The hypothesis is that a detection of htran-exe, the tool associated with the Deep Panda group and the Anthem hack, may indicate adversary activity that uses it for lateral movement or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise and mitigate the risk of advanced persistent threats.
YARA Rule
rule Anthem_DeepPanda_htran_exe
{
    meta:
        description = "Anthem Hack Deep Panda - htran-exe"
        author = "Florian Roth"
        date = "2015/02/08"
        hash = "38e21f0b87b3052b536408fdf59185f8b3d210b9"
    strings:
        $s0 = "%s -<listen|tran|slave> <option> [-log logfile]" fullword ascii
        $s1 = "[-] Gethostbyname(%s) error:%s" fullword ascii
        $s2 = "e:\\VS 2008 Project\\htran\\Release\\htran.pdb" fullword ascii
        $s3 = "[SERVER]connection to %s:%d error" fullword ascii
        $s4 = "-tran <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
        $s5 = "[-] ERROR: Must supply logfile name." fullword ascii
        $s6 = "[-] There is a error...Create a new connection." fullword ascii
        $s7 = "[+] Accept a Client on port %d from %s" fullword ascii
        $s8 = "======================== htran V%s =======================" fullword ascii
        $s9 = "[-] Socket Listen error." fullword ascii
        $s10 = "[-] ERROR: open logfile" fullword ascii
        $s11 = "-slave <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
        $s12 = "[+] Make a Connection to %s:%d ......" fullword ascii
        $s14 = "Recv %5d bytes from %s:%d" fullword ascii
        $s15 = "[+] OK! I Closed The Two Socket." fullword ascii
        $s16 = "[+] Waiting another Client on port:%d...." fullword ascii
        $s17 = "[+] Accept a Client on port %d from %s ......" fullword ascii
        $s20 = "-listen <ConnectPort> <TransmitPort>" fullword ascii
    condition:
        10 of them
}
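As an added illustration (not code from the original page or from the rule's author), the following Python reimplements the rule's matching logic without yara-python: the 18 strings with YARA's fullword semantics and the "10 of them" threshold, run over two constructed byte buffers that are not real samples.

```python
# The 18 "fullword ascii" patterns of the rule above, keyed by their YARA identifiers.
HTRAN_STRINGS = {
    "$s0": b"%s -<listen|tran|slave> <option> [-log logfile]",
    "$s1": b"[-] Gethostbyname(%s) error:%s",
    "$s2": b"e:\\VS 2008 Project\\htran\\Release\\htran.pdb",
    "$s3": b"[SERVER]connection to %s:%d error",
    "$s4": b"-tran <ConnectPort> <TransmitHost> <TransmitPort>",
    "$s5": b"[-] ERROR: Must supply logfile name.",
    "$s6": b"[-] There is a error...Create a new connection.",
    "$s7": b"[+] Accept a Client on port %d from %s",
    "$s8": b"======================== htran V%s =======================",
    "$s9": b"[-] Socket Listen error.",
    "$s10": b"[-] ERROR: open logfile",
    "$s11": b"-slave <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>",
    "$s12": b"[+] Make a Connection to %s:%d ......",
    "$s14": b"Recv %5d bytes from %s:%d",
    "$s15": b"[+] OK! I Closed The Two Socket.",
    "$s16": b"[+] Waiting another Client on port:%d....",
    "$s17": b"[+] Accept a Client on port %d from %s ......",
    "$s20": b"-listen <ConnectPort> <TransmitPort>",
}
THRESHOLD = 10  # the rule's condition: "10 of them"

def fullword_ascii_match(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword': an occurrence counts only if the bytes right before and after
    it are not alphanumeric; bytes.isalnum() is False for an empty slice (file edge)."""
    idx = data.find(needle)
    while idx >= 0:
        end = idx + len(needle)
        if not data[idx - 1:idx].isalnum() and not data[end:end + 1].isalnum():
            return True
        idx = data.find(needle, idx + 1)
    return False

def evaluate_rule(data: bytes):
    """Return (matched identifiers, rule fires) under the 'N of them' condition."""
    matched = [k for k, s in HTRAN_STRINGS.items() if fullword_ascii_match(data, s)]
    return matched, len(matched) >= THRESHOLD

# Constructed test buffers, not real files: SUSPECT embeds 11 delimited strings;
# BENIGN glues $s9 to an alphanumeric byte so fullword rejects it, leaving only 2 hits.
SUSPECT = b"\x00".join(list(HTRAN_STRINGS.values())[:11]) + b"\x00"
BENIGN = b"\x00".join([b"padding", HTRAN_STRINGS["$s9"] + b"X",
                       HTRAN_STRINGS["$s0"], HTRAN_STRINGS["$s1"]])

if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, evaluate_rule(blob))
```

Note that $s7 is a prefix of $s17; because the extra text in $s17 starts with a space, YARA's fullword check still counts both as separate hits on a real sample.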
This rule contains 18 string patterns in its detection logic. The YARA rule can be deployed in the following contexts, each paired with a filter/exclusion for expected benign activity. Because these exclusions match on parent process name, user name or command-line substrings, they should be scoped as narrowly as possible.

Scenario: Legitimate scheduled job running htran.exe for data migration
Filter/Exclusion: process.parent_process_name == "schtasks.exe" or process.command_line contains "data_migration"

Scenario: System administrator using htran.exe to transfer logs between servers
Filter/Exclusion: process.user == "admin_user" or process.command_line contains "log_transfer"

Scenario: Security tool or endpoint protection software using htran.exe for file integrity monitoring
Filter/Exclusion: process.parent_process_name == "endpoint_protection_service.exe" or process.command_line contains "integrity_check"

Scenario: Development team using htran.exe as part of a CI/CD pipeline for artifact transfer
Filter/Exclusion: process.parent_process_name == "jenkins.exe" or process.command_line contains "ci_cd_pipeline"

Scenario: IT staff using htran.exe to transfer configuration files during system setup
Filter/Exclusion: process.command_line contains "setup_config" or process.user == "it_setup_user"