HTran (the "HUC Packet Transmit Tool"), associated here with the Iron Panda threat group, is not a payload but a TCP connection relay: its -listen, -tran and -slave modes (visible in the usage strings of the rule below) bounce a connection between an attacker-controlled host and an internal target, which is how it ends up tunnelling command-and-control and exfiltration traffic through an intermediate host. SOC teams should hunt for it in Azure Sentinel (now Microsoft Sentinel) on two fronts: the binary on disk, with the YARA rule below, and the relay behaviour itself (an unusual process that connects out to an external address and back in to an internal service), so that the bridge into the environment is found before data leaves through it.
YARA Rule
rule IronPanda_Malware_Htran
{
    meta:
        description = "Iron Panda Malware Htran"
        author = "Florian Roth"
        reference = "https://goo.gl/E4qia9"
        date = "2015-09-16"
        hash = "7903f94730a8508e9b272b3b56899b49736740cea5037ea7dbb4e690bcaf00e7"
    strings:
        $s1 = "[-] Gethostbyname(%s) error:%s" fullword ascii
        $s2 = "%s -<listen|tran|slave> <option> [-log logfile]" fullword ascii
        $s3 = "-slave <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
        $s4 = "[-] ERROR: Must supply logfile name." fullword ascii
        $s5 = "[SERVER]connection to %s:%d error" fullword ascii
        $s6 = "[+] Make a Connection to %s:%d...." fullword ascii
        $s7 = "[+] Waiting another Client on port:%d...." fullword ascii
        $s8 = "[+] Accept a Client on port %d from %s" fullword ascii
        $s9 = "[+] Make a Connection to %s:%d ......" fullword ascii
        $s10 = "cmshared_get_ptr_from_atom" fullword ascii
        $s11 = "_cmshared_get_ptr_from_atom" fullword ascii
        $s12 = "[+] OK! I Closed The Two Socket." fullword ascii
        $s13 = "[-] TransmitPort invalid." fullword ascii
        $s14 = "[+] Waiting for Client on port:%d ......" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 125KB and 3 of them ) or 5 of them
}
The rule has 14 fullword ASCII strings, all taken from HTran's usage and status messages, and two ways to fire: a small PE file (uint16(0) == 0x5a4d, i.e. an MZ header, and under 125 KB) that contains any 3 of them, or any file at all that contains 5 or more. The second branch is what lets the rule work on memory dumps, unpacked-then-dumped copies and non-PE carriers, but it also means a plain-text file that quotes these strings (a checkout of a signature repository, an analysis report, this page) will match, so a hit on a non-executable needs triage rather than an alert. Note also that $s10 is a substring of $s11: fullword only rejects an adjacent alphanumeric byte, and a leading underscore is not one, so a single occurrence of the longer symbol counts for both strings.
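To make the condition concrete, the following Python re-implements the rule's matching logic (fullword delimiting, the MZ/size branch and the bare "5 of them" branch) and runs it over constructed inputs, including the plain-text false positive described above. This is an added example, not code from the page or from the signature-base project, and it is not a substitute for running yara itself; it assumes that YARA's fullword check treats only A-Za-z0-9 as word characters.

```python
import re

# The 14 strings from the rule above, all declared "fullword ascii".
HTRAN_STRINGS = [
    b"[-] Gethostbyname(%s) error:%s",
    b"%s -<listen|tran|slave> <option> [-log logfile]",
    b"-slave <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>",
    b"[-] ERROR: Must supply logfile name.",
    b"[SERVER]connection to %s:%d error",
    b"[+] Make a Connection to %s:%d....",
    b"[+] Waiting another Client on port:%d....",
    b"[+] Accept a Client on port %d from %s",
    b"[+] Make a Connection to %s:%d ......",
    b"cmshared_get_ptr_from_atom",
    b"_cmshared_get_ptr_from_atom",
    b"[+] OK! I Closed The Two Socket.",
    b"[-] TransmitPort invalid.",
    b"[+] Waiting for Client on port:%d ......",
]
FILESIZE_LIMIT = 125 * 1024  # YARA's "125KB" is 125 * 1024 bytes


def fullword_hits(data: bytes) -> int:
    """Count how many of the rule's strings occur as fullword matches.

    Assumption: YARA's fullword modifier rejects a match that is directly
    preceded or followed by an alphanumeric byte (A-Za-z0-9); underscore,
    NUL and punctuation count as delimiters. Each string counts once, because
    "N of them" counts distinct strings, not occurrences.
    """
    hits = 0
    for s in HTRAN_STRINGS:
        pattern = rb"(?<![A-Za-z0-9])" + re.escape(s) + rb"(?![A-Za-z0-9])"
        if re.search(pattern, data):
            hits += 1
    return hits


def rule_matches(data: bytes) -> bool:
    """Evaluate the condition as written:
    ( uint16(0) == 0x5a4d and filesize < 125KB and 3 of them ) or 5 of them
    """
    is_mz = data[:2] == b"MZ"  # little-endian uint16 0x5a4d
    hits = fullword_hits(data)
    return (is_mz and len(data) < FILESIZE_LIMIT and hits >= 3) or hits >= 5


# Constructed inputs (not real samples). Strings are NUL-delimited as they
# would be in a binary's .rdata, so every hit satisfies the fullword check.
def _fake_pe(strings, pad=0):
    return b"MZ" + b"\x00" * (62 + pad) + b"\x00".join(strings) + b"\x00"

SMALL_PE_3 = _fake_pe([HTRAN_STRINGS[1], HTRAN_STRINGS[2], HTRAN_STRINGS[12]])
SMALL_PE_2 = _fake_pe([HTRAN_STRINGS[1], HTRAN_STRINGS[2]])
LARGE_PE_3 = _fake_pe([HTRAN_STRINGS[1], HTRAN_STRINGS[2], HTRAN_STRINGS[12]],
                      pad=FILESIZE_LIMIT)
# A plain-text file quoting the rule's own strings section, e.g. a signature
# repository checkout: no MZ header, but the "5 of them" branch still fires.
RULE_TEXT = b"\n".join(
    b'$s%d = "%s" fullword ascii' % (i + 1, s) for i, s in enumerate(HTRAN_STRINGS)
)
# Four strings in a text file: neither branch is satisfied.
REPORT_TEXT = b"\n".join(HTRAN_STRINGS[:4])


def scan(samples):
    """Return {name: (fullword hits, rule fired)} for a dict of named blobs."""
    return {name: (fullword_hits(d), rule_matches(d)) for name, d in samples.items()}


if __name__ == "__main__":
    for name, (hits, fired) in scan({
        "small_pe_3_strings": SMALL_PE_3,
        "small_pe_2_strings": SMALL_PE_2,
        "large_pe_3_strings": LARGE_PE_3,
        "rule_text_file": RULE_TEXT,
        "report_text_4_strings": REPORT_TEXT,
    }).items():
        print(f"{name:24s} hits={hits:2d} match={fired}")
```

The large-PE case shows why the size bound matters: a copy padded past 125 KB (or a dumped process image) only matches through the second branch, so it needs 5 strings rather than 3. The rule-text case is the triage caveat made concrete: every hit on a file without an MZ header deserves a look at what the file actually is.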
Scenario: A content scan covers a checkout of a YARA signature repository, a threat-intelligence share, or an analysis report that quotes HTran's usage text; the "5 of them" branch fires on the plain text.
Filter/Exclusion: Exclude the signature and report paths, or, for scans of document stores, run a local copy of the rule with the "or 5 of them" branch removed so that only MZ files can match.
Scenario: A red-team or penetration-testing toolkit on an approved jump host contains HTran itself, which is a publicly available tool.
Filter/Exclusion: Do not exclude by launching process; allow-list the approved copy by SHA-256 and path only, and keep alerting on the same bytes anywhere else, because an attacker's copy is the same tool.
Scenario: An antivirus quarantine, sandbox output directory, or malware sample store holds HTran samples that are already known.
Filter/Exclusion: Exclude the quarantine and sample-store paths; matches there are expected and are better handled by the tooling that owns those directories.
The rule matches file content, not a file name, extension or parent process: there is no ".htran" extension, and HTran binaries are commonly renamed before deployment. Exclusions keyed on schtasks.exe, reg.exe, powershell.exe, sqlagent.exe or ccmexec.exe therefore do not narrow this rule at all; they only blind the host telemetry you would pair it with, since a scheduled task or a PowerShell one-liner is exactly how a renamed relay gets launched.
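The introduction asks for hunting the relay behaviour as well as the file. The Python below is an added example, not code from the page or from the signature-base project: it parses constructed process-creation events for HTran's argument grammar, pulls out the relay peers and ports, and flags invocations that point at an address outside the RFC 1918 ranges, regardless of what the binary is called. The -slave form is the rule's own $s3 string and the overall shape ("-<listen|tran|slave> <option> [-log logfile]") is $s2; the argument counts assumed for -listen and -tran come from HTran's published usage and are not stated on this page. Hostnames, paths and IP addresses in the sample events are invented; a Sentinel query would apply the same logic to the process command-line column.

```python
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# Positional arguments per mode. The -slave form is exactly the rule's $s3
# string; -tran and -listen are ASSUMED from HTran's published usage text.
MODE_ARGS = {
    "-slave": ("ConnectHost", "ConnectPort", "TransmitHost", "TransmitPort"),
    "-tran": ("ConnectPort", "TransmitHost", "TransmitPort"),  # assumption
    "-listen": ("ConnectPort", "TransmitPort"),                # assumption
}

# Address space treated as "inside"; any other literal IP is an external peer.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class RelayFinding:
    host: str
    image: str
    mode: str
    params: dict
    logfile: Optional[str]
    external_peer: bool


def _is_port(value: str) -> bool:
    return value.isdigit() and 0 < int(value) < 65536


def _is_external(host: str) -> bool:
    """True for a literal IP outside INTERNAL_NETS. Hostnames return False
    because their address is only known at resolution time."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def parse_htran_cmdline(cmdline: str) -> Optional[dict]:
    """Return {mode, params, logfile} if the command line follows HTran's
    grammar (the rule's $s2: "<exe> -<listen|tran|slave> <option> [-log
    logfile]"), else None. Matching on syntax rather than on the image name
    matters because the binary is commonly renamed before use."""
    try:
        argv = shlex.split(cmdline, posix=False)  # keep Windows backslashes
    except ValueError:
        return None
    if len(argv) < 2 or argv[1].lower() not in MODE_ARGS:
        return None
    mode = argv[1].lower()
    args = argv[2:]
    logfile = None
    if "-log" in args:
        i = args.index("-log")
        if i + 1 >= len(args):  # the tool itself refuses this case ($s4)
            return None
        logfile = args[i + 1]
        args = args[:i] + args[i + 2:]
    names = MODE_ARGS[mode]
    if len(args) != len(names):
        return None
    params = dict(zip(names, args))
    if not all(_is_port(v) for k, v in params.items() if k.endswith("Port")):
        return None
    return {"mode": mode, "params": params, "logfile": logfile}


def hunt(events) -> list:
    """Run the parser over process-creation records (dicts with host, image,
    cmdline) and return one RelayFinding per HTran-style invocation."""
    findings = []
    for ev in events:
        parsed = parse_htran_cmdline(ev["cmdline"])
        if parsed is None:
            continue
        hosts = [v for k, v in parsed["params"].items() if k.endswith("Host")]
        findings.append(RelayFinding(
            host=ev["host"], image=ev["image"], mode=parsed["mode"],
            params=parsed["params"], logfile=parsed["logfile"],
            external_peer=any(_is_external(h) for h in hosts),
        ))
    return findings


# Constructed process-creation events (invented hostnames, paths and
# documentation-range IPs), not real telemetry.
EVENTS = [
    {"host": "WS-042", "image": r"C:\Windows\Temp\svc.exe",
     "cmdline": r'"C:\Windows\Temp\svc.exe" -slave 203.0.113.10 443 10.0.0.5 3389 -log C:\Windows\Temp\s.log'},
    {"host": "SRV-DB1", "image": r"C:\ProgramData\up.exe",
     "cmdline": "up.exe -tran 8080 198.51.100.7 80"},
    {"host": "WS-017", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=8080 connectaddress=10.0.0.5"},
    {"host": "WS-003", "image": r"C:\Tools\x.exe",
     "cmdline": "x.exe -slave evil.example 443"},  # wrong arity: not HTran grammar
    {"host": "JUMP-1", "image": r"C:\Tools\relay.exe",
     "cmdline": "relay.exe -listen 53 4444"},
]

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"{f.host:8s} {f.mode:8s} external={f.external_peer!s:5s} {f.params} log={f.logfile}")
```

The -slave finding is the one to chase first: ConnectHost is where the implant dials out to, TransmitHost is the internal service it exposes, and the -log path is a handy artefact to collect before the host is touched. The netsh portproxy line is deliberately not matched here; it is a different relay mechanism and deserves its own query rather than being folded into this one.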