x5130]
            //   55                   | push                ebp
            //   52                   | push                edx
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_1 = { 8d4c243c 50 51 52 ffd5 }
            // n = 5, score = 200
            //   8d4c243c             | lea                 ecx, [esp + 0x3c]
            //   50                   | push                eax
            //   51                   | push                ecx
            //   52                   | push                edx
            //   ffd5                 | call                ebp

        $sequence_2 = { 8d3449 8d34b5f09b4000 83c00c 3bc6 7305 }
            // n = 5, score = 200
            //   8d3449               | lea                 esi, [ecx + ecx*2]
            //   8d34b5f09b4000       | lea                 esi, [esi*4 + 0x409bf0]
            //   83c00c               | add                 eax, 0xc
            //   3bc6                 | cmp                 eax, esi
            //   7305                 | jae                 7

        $sequence_3 = { 52 50 68???????? 03f0 2be8 e8???????? 83c410 }
            // n = 7, score = 200
            //   52                   | push                edx
            //   50                   | push                eax
            //   68????????           |                     
            //   03f0                 | add                 esi, eax
            //   2be8                 | sub                 ebp, eax
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10

        $sequence_4 = { ffd5 8bf8 8b442440 50 ff15???????? 50 53 }
            // n = 7, score = 200
            //   ffd5                 | call                ebp
            //   8bf8                 | mov                 edi, eax
            //   8b442440             | mov                 eax, dword ptr [esp + 0x40]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   50                   | push                eax
            //   53                   | push                ebx

        $sequence_5 = { 8b8424e0420100 33c9 894c2414 53 8b10 }
            // n = 5, score = 200
            //   8b8424e0420100       | mov                 eax, dword ptr [esp + 0x142e0]
            //   33c9                 | xor                 ecx, ecx
            //   894c2414             | mov                 dword ptr [esp + 0x14], ecx
            //   53                   | push                ebx
            //   8b10                 | mov                 edx, dword ptr [eax]

        $sequence_6 = { 8816 46 eb0f 0fb6d2 f682c1c3400004 }
            // n = 5, score = 200
            //   8816                 | mov                 byte ptr [esi], dl
            //   46                   | inc                 esi
            //   eb0f                 | jmp                 0x11
            //   0fb6d2               | movzx               edx, dl
            //   f682c1c3400004       | test                byte ptr [edx + 0x40c3c1], 4

        $sequence_7 = { 33c0 f3a4 b900500000 8dbc14ec020000 2bca }
            // n = 5, score = 200
            //   33c0                 | xor                 eax, eax
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   b900500000           | mov                 ecx, 0x5000
            //   8dbc14ec020000       | lea                 edi, [esp + edx + 0x2ec]
            //   2bca                 | sub                 ecx, edx

        $sequence_8 = { 33c0 8dbc24ec520000 f3ab 8d9424e4000000 52 53 }
            // n = 6, score = 200
            //   33c0                 | xor                 eax, eax
            //   8dbc24ec520000       | lea                 edi, [esp + 0x52ec]
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   8d9424e4000000       | lea                 edx, [esp + 0xe4]
            //   52                   | push                edx
            //   53                   | push                ebx

        $sequence_9 = { 899424e8010000 89b424e8000000 899424e4000000 33c0 8d8c24e8000000 }
            // n = 5, score = 200
            //   899424e8010000       | mov                 dword ptr [esp + 0x1e8], edx
            //   89b424e8000000       | mov                 dword ptr [esp + 0xe8], esi
            //   899424e4000000       | mov                 dword ptr [esp + 0xe4], edx
            //   33c0                 | xor                 eax, eax
            //   8d8c24e8000000       | lea                 ecx, [esp + 0xe8]

    condition:
        7 of them and filesize < 114688
}
Download all Yara Rules