Malpedia family identifier: win.gh0sttimes

Gh0stTimes


Custom remote access trojan (RAT) attributed to the BlackTech actor, derived from Gh0st RAT.

References
2023-04-13 — Intel 471 — Jorge Rodriguez, Souhail Hammou
From GhostNet to PseudoManuscrypt - The evolution of Gh0st RAT
Families referenced: BBSRAT, Gh0stTimes, Ghost RAT, PseudoManuscrypt
2022-09-29 — NTT — NTT Security Holdings Corporation
Report on APT Attacks by BlackTech
Families referenced: Bifrost, PLEAD, TSCookie, Flagpro, Gh0stTimes, SelfMake Loader, SPIDERPIG RAT
2021-10-04 — JPCERT/CC — Shusei Tomonaga
Malware Gh0stTimes Used by BlackTech
Families referenced: Gh0stTimes, Ghost RAT
Yara Rules
[TLP:WHITE] win_gh0sttimes_auto (20260504 | Detects win.gh0sttimes.)
rule win_gh0sttimes_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.gh0sttimes."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gh0sttimes"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (annotation only - hex patterns and condition are unchanged)
     * - Two build targets are covered. $sequence_0..7 are 32-bit x86 code
     *   (score 800); $sequence_8..15 carry REX prefixes (0x41/0x42/0x45/0x48/
     *   0x4c) and are x86-64 code (score 600). A sample will normally satisfy
     *   only the group of its own bitness, so "7 of them" in practice means
     *   7 of the 8 sequences for that architecture. Very short patterns such
     *   as $sequence_7 (7 bytes) can occur in unrelated code; the threshold is
     *   what keeps the rule specific - do not lower it without re-testing.
     * - The generator decoded every sequence with a 32-bit decoder, so its
     *   original listing for $sequence_8..15 was wrong (each 0x48 REX byte was
     *   shown as "dec eax" and the mnemonics were shifted across sequences).
     *   Those listings have been re-decoded in 64-bit mode below.
     * - $sequence_9, $sequence_11 and $sequence_13 are the MSVC /GS stack-cookie
     *   prologue/epilogue, which is compiler boilerplate shared by many
     *   unrelated binaries; a hit on those alone is weak evidence.
     * - $sequence_1 (x86) and $sequence_14 (x64) look like the same source-level
     *   directory-walk loop; see the notes on those strings.
     * - "filesize < 548864" (0x86000) bounds the scanned object. How YARA
     *   evaluates filesize for process-memory scans and large memory dumps
     *   differs by version and target - NOTE(review): confirm this limit is
     *   acceptable for memory-scanning workflows before relying on the rule
     *   there.
     */


    strings:
        $sequence_0 = { e8???????? c745fcffffffff 8b03 50 c7431400000000 e8???????? 83c408 }
            // n = 7, score = 800
            //   e8????????           |                     
            //   c745fcffffffff       | mov                 dword ptr [ebp - 4], 0xffffffff
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   50                   | push                eax
            //   c7431400000000       | mov                 dword ptr [ebx + 0x14], 0
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            // note: [ebp-4] = -1 followed by two cdecl calls (add esp, 8 cleans
            // 2 dword args) resembles an MSVC SEH-frame epilogue; the callees are
            // masked, so this is not specific on its own.

        $sequence_1 = { e8???????? 8be5 5d c20400 80bdd0fcffff2e 7448 f685a4fcffff10 }
            // n = 7, score = 800
            //   e8????????           |                     
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4
            //   80bdd0fcffff2e       | cmp                 byte ptr [ebp - 0x330], 0x2e
            //   7448                 | je                  0x4a
            //   f685a4fcffff10       | test                byte ptr [ebp - 0x35c], 0x10
            // note: a stdcall-style epilogue (ret 4) followed by the start of
            // the next function. The two tested bytes are 0x2c apart:
            // [ebp-0x35c]+0 & 0x10 and [ebp-0x35c]+0x2c == '.' is consistent with
            // a WIN32_FIND_DATAA at ebp-0x35c (dwFileAttributes at +0,
            // FILE_ATTRIBUTE_DIRECTORY = 0x10; cFileName at +0x2c), i.e. a
            // FindFirstFile/FindNextFile loop skipping "." / ".." entries -
            // confirm in a disassembler, the API calls are outside the pattern.

