SYMBOLCOMMON_NAMEaka. SYNONYMS
win.onhat (Back to overview)

ONHAT


There is no description at this point.

References
2015-12-26GoogleVarious
@online{various:20151226:groups:987aa84, author = {Various}, title = {{APT Groups and Operations}}, date = {2015-12-26}, organization = {Google}, url = {https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/htmlview}, language = {English}, urldate = {2020-01-13} } APT Groups and Operations
ONHAT
2014-02-14SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20140214:analysis:0417082, author = {Counter Threat Unit ResearchTeam}, title = {{Analysis of DHS NCCIC Indicators}}, date = {2014-02-14}, organization = {Secureworks}, url = {https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators}, language = {English}, urldate = {2020-05-26} } Analysis of DHS NCCIC Indicators
jspRAT BeepService DDKeylogger LinseningSvr ONHAT SimpleFileMover ZiyangRAT
Yara Rules
[TLP:WHITE] win_onhat_auto (20220411 | Detects win.onhat.)
rule win_onhat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.onhat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.onhat"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 50 e8???????? 83c404 83f8ff 89442464 }
            // n = 5, score = 200
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   83f8ff               | cmp                 eax, -1
            //   89442464             | mov                 dword ptr [esp + 0x64], eax

        $sequence_1 = { c644243b4e c644243c56 885c243d c644243e53 }
            // n = 4, score = 200
            //   c644243b4e           | mov                 byte ptr [esp + 0x3b], 0x4e
            //   c644243c56           | mov                 byte ptr [esp + 0x3c], 0x56
            //   885c243d             | mov                 byte ptr [esp + 0x3d], bl
            //   c644243e53           | mov                 byte ptr [esp + 0x3e], 0x53

        $sequence_2 = { 85c0 7d85 68401f0000 ff15???????? 55 e8???????? 56 }
            // n = 7, score = 200
            //   85c0                 | test                eax, eax
            //   7d85                 | jge                 0xffffff87
            //   68401f0000           | push                0x1f40
            //   ff15????????         |                     
            //   55                   | push                ebp
            //   e8????????           |                     
            //   56                   | push                esi

        $sequence_3 = { 55 ff15???????? 8bf0 3bf5 7526 }
            // n = 5, score = 200
            //   55                   | push                ebp
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   3bf5                 | cmp                 esi, ebp
            //   7526                 | jne                 0x28

        $sequence_4 = { 55 895c2450 e8???????? 8b542410 89442448 52 e8???????? }
            // n = 7, score = 200
            //   55                   | push                ebp
            //   895c2450             | mov                 dword ptr [esp + 0x50], ebx
            //   e8????????           |                     
            //   8b542410             | mov                 edx, dword ptr [esp + 0x10]
            //   89442448             | mov                 dword ptr [esp + 0x48], eax
            //   52                   | push                edx
            //   e8????????           |                     

        $sequence_5 = { 3bc3 0f84d7000000 8b0c8e 8a1401 8b44241c }
            // n = 5, score = 200
            //   3bc3                 | cmp                 eax, ebx
            //   0f84d7000000         | je                  0xdd
            //   8b0c8e               | mov                 ecx, dword ptr [esi + ecx*4]
            //   8a1401               | mov                 dl, byte ptr [ecx + eax]
            //   8b44241c             | mov                 eax, dword ptr [esp + 0x1c]

        $sequence_6 = { 85c0 0f85c2010000 88442469 55 8d44246c 6a02 }
            // n = 6, score = 200
            //   85c0                 | test                eax, eax
            //   0f85c2010000         | jne                 0x1c8
            //   88442469             | mov                 byte ptr [esp + 0x69], al
            //   55                   | push                ebp
            //   8d44246c             | lea                 eax, dword ptr [esp + 0x6c]
            //   6a02                 | push                2

        $sequence_7 = { f3ab 66ab 8bac2478100000 8b9c246c100000 }
            // n = 4, score = 200
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   66ab                 | stosw               word ptr es:[edi], ax
            //   8bac2478100000       | mov                 ebp, dword ptr [esp + 0x1078]
            //   8b9c246c100000       | mov                 ebx, dword ptr [esp + 0x106c]

        $sequence_8 = { 33c9 8a4c2432 8ac7 52 50 c1eb18 51 }
            // n = 7, score = 200
            //   33c9                 | xor                 ecx, ecx
            //   8a4c2432             | mov                 cl, byte ptr [esp + 0x32]
            //   8ac7                 | mov                 al, bh
            //   52                   | push                edx
            //   50                   | push                eax
            //   c1eb18               | shr                 ebx, 0x18
            //   51                   | push                ecx

        $sequence_9 = { 83c40c b801000080 5f 5e 5d 5b }
            // n = 6, score = 200
            //   83c40c               | add                 esp, 0xc
            //   b801000080           | mov                 eax, 0x80000001
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   5b                   | pop                 ebx

    condition:
        7 of them and filesize < 57344
}
Download all Yara Rules