SYMBOLCOMMON_NAMEaka. SYNONYMS
win.htran (Back to overview)

HTran

aka: HUC Packet Transmit Tool

Actor(s): GALLIUM, UPS

There is no description at this point.

References
2021-09-03FireEyeAdrian Sanchez Hernandez, Govand Sinjari, Joshua Goddard, Brendan McKeague, John Wolfram, Alex Pennino, Andrew Rector, Harris Ansari, Yash Gupta
@online{hernandez:20210903:pst:a8de902, author = {Adrian Sanchez Hernandez and Govand Sinjari and Joshua Goddard and Brendan McKeague and John Wolfram and Alex Pennino and Andrew Rector and Harris Ansari and Yash Gupta}, title = {{PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers}}, date = {2021-09-03}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html}, language = {English}, urldate = {2021-09-06} } PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers
CHINACHOPPER HTran
2020-05-21ESET ResearchMathieu Tartare, Martin Smolár
@online{tartare:20200521:no:016fc6c, author = {Mathieu Tartare and Martin Smolár}, title = {{No “Game over” for the Winnti Group}}, date = {2020-05-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/}, language = {English}, urldate = {2020-05-23} } No “Game over” for the Winnti Group
ACEHASH HTran MimiKatz PipeMon
2020-05-14Lab52Dex
@online{dex:20200514:energy:43e92b4, author = {Dex}, title = {{The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey}}, date = {2020-05-14}, organization = {Lab52}, url = {https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/}, language = {English}, urldate = {2020-06-10} } The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey
Cobalt Strike HTran MimiKatz PlugX Quasar RAT
2020-02-21ADEO DFIRADEO DFIR
@techreport{dfir:20200221:apt10:e9c3328, author = {ADEO DFIR}, title = {{APT10 Threat Analysis Report}}, date = {2020-02-21}, institution = {ADEO DFIR}, url = {https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf}, language = {English}, urldate = {2020-03-03} } APT10 Threat Analysis Report
CHINACHOPPER HTran MimiKatz PlugX Quasar RAT
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:b55f797, author = {SecureWorks}, title = {{BRONZE MAYFAIR}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-mayfair}, language = {English}, urldate = {2020-05-23} } BRONZE MAYFAIR
HTran pirpi UPS
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:4118462, author = {SecureWorks}, title = {{BRONZE ATLAS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas}, language = {English}, urldate = {2020-05-23} } BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti Axiom
2019-12-12MicrosoftMicrosoft Threat Intelligence Center
@online{center:20191212:gallium:79f6460, author = {Microsoft Threat Intelligence Center}, title = {{GALLIUM: Targeting global telecom}}, date = {2019-12-12}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/}, language = {English}, urldate = {2022-06-15} } GALLIUM: Targeting global telecom
CHINACHOPPER Ghost RAT HTran MimiKatz Poison Ivy GALLIUM
2019-11-19FireEyeKelli Vanderlee, Nalani Fraser
@techreport{vanderlee:20191119:achievement:6be19eb, author = {Kelli Vanderlee and Nalani Fraser}, title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}}, date = {2019-11-19}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf}, language = {English}, urldate = {2021-03-02} } Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell
2013-03-04Trend MicroKyle Wilhoit
@online{wilhoit:20130304:indepth:ebccc8b, author = {Kyle Wilhoit}, title = {{In-Depth Look: APT Attack Tools of the Trade}}, date = {2013-03-04}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/}, language = {English}, urldate = {2019-07-11} } In-Depth Look: APT Attack Tools of the Trade
HTran
2011-08-03SecureworksJoe Stewart
@online{stewart:20110803:htran:7a67164, author = {Joe Stewart}, title = {{HTran and the Advanced Persistent Threat}}, date = {2011-08-03}, organization = {Secureworks}, url = {https://www.secureworks.com/research/htran}, language = {English}, urldate = {2020-01-08} } HTran and the Advanced Persistent Threat
HTran
Yara Rules
[TLP:WHITE] win_htran_auto (20220516 | Detects win.htran.)
rule win_htran_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.htran."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.htran"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c744243001000000 ff15???????? 83f8ff 750e 813d????????14270000 7537 }
            // n = 6, score = 200
            //   c744243001000000     | mov                 dword ptr [esp + 0x30], 1
            //   ff15????????         |                     
            //   83f8ff               | cmp                 eax, -1
            //   750e                 | jne                 0x10
            //   813d????????14270000     |     
            //   7537                 | jne                 0x39

        $sequence_1 = { 50 e8???????? 8d8c2418f30000 53 }
            // n = 4, score = 200
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d8c2418f30000       | lea                 ecx, [esp + 0xf318]
            //   53                   | push                ebx

        $sequence_2 = { 897808 8b15???????? 83c00c 8d1452 8d1495f09b4000 }
            // n = 5, score = 200
            //   897808               | mov                 dword ptr [eax + 8], edi
            //   8b15????????         |                     
            //   83c00c               | add                 eax, 0xc
            //   8d1452               | lea                 edx, [edx + edx*2]
            //   8d1495f09b4000       | lea                 edx, [edx*4 + 0x409bf0]

        $sequence_3 = { 51 e8???????? 8b570c 8be8 52 e8???????? }
            // n = 6, score = 200
            //   51                   | push                ecx
            //   e8????????           |                     
            //   8b570c               | mov                 edx, dword ptr [edi + 0xc]
            //   8be8                 | mov                 ebp, eax
            //   52                   | push                edx
            //   e8????????           |                     

        $sequence_4 = { 83e103 f3aa ff15???????? 8b742418 e9???????? b900140000 33c0 }
            // n = 7, score = 200
            //   83e103               | and                 ecx, 3
            //   f3aa                 | rep stosb           byte ptr es:[edi], al
            //   ff15????????         |                     
            //   8b742418             | mov                 esi, dword ptr [esp + 0x18]
            //   e9????????           |                     
            //   b900140000           | mov                 ecx, 0x1400
            //   33c0                 | xor                 eax, eax

        $sequence_5 = { 89742424 51 6a00 52 68???????? 6a00 }
            // n = 6, score = 200
            //   89742424             | mov                 dword ptr [esp + 0x24], esi
            //   51                   | push                ecx
            //   6a00                 | push                0
            //   52                   | push                edx
            //   68????????           |                     
            //   6a00                 | push                0

        $sequence_6 = { ff15???????? 85c0 7d14 68???????? e8???????? 83c404 }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7d14                 | jge                 0x16
            //   68????????           |                     
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_7 = { 89442410 c705????????03000000 8b442410 8b0d???????? 49 743a }
            // n = 6, score = 200
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   c705????????03000000     |     
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   8b0d????????         |                     
            //   49                   | dec                 ecx
            //   743a                 | je                  0x3c

        $sequence_8 = { 8816 46 8a10 40 0fb6da f683c1c3400004 740c }
            // n = 7, score = 200
            //   8816                 | mov                 byte ptr [esi], dl
            //   46                   | inc                 esi
            //   8a10                 | mov                 dl, byte ptr [eax]
            //   40                   | inc                 eax
            //   0fb6da               | movzx               ebx, dl
            //   f683c1c3400004       | test                byte ptr [ebx + 0x40c3c1], 4
            //   740c                 | je                  0xe

        $sequence_9 = { ff15???????? ebb6 6a00 8d8c2424010000 6800500000 }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   ebb6                 | jmp                 0xffffffb8
            //   6a00                 | push                0
            //   8d8c2424010000       | lea                 ecx, [esp + 0x124]
            //   6800500000           | push                0x5000

    condition:
        7 of them and filesize < 114688
}
Download all Yara Rules