        $sequence_2 = { 8d95d4fcffff 52 ffd3 8b8d88fbffff }
            // n = 4, score = 800
            //   8d95d4fcffff         | lea                 edx, [ebp - 0x32c]
            //   52                   | push                edx
            //   ffd3                 | call                ebx
            //   8b8d88fbffff         | mov                 ecx, dword ptr [ebp - 0x478]
            // note: call through a register (ebx) - indirect call to an
            // address resolved earlier; the target is not visible here.

        $sequence_3 = { 6a08 68ffff0000 50 c645a301 ff15???????? 85c0 753a }
            // n = 7, score = 800
            //   6a08                 | push                8
            //   68ffff0000           | push                0xffff
            //   50                   | push                eax
            //   c645a301             | mov                 byte ptr [ebp - 0x5d], 1
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   753a                 | jne                 0x3c
            // note: three-argument import call (args 8, 0xffff, eax) with a
            // local flag set to 1 beforehand and the result tested for zero;
            // the imported function is masked.

        $sequence_4 = { 52 8b55bc 8d45c0 50 8d4db4 }
            // n = 5, score = 800
            //   52                   | push                edx
            //   8b55bc               | mov                 edx, dword ptr [ebp - 0x44]
            //   8d45c0               | lea                 eax, [ebp - 0x40]
            //   50                   | push                eax
            //   8d4db4               | lea                 ecx, [ebp - 0x4c]
            // note: argument set-up only (stack locals passed by pointer); the
            // call itself is outside the pattern.

        $sequence_5 = { 7512 8b4de0 8b55e4 898f64010000 899768010000 5e }
            // n = 6, score = 800
            //   7512                 | jne                 0x14
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]
            //   8b55e4               | mov                 edx, dword ptr [ebp - 0x1c]
            //   898f64010000         | mov                 dword ptr [edi + 0x164], ecx
            //   899768010000         | mov                 dword ptr [edi + 0x168], edx
            //   5e                   | pop                 esi
            // note: copies two adjacent dwords from locals into an object at
            // edi+0x164 / edi+0x168 (an 8-byte field pair at a fixed object
            // offset). What the object is cannot be determined from the rule.

        $sequence_6 = { 85c0 7526 8b35???????? 68???????? 8d85ecfeffff 50 ffd6 }
            // n = 7, score = 800
            //   85c0                 | test                eax, eax
            //   7526                 | jne                 0x28
            //   8b35????????         |                     
            //   68????????           |                     
            //   8d85ecfeffff         | lea                 eax, [ebp - 0x114]
            //   50                   | push                eax
            //   ffd6                 | call                esi
            // note: loads an import/global into esi (masked), pushes a masked
            // constant and a 0x114-byte stack buffer, then calls esi. Size and
            // shape match a path/string buffer, but the callee is masked.

        $sequence_7 = { 52 ffd6 85c0 752f }
            // n = 4, score = 800
            //   52                   | push                edx
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   752f                 | jne                 0x31
            // note: only 7 bytes and a generic push/call/test idiom - expect
            // this one to match in unrelated x86 code; it contributes to the
            // 7-of-N count, nothing more.

        $sequence_8 = { 48f7d1 488d79ff 488d8c2460020000 e8???????? 488d15674e0300 488d8c2462020000 }
            // n = 6, score = 600  (x86-64; re-decoded in 64-bit mode)
            //   48f7d1               | not                 rcx
            //   488d79ff             | lea                 rdi, [rcx - 1]
            //   488d8c2460020000     | lea                 rcx, [rsp + 0x260]
            //   e8????????           |                     
            //   488d15674e0300       | lea                 rdx, [rip + 0x34e67]
            //   488d8c2462020000     | lea                 rcx, [rsp + 0x262]
            // note: "not rcx; lea rdi, [rcx - 1]" is the tail of the classic
            // inline strlen (repne scasb leaves rcx = -(len+2)), the scasb
            // itself precedes the pattern. The rip-relative lea loads the
            // address of a data item 0x34e67 bytes ahead; as an absolute
            // displacement it is build-specific and will break on a recompile.

