SYMBOLCOMMON_NAMEaka. SYNONYMS
win.onhat (Back to overview)

ONHAT

VTCollection    

There is no description at this point.

References
2015-12-26GoogleVarious
APT Groups and Operations
ONHAT
2014-02-14SecureworksCounter Threat Unit ResearchTeam
Analysis of DHS NCCIC Indicators
jspRAT BeepService DDKeylogger LinseningSvr ONHAT SimpleFileMover ZiyangRAT
Yara Rules
[TLP:WHITE] win_onhat_auto (20230808 | Detects win.onhat.)
rule win_onhat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.onhat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.onhat"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 68???????? e8???????? 83c404 b806000080 5f 5e 5d }
            // n = 7, score = 200
            //   68????????           |                     
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   b806000080           | mov                 eax, 0x80000006
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp

        $sequence_1 = { c684242c01000048 889c242d010000 c684242e01000045 c684242f0100004e }
            // n = 4, score = 200
            //   c684242c01000048     | mov                 byte ptr [esp + 0x12c], 0x48
            //   889c242d010000       | mov                 byte ptr [esp + 0x12d], bl
            //   c684242e01000045     | mov                 byte ptr [esp + 0x12e], 0x45
            //   c684242f0100004e     | mov                 byte ptr [esp + 0x12f], 0x4e

        $sequence_2 = { 8d7c2414 bee8030000 f3ab 8b8c2424010000 b8d34d6210 f7e1 c1ea06 }
            // n = 7, score = 200
            //   8d7c2414             | lea                 edi, [esp + 0x14]
            //   bee8030000           | mov                 esi, 0x3e8
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   8b8c2424010000       | mov                 ecx, dword ptr [esp + 0x124]
            //   b8d34d6210           | mov                 eax, 0x10624dd3
            //   f7e1                 | mul                 ecx
            //   c1ea06               | shr                 edx, 6

        $sequence_3 = { 88542408 f3ab 8b8c240c200000 88542406 66ab aa 8d842410200000 }
            // n = 7, score = 200
            //   88542408             | mov                 byte ptr [esp + 8], dl
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   8b8c240c200000       | mov                 ecx, dword ptr [esp + 0x200c]
            //   88542406             | mov                 byte ptr [esp + 6], dl
            //   66ab                 | stosw               word ptr es:[edi], ax
            //   aa                   | stosb               byte ptr es:[edi], al
            //   8d842410200000       | lea                 eax, [esp + 0x2010]

        $sequence_4 = { 57 32d2 b9ff070000 33c0 8d7c2409 88542408 }
            // n = 6, score = 200
            //   57                   | push                edi
            //   32d2                 | xor                 dl, dl
            //   b9ff070000           | mov                 ecx, 0x7ff
            //   33c0                 | xor                 eax, eax
            //   8d7c2409             | lea                 edi, [esp + 9]
            //   88542408             | mov                 byte ptr [esp + 8], dl

        $sequence_5 = { 53 ff15???????? 8bf0 3bf3 7526 }
            // n = 5, score = 200
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   3bf3                 | cmp                 esi, ebx
            //   7526                 | jne                 0x28

        $sequence_6 = { 33c9 8a4c2432 8ac7 52 50 c1eb18 51 }
            // n = 7, score = 200
            //   33c9                 | xor                 ecx, ecx
            //   8a4c2432             | mov                 cl, byte ptr [esp + 0x32]
            //   8ac7                 | mov                 al, bh
            //   52                   | push                edx
            //   50                   | push                eax
            //   c1eb18               | shr                 ebx, 0x18
            //   51                   | push                ecx

        $sequence_7 = { 8d7710 6a00 8d842424010000 56 50 51 e8???????? }
            // n = 7, score = 200
            //   8d7710               | lea                 esi, [edi + 0x10]
            //   6a00                 | push                0
            //   8d842424010000       | lea                 eax, [esp + 0x124]
            //   56                   | push                esi
            //   50                   | push                eax
            //   51                   | push                ecx
            //   e8????????           |                     

        $sequence_8 = { 8d54241c 55 55 52 68???????? 55 55 }
            // n = 7, score = 200
            //   8d54241c             | lea                 edx, [esp + 0x1c]
            //   55                   | push                ebp
            //   55                   | push                ebp
            //   52                   | push                edx
            //   68????????           |                     
            //   55                   | push                ebp
            //   55                   | push                ebp

        $sequence_9 = { c644242852 c644242955 885c242a c644242b41 c644242c44 c644242d44 c644242e52 }
            // n = 7, score = 200
            //   c644242852           | mov                 byte ptr [esp + 0x28], 0x52
            //   c644242955           | mov                 byte ptr [esp + 0x29], 0x55
            //   885c242a             | mov                 byte ptr [esp + 0x2a], bl
            //   c644242b41           | mov                 byte ptr [esp + 0x2b], 0x41
            //   c644242c44           | mov                 byte ptr [esp + 0x2c], 0x44
            //   c644242d44           | mov                 byte ptr [esp + 0x2d], 0x44
            //   c644242e52           | mov                 byte ptr [esp + 0x2e], 0x52

    condition:
        7 of them and filesize < 57344
}
Download all Yara Rules