YARA rules for HTRAN

6 rules · scoped to tool
YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts across files and memory images.

direct match · family: htran
HKTL_htran_go
Detects go based htran variant
Author: Jeff Beley · License: see source repo
rule HKTL_htran_go {
   meta:
      author = "Jeff Beley"
      hash1 = "4acbefb9f7907c52438ebb3070888ddc8cddfe9e3849c9d0196173a422b9035f"
      description = "Detects go based htran variant"
      date = "2019-01-09"
      id = "bd9409e3-3d4c-57d6-af60-b6d6bd93d46b"
   strings:
      $s1 = "https://github.com/cw1997/NATBypass" fullword ascii
      $s2 = "-slave ip1:port1 ip2:port2" fullword ascii
      $s3 = "-tran port1 ip:port2" fullword ascii
   condition:
      // PE file (MZ header), under 7000KB, with any one of the marker strings
      uint16(0) == 0x5a4d and filesize < 7000KB and 1 of them
}
direct match · family: DeepPanda
DeepPanda_htran_exe
Hack Deep Panda - htran-exe
Author: Florian Roth (Nextron Systems) · License: see source repo
rule DeepPanda_htran_exe {
	meta:
		description = "Hack Deep Panda - htran-exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		date = "2015/02/08"
		hash = "38e21f0b87b3052b536408fdf59185f8b3d210b9"
		id = "2a551e82-aff1-5a77-bc5e-d06e49dca8bc"
	strings:
		$s0 = "%s -<listen|tran|slave> <option> [-log logfile]" fullword ascii
		$s2 = "\\Release\\htran.pdb" ascii
		$s3 = "[SERVER]connection to %s:%d error" fullword ascii
		$s4 = "-tran  <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
		$s8 = "======================== htran V%s =======================" fullword ascii
		$s11 = "-slave  <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
		$s15 = "[+] OK! I Closed The Two Socket." fullword ascii
		$s20 = "-listen <ConnectPort> <TransmitPort>" fullword ascii
	condition:
		// no PE header or size gate: any one usage/banner string is enough
		1 of them
}
direct match
CN_Honker_Htran_V2_40_htran20
Sample from CN Honker Pentest Toolset - file htran20.exe
Author: Florian Roth (Nextron Systems) · License: see source repo
rule CN_Honker_Htran_V2_40_htran20 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file htran20.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "b992bf5b04d362ed3757e90e57bc5d6b2a04e65c"
		id = "9dd1ab4b-108e-55be-b94d-2868ce00855e"
	strings:
		$s1 = "%s -slave  ConnectHost ConnectPort TransmitHost TransmitPort" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "Enter Your Socks Type No: [0.BindPort 1.ConnectBack 2.Listen]:" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "[SERVER]connection to %s:%d error" fullword ascii /* PEStudio Blacklist: strings */
		$s4 = "%s -connect ConnectHost [ConnectPort]       Default:%d" fullword ascii /* PEStudio Blacklist: strings */
		$s5 = "[+] got, ip:%s, port:%d" fullword ascii /* PEStudio Blacklist: strings */
		$s6 = "[-] There is a error...Create a new connection." fullword ascii /* PEStudio Blacklist: strings */
	condition:
		// PE file (MZ header), under 200KB, with all six strings present
		uint16(0) == 0x5a4d and filesize < 200KB and all of them
}
direct match
CN_Honker_HTran2_4
Sample from CN Honker Pentest Toolset - file HTran2.4.exe
Author: Florian Roth (Nextron Systems) · License: see source repo
rule CN_Honker_HTran2_4 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file HTran2.4.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "524f986692f55620013ab5a06bf942382e64d38a"
		id = "21cb5ec5-900d-5092-8c2b-2d951289957c"
	strings:
		$s1 = "Enter Your Socks Type No: [0.BindPort 1.ConnectBack 2.Listen]:" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "[+] New connection %s:%d !!" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		// PE file (MZ header), under 180KB, with both strings present
		uint16(0) == 0x5a4d and filesize < 180KB and all of them
}
direct match
CN_Honker__lcx_HTran2_4_htran20
Sample from CN Honker Pentest Toolset - from files lcx.exe, HTran2.4.exe, htran20.exe
Author: Florian Roth (Nextron Systems) · License: see source repo
rule CN_Honker__lcx_HTran2_4_htran20 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - from files lcx.exe, HTran2.4.exe, htran20.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		super_rule = 1
		hash0 = "0c8779849d53d0772bbaa1cedeca150c543ebf38"
		hash1 = "524f986692f55620013ab5a06bf942382e64d38a"
		hash2 = "b992bf5b04d362ed3757e90e57bc5d6b2a04e65c"
		id = "c6851e7b-ab64-5578-896e-4d92fb3b2000"
	strings:
		$s1 = "[SERVER]connection to %s:%d error" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "[+] OK! I Closed The Two Socket." fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "[+] Start Transmit (%s:%d <-> %s:%d) ......" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		// super rule covering three samples: PE file (MZ header), under 440KB, all three strings
		uint16(0) == 0x5a4d and filesize < 440KB and all of them
}
direct match · family: IronPanda
IronPanda_Malware_Htran
Iron Panda Malware Htran
Author: Florian Roth (Nextron Systems) · License: see source repo
rule IronPanda_Malware_Htran {
	meta:
		description = "Iron Panda Malware Htran"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://goo.gl/E4qia9"
		date = "2015-09-16"
		hash = "7903f94730a8508e9b272b3b56899b49736740cea5037ea7dbb4e690bcaf00e7"
		id = "7215f0da-9367-59b4-a78b-aeeebc4f2b69"
	strings:
		$s1 = "[-] Gethostbyname(%s) error:%s" fullword ascii
		$s2 = "%s -<listen|tran|slave> <option> [-log logfile]" fullword ascii
		$s3 = "-slave <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
		$s4 = "[-] ERROR: Must supply logfile name." fullword ascii
		$s5 = "[SERVER]connection to %s:%d error" fullword ascii
		$s6 = "[+] Make a Connection to %s:%d...." fullword ascii
		$s7 = "[+] Waiting another Client on port:%d...." fullword ascii
		$s8 = "[+] Accept a Client on port %d from %s" fullword ascii
		$s9 = "[+] Make a Connection to %s:%d ......" fullword ascii
		$s10 = "cmshared_get_ptr_from_atom" fullword ascii
		$s11 = "_cmshared_get_ptr_from_atom" ascii
		$s12 = "[+] OK! I Closed The Two Socket." fullword ascii
		$s13 = "[-] TransmitPort invalid." fullword ascii
		$s14 = "[+] Waiting for Client on port:%d ......" fullword ascii
	condition:
		// small PE file (MZ header, under 125KB) with 3 markers, or any file with 5 markers
		( uint16(0) == 0x5a4d and filesize < 125KB and 3 of them )
		or
		5 of them
}
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin