Havoc C2 - Yara Detection Via Ntdll API Hashes
Tags
attack-pattern | Malware - T1587.001; Malware - T1588.001 |
Common Information
Type | Value |
---|---|
UUID | 901bdfd9-4c7f-4a43-a387-b4aea0553752 |
Fingerprint | a68709b4053e3388 |
Analysis status | DONE |
Considered CTI value | 0 |
Text language | |
Published | Nov. 21, 2022, midnight |
Added to db | Aug. 13, 2023, 10:02 a.m. |
Last updated | Nov. 17, 2024, 11:40 p.m. |
Headline | Havoc C2 - Yara Detection Via Ntdll API Hashes |
Title | Havoc C2 - Yara Detection Via Ntdll API Hashes |
Detected Hints/Tags/Attributes | 13/1/8 |
Source URLs
URL Provider
RSS Feed
Id | Enabled | Feed title | Url | Added to db |
---|---|---|---|---|
107 | ✔ | Embee Research | https://embee-research.ghost.io/rss/ | 2024-08-30 22:08 |
Attributes
Type | #Events | CTI | Value |
---|---|---|---|
Domain | 4128 | | github.com |
Domain | 1373 | | twitter.com |
File | 533 | | ntdll.dll |
Github username | 4 | | embee-research |
Url | 1 | | https://github.com/embee-research/yara/tree/main/rules |
Url | 1 | | https://github.com/embee-research/yara |
Url | 1 | | https://twitter.com/embee_research/status/1579668721777643520 |
Yara rule | 1 | | rule DemonNtdllHashes (full rule text below) |

The Yara rule attribute, as recorded in this entry:

```yara
rule DemonNtdllHashes {
    meta:
        author = "embee_research @ HuntressLabs"
        vendor = "Huntress Research"
        date = "2022/10/11"
    strings:
        $nt_hash1 = { 53 17 E6 70 }
        $nt_hash2 = { 43 6A 45 9E }
        $nt_hash3 = { EC B8 83 F7 }
        $nt_hash4 = { 88 28 E9 50 }
        $nt_hash5 = { F6 99 5A 2E }
        $nt_hash6 = { DA 81 B3 C0 }
        $nt_hash7 = { D7 71 BA 70 }
        $nt_hash8 = { 88 2B 49 8E }
        $nt_hash9 = { EF F0 A1 3A }
        $nt_hash10 = { F5 39 34 7C }
        $nt_hash11 = { 70 F2 AB 35 }
        $nt_hash12 = { 1D AA A3 3C }
        $nt_hash13 = { 11 B2 8F F7 }
        $nt_hash14 = { 4C 7C DE A5 }
        $nt_hash15 = { 90 FE 61 95 }
        $nt_hash16 = { D0 EE 33 77 }
        $nt_hash17 = { A9 AF 4B 55 }
        $nt_hash18 = { 0E 21 0C 88 }
        $nt_hash19 = { 3D 13 8E 8B }
        $nt_hash20 = { 7D 74 58 CA }
    condition:
        (3 of them) and (uint16(0) == 0x5a4d or uint16(0) == 0x00e8 or uint16(0) == 0x4856)
}
```