win.khrat

KHRAT

Actor(s): DragonOK


According to Unit 42, KHRAT is a Trojan that registers victims using their infected machine’s username, system language and local IP address. KHRAT gives the threat actors typical RAT capabilities and access to the victim system, including keylogging, screenshot capture, remote shell access and so on.

References
2022-07-18Palo Alto Networks Unit 42Unit 42
@online{42:20220718:rancor:f5d3324, author = {Unit 42}, title = {{Rancor Taurus}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/rancortaurus/}, language = {English}, urldate = {2022-07-29} } Rancor Taurus
DDKONG KHRAT PLAINTEE RANCOR
2019-12-17Palo Alto Networks Unit 42Jen Miller-Osborn, Mike Harbison
@online{millerosborn:20191217:rancor:998fe1c, author = {Jen Miller-Osborn and Mike Harbison}, title = {{Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia}}, date = {2019-12-17}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/}, language = {English}, urldate = {2020-01-08} } Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia
DDKONG Derusbi KHRAT
2017-03-29ForcepointRoland Dela Paz
@online{paz:20170329:trojanized:867a7ca, author = {Roland Dela Paz}, title = {{Trojanized Adobe installer used to install DragonOK’s new custom backdoor}}, date = {2017-03-29}, organization = {Forcepoint}, url = {https://www.forcepoint.com/de/blog/x-labs/trojanized-adobe-installer-used-install-dragonok-s-new-custom-backdoor}, language = {English}, urldate = {2020-04-06} } Trojanized Adobe installer used to install DragonOK’s new custom backdoor
KHRAT DragonOK
Yara Rules
[TLP:WHITE] win_khrat_auto (20221125 | Detects win.khrat.)
rule win_khrat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.khrat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.khrat"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes on the rule as a whole:
     *  - Every pattern below is a run of 32-bit x86 code bytes taken from one
     *    unpacked/dumped sample; none is a string, mutex, path or C2 indicator.
     *    Expect the patterns to hold only across builds that produce the same
     *    compiler output, not across the family's history in general.
     *  - Several patterns embed sample-specific values: ebp-relative stack
     *    offsets (-0x218, -0x630, -0x46c, -0x440, -0x22c) and one absolute
     *    address ($sequence_5). A recompile with a different frame layout, or
     *    an image loaded at a different base, can break them even if the
     *    program logic is unchanged.
     *  - "??" bytes are wildcards: the generator masked out call/jmp targets
     *    and absolute data references (the lines without a disassembly column).
     */

    strings:
        // Epilogue of one function (ret 4: callee removes one 4-byte argument)
        // immediately followed by the prologue of the next; the final
        // "add esp, 0xfffffe48" is sub esp, 0x1b8 spelled with a negative
        // immediate.
        $sequence_0 = { 59 5b c9 c20400 55 8bec 81c448feffff }
            // n = 7, score = 100
            //   59                   | pop                 ecx
            //   5b                   | pop                 ebx
            //   c9                   | leave               
            //   c20400               | ret                 4
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   81c448feffff         | add                 esp, 0xfffffe48

        // a3 = mov [abs32], eax (global store, address masked), then five
        // pushed arguments (0, 0x300000, 0, 4, 0) for a call that is outside
        // the pattern. What 0x300000 means here is not recoverable from the
        // bytes alone.
        $sequence_1 = { a3???????? 6a00 6800003000 6a00 6a04 6a00 }
            // n = 6, score = 100
            //   a3????????           |                     
            //   6a00                 | push                0
            //   6800003000           | push                0x300000
            //   6a00                 | push                0
            //   6a04                 | push                4
            //   6a00                 | push                0

        // Saves eax to a stack slot, passes that slot to a masked call,
        // compares the result against 0xffff8001 and takes a long (0x7b1-byte)
        // forward jump if it differs; then pushes 0xff. The compare constant
        // and the jump displacement are both tied to this build.
        $sequence_2 = { 8985e8fdffff ffb5e8fdffff e8???????? 3d0180ffff 0f85b1070000 68ff000000 }
            // n = 6, score = 100
            //   8985e8fdffff         | mov                 dword ptr [ebp - 0x218], eax
            //   ffb5e8fdffff         | push                dword ptr [ebp - 0x218]
            //   e8????????           |                     
            //   3d0180ffff           | cmp                 eax, 0xffff8001
            //   0f85b1070000         | jne                 0x7b7
            //   68ff000000           | push                0xff

        // 8f05 = pop dword ptr [abs32] (globals, addresses masked) interleaved
        // with pushes of fields at ebx+0xb and ebx+0xf. The odd offsets suggest
        // a byte-packed structure at ebx — TODO confirm against the sample.
        $sequence_3 = { 8f05???????? ff730b 8f05???????? ff730f 8f05???????? 6a00 6a00 }
            // n = 7, score = 100
            //   8f05????????         |                     
            //   ff730b               | push                dword ptr [ebx + 0xb]
            //   8f05????????         |                     
            //   ff730f               | push                dword ptr [ebx + 0xf]
            //   8f05????????         |                     
            //   6a00                 | push                0
            //   6a00                 | push                0

