SYMBOLCOMMON_NAMEaka. SYNONYMS
win.onhat (Back to overview)

ONHAT


There is no description at this point.

References
2015-12-26GoogleVarious
@online{various:20151226:groups:987aa84, author = {Various}, title = {{APT Groups and Operations}}, date = {2015-12-26}, organization = {Google}, url = {https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/htmlview}, language = {English}, urldate = {2020-01-13} } APT Groups and Operations
ONHAT
2014-02-14SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20140214:analysis:0417082, author = {Counter Threat Unit ResearchTeam}, title = {{Analysis of DHS NCCIC Indicators}}, date = {2014-02-14}, organization = {Secureworks}, url = {https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators}, language = {English}, urldate = {2020-05-26} } Analysis of DHS NCCIC Indicators
jspRAT BeepService DDKeylogger LinseningSvr ONHAT SimpleFileMover ZiyangRAT
Yara Rules
[TLP:WHITE] win_onhat_auto (20211008 | Detects win.onhat.)
rule win_onhat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.onhat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.onhat"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 89442418 e8???????? 8be8 83c408 85ed 753a 8b442410 }
            // n = 7, score = 200
            //   89442418             | mov                 dword ptr [esp + 0x18], eax
            //   e8????????           |                     
            //   8be8                 | mov                 ebp, eax
            //   83c408               | add                 esp, 8
            //   85ed                 | test                ebp, ebp
            //   753a                 | jne                 0x3c
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]

        $sequence_1 = { f3ab 66ab 8d8c2494000000 6a20 8d54242c }
            // n = 5, score = 200
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   66ab                 | stosw               word ptr es:[edi], ax
            //   8d8c2494000000       | lea                 ecx, dword ptr [esp + 0x94]
            //   6a20                 | push                0x20
            //   8d54242c             | lea                 edx, dword ptr [esp + 0x2c]

        $sequence_2 = { 66894c2412 e8???????? 83f8ff 0f85a7000000 b04e b243 }
            // n = 6, score = 200
            //   66894c2412           | mov                 word ptr [esp + 0x12], cx
            //   e8????????           |                     
            //   83f8ff               | cmp                 eax, -1
            //   0f85a7000000         | jne                 0xad
            //   b04e                 | mov                 al, 0x4e
            //   b243                 | mov                 dl, 0x43

        $sequence_3 = { f7e1 c1ea06 53 56 89542410 8bc1 33d2 }
            // n = 7, score = 200
            //   f7e1                 | mul                 ecx
            //   c1ea06               | shr                 edx, 6
            //   53                   | push                ebx
            //   56                   | push                esi
            //   89542410             | mov                 dword ptr [esp + 0x10], edx
            //   8bc1                 | mov                 eax, ecx
            //   33d2                 | xor                 edx, edx

        $sequence_4 = { 5f 5e 5b 81c414110000 c3 5f 5e }
            // n = 7, score = 200
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   81c414110000         | add                 esp, 0x1114
            //   c3                   | ret                 
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_5 = { 83c40c 85c0 0f85e7010000 8b942474100000 }
            // n = 4, score = 200
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax
            //   0f85e7010000         | jne                 0x1ed
            //   8b942474100000       | mov                 edx, dword ptr [esp + 0x1074]

        $sequence_6 = { ff15???????? e9???????? 68???????? eb05 68???????? e8???????? 83c404 }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   e9????????           |                     
            //   68????????           |                     
            //   eb05                 | jmp                 7
            //   68????????           |                     
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_7 = { 56 8b742434 33db 663bf3 57 895c2410 895c2438 }
            // n = 7, score = 200
            //   56                   | push                esi
            //   8b742434             | mov                 esi, dword ptr [esp + 0x34]
            //   33db                 | xor                 ebx, ebx
            //   663bf3               | cmp                 si, bx
            //   57                   | push                edi
            //   895c2410             | mov                 dword ptr [esp + 0x10], ebx
            //   895c2438             | mov                 dword ptr [esp + 0x38], ebx

        $sequence_8 = { 668b542412 55 8d44246c 6a0a }
            // n = 4, score = 200
            //   668b542412           | mov                 dx, word ptr [esp + 0x12]
            //   55                   | push                ebp
            //   8d44246c             | lea                 eax, dword ptr [esp + 0x6c]
            //   6a0a                 | push                0xa

        $sequence_9 = { c684248401000052 888c2485010000 c684248601000020 88942487010000 }
            // n = 4, score = 200
            //   c684248401000052     | mov                 byte ptr [esp + 0x184], 0x52
            //   888c2485010000       | mov                 byte ptr [esp + 0x185], cl
            //   c684248601000020     | mov                 byte ptr [esp + 0x186], 0x20
            //   88942487010000       | mov                 byte ptr [esp + 0x187], dl

    condition:
        7 of them and filesize < 57344
}
Download all Yara Rules