SYMBOLCOMMON_NAMEaka. SYNONYMS
win.khrat (Back to overview)

KHRAT

Actor(s): DragonOK

VTCollection    

According to Unit42, KHRAT is a Trojan that registers victims using their infected machine’s username, system language and local IP address. KHRAT provides the threat actors typical RAT features and access to the victim system, including keylogging, screenshot capabilities, remote shell access and so on.

References
2022-07-18Palo Alto Networks Unit 42Unit 42
Rancor Taurus
DDKONG KHRAT PLAINTEE RANCOR
2019-12-17Palo Alto Networks Unit 42Jen Miller-Osborn, Mike Harbison
Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia
DDKONG Derusbi KHRAT
2017-03-29ForcepointRoland Dela Paz
Trojanized Adobe installer used to install DragonOK’s new custom backdoor
KHRAT DragonOK
Yara Rules
[TLP:WHITE] win_khrat_auto (20230808 | Detects win.khrat.)
rule win_khrat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.khrat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.khrat"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d858cfbffff 50 68f4030000 57 }
            // n = 4, score = 100
            //   8d858cfbffff         | lea                 eax, [ebp - 0x474]
            //   50                   | push                eax
            //   68f4030000           | push                0x3f4
            //   57                   | push                edi

        $sequence_1 = { 66c745e00000 8b859cfbffff 8945e8 8b8590fbffff 8945ec 8945f0 }
            // n = 6, score = 100
            //   66c745e00000         | mov                 word ptr [ebp - 0x20], 0
            //   8b859cfbffff         | mov                 eax, dword ptr [ebp - 0x464]
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   8b8590fbffff         | mov                 eax, dword ptr [ebp - 0x470]
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax

        $sequence_2 = { c9 c20400 55 8bec 81c4d0f9ffff }
            // n = 5, score = 100
            //   c9                   | leave               
            //   c20400               | ret                 4
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   81c4d0f9ffff         | add                 esp, 0xfffff9d0

        $sequence_3 = { 81c448feffff c705????????ffffffff 8d8572feffff 50 6802020000 e8???????? 6a06 }
            // n = 7, score = 100
            //   81c448feffff         | add                 esp, 0xfffffe48
            //   c705????????ffffffff     |     
            //   8d8572feffff         | lea                 eax, [ebp - 0x18e]
            //   50                   | push                eax
            //   6802020000           | push                0x202
            //   e8????????           |                     
            //   6a06                 | push                6

        $sequence_4 = { 68???????? 6a00 e8???????? 0bc0 0f840e010000 }
            // n = 5, score = 100
            //   68????????           |                     
            //   6a00                 | push                0
            //   e8????????           |                     
            //   0bc0                 | or                  eax, eax
            //   0f840e010000         | je                  0x114

        $sequence_5 = { 66c746326500 66c746347700 66c746363a00 66c746380000 8db500feffff }
            // n = 5, score = 100
            //   66c746326500         | mov                 word ptr [esi + 0x32], 0x65
            //   66c746347700         | mov                 word ptr [esi + 0x34], 0x77
            //   66c746363a00         | mov                 word ptr [esi + 0x36], 0x3a
            //   66c746380000         | mov                 word ptr [esi + 0x38], 0
            //   8db500feffff         | lea                 esi, [ebp - 0x200]

        $sequence_6 = { ff35???????? 8f45e6 8d45e2 50 e8???????? c9 }
            // n = 6, score = 100
            //   ff35????????         |                     
            //   8f45e6               | pop                 dword ptr [ebp - 0x1a]
            //   8d45e2               | lea                 eax, [ebp - 0x1e]
            //   50                   | push                eax
            //   e8????????           |                     
            //   c9                   | leave               

        $sequence_7 = { eb25 ff35???????? e8???????? 8d85d4fdffff }
            // n = 4, score = 100
            //   eb25                 | jmp                 0x27
            //   ff35????????         |                     
            //   e8????????           |                     
            //   8d85d4fdffff         | lea                 eax, [ebp - 0x22c]

        $sequence_8 = { c9 c3 55 8bec 83c4fc 833d????????ff }
            // n = 6, score = 100
            //   c9                   | leave               
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83c4fc               | add                 esp, -4
            //   833d????????ff       |                     

        $sequence_9 = { 50 8d85bcf8ffff 50 8d85dcf8ffff 50 8d8500ffffff }
            // n = 6, score = 100
            //   50                   | push                eax
            //   8d85bcf8ffff         | lea                 eax, [ebp - 0x744]
            //   50                   | push                eax
            //   8d85dcf8ffff         | lea                 eax, [ebp - 0x724]
            //   50                   | push                eax
            //   8d8500ffffff         | lea                 eax, [ebp - 0x100]

    condition:
        7 of them and filesize < 57344
}
Download all Yara Rules