        // A masked call followed by a two-argument setup (address of a stack
        // buffer at ebp-0x22c, plus the value at ebp-0x630) for a call that is
        // not part of the pattern.
        $sequence_4 = { e8???????? 8d85d4fdffff 50 ffb5d0f9ffff }
            // n = 4, score = 100
            //   e8????????           |                     
            //   8d85d4fdffff         | lea                 eax, [ebp - 0x22c]
            //   50                   | push                eax
            //   ffb5d0f9ffff         | push                dword ptr [ebp - 0x630]

        // ret 8 epilogue, next prologue (add esp, 0xfffffb8c == sub esp, 0x474)
        // and an lea of the absolute address 0x10005210. That address is NOT
        // masked, so this pattern only matches images still at the base the
        // sample was dumped from (0x10000000-range); relocated or rebased
        // copies will miss it. Weakest pattern in the set for generalization.
        $sequence_5 = { c20800 55 8bec 81c48cfbffff 8d1d10520010 }
            // n = 5, score = 100
            //   c20800               | ret                 8
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   81c48cfbffff         | add                 esp, 0xfffffb8c
            //   8d1d10520010         | lea                 ebx, [0x10005210]

        // push edi / push [ebp-0x46c] / masked call, then a short jump over
        // 8 bytes of alternative code; the target side zeroes the dword at
        // [ebx]. Looks like the tail of an if/else — hedged, since the call
        // target and the skipped bytes are not in the pattern.
        $sequence_6 = { 57 ffb594fbffff e8???????? eb08 c70300000000 }
            // n = 5, score = 100
            //   57                   | push                edi
            //   ffb594fbffff         | push                dword ptr [ebp - 0x46c]
            //   e8????????           |                     
            //   eb08                 | jmp                 0xa
            //   c70300000000         | mov                 dword ptr [ebx], 0

        // push eax, masked call, then arguments (0, 7, address of the stack
        // buffer at ebp-0x440) for a further call outside the pattern.
        $sequence_7 = { 50 e8???????? 6a00 6a07 8d85c0fbffff 50 }
            // n = 6, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   6a00                 | push                0
            //   6a07                 | push                7
            //   8d85c0fbffff         | lea                 eax, [ebp - 0x440]
            //   50                   | push                eax

        // "or eax, eax / je +5" skips the 5-byte global store (a3 = mov
        // [abs32], eax) when eax is zero: the global is only written on a
        // non-zero result. Then pop ebx. Only four bytes of non-wildcard
        // content, so this pattern is generic and adds little on its own.
        $sequence_8 = { 0bc0 7405 a3???????? 5b }
            // n = 4, score = 100
            //   0bc0                 | or                  eax, eax
            //   7405                 | je                  7
            //   a3????????           |                     
            //   5b                   | pop                 ebx

        // Seven consecutive 16-bit stores at esi+4 .. esi+0x10 whose values are
        // the ASCII codes '8','8','5','1','2','0','E': a UTF-16 string fragment
        // being built one character at a time. The first two characters (at
        // [esi] and [esi+2]) lie before this excerpt. This is the closest thing
        // to a string indicator in the rule and the most useful pattern to
        // cross-check in a new sample.
        $sequence_9 = { 66c746043800 66c746063800 66c746083500 66c7460a3100 66c7460c3200 66c7460e3000 66c746104500 }
            // n = 7, score = 100
            //   66c746043800         | mov                 word ptr [esi + 4], 0x38
            //   66c746063800         | mov                 word ptr [esi + 6], 0x38
            //   66c746083500         | mov                 word ptr [esi + 8], 0x35
            //   66c7460a3100         | mov                 word ptr [esi + 0xa], 0x31
            //   66c7460c3200         | mov                 word ptr [esi + 0xc], 0x32
            //   66c7460e3000         | mov                 word ptr [esi + 0xe], 0x30
            //   66c746104500         | mov                 word ptr [esi + 0x10], 0x45

    // Any 7 of the 10 patterns must hit, and the scanned object must be
    // smaller than 57344 bytes (56 KiB); the size bound is derived from the
    // reference sample, so a padded or repacked build larger than 56 KiB is
    // not matched even if all ten sequences are present.
    // NOTE(review): `filesize` is undefined when YARA scans a running process,
    // so this condition cannot fire in live-memory scans even though the
    // patterns were extracted from memory dumps. For memory hunting, use a copy
    // of the rule without the filesize clause (and expect correspondingly more
    // false positives, since the byte patterns are unpacked-code sequences).
    condition:
        7 of them and filesize < 57344
}