        $sequence_9 = { 488bb424d0020000 488bbc24a0020000 488bac24c8020000 488b8c2490020000 4833cc }
            // n = 5, score = 600  (x86-64; re-decoded in 64-bit mode)
            //   488bb424d0020000     | mov                 rsi, qword ptr [rsp + 0x2d0]
            //   488bbc24a0020000     | mov                 rdi, qword ptr [rsp + 0x2a0]
            //   488bac24c8020000     | mov                 rbp, qword ptr [rsp + 0x2c8]
            //   488b8c2490020000     | mov                 rcx, qword ptr [rsp + 0x290]
            //   4833cc               | xor                 rcx, rsp
            // note: restore of callee-saved registers and the "xor rcx, rsp"
            // stack-cookie recompute of an MSVC /GS epilogue; the following
            // __security_check_cookie call is outside the pattern. Compiler
            // boilerplate - only the frame offsets are sample-specific.

        $sequence_10 = { ff15???????? 4c8d5c2458 488d942400020000 41b919010200 4533c0 48c7c100000080 4c895c2420 }
            // n = 7, score = 600  (x86-64; re-decoded in 64-bit mode)
            //   ff15????????         |                     
            //   4c8d5c2458           | lea                 r11, [rsp + 0x58]
            //   488d942400020000     | lea                 rdx, [rsp + 0x200]
            //   41b919010200         | mov                 r9d, 0x20119
            //   4533c0               | xor                 r8d, r8d
            //   48c7c100000080       | mov                 rcx, 0xffffffff80000000
            //   4c895c2420           | mov                 qword ptr [rsp + 0x20], r11
            // note: x64 argument set-up for a call that follows the pattern.
            // The imm32 0x80000000 is sign-extended by "mov r64, imm32", giving
            // 0xffffffff80000000 - the 64-bit value of HKEY_CLASSES_ROOT.
            // r9d = 0x20119 = KEY_READ (0x20019) | KEY_WOW64_64KEY (0x100),
            // r8d = 0, rdx = stack buffer, 5th arg = &[rsp+0x58]. This matches
            // RegOpenKeyEx(HKEY_CLASSES_ROOT, <subkey>, 0,
            // KEY_READ | KEY_WOW64_64KEY, &hKey); the callee itself is masked,
            // so confirm in a disassembler.

        $sequence_11 = { 48c7442420feffffff 488b05???????? 4833c4 48898424e0010000 488d4c2460 }
            // n = 5, score = 600  (x86-64; re-decoded in 64-bit mode)
            //   48c7442420feffffff   | mov                 qword ptr [rsp + 0x20], 0xfffffffffffffffe
            //   488b05????????       |                     
            //   4833c4               | xor                 rax, rsp
            //   48898424e0010000     | mov                 qword ptr [rsp + 0x1e0], rax
            //   488d4c2460           | lea                 rcx, [rsp + 0x60]
            // note: MSVC x64 prologue: the -2 marker at [rsp+0x20], then the
            // rip-relative load of __security_cookie (masked) xor'd with rsp and
            // stored at the frame cookie slot [rsp+0x1e0]. Compiler boilerplate.

        $sequence_12 = { 488b442420 8178089a020000 0f84c5010000 488b442420 }
            // n = 4, score = 600  (x86-64; re-decoded in 64-bit mode)
            //   488b442420           | mov                 rax, qword ptr [rsp + 0x20]
            //   8178089a020000       | cmp                 dword ptr [rax + 8], 0x29a
            //   0f84c5010000         | je                  0x1cb
            //   488b442420           | mov                 rax, qword ptr [rsp + 0x20]
            // note: compares the dword at +8 of a structure held at [rsp+0x20]
            // against 0x29a (666). The meaning of the constant cannot be
            // determined from the rule; it is a good pivot for manual analysis.

        $sequence_13 = { 488b05???????? 4833c4 48898424a0010000 8b4158 488bf1 bf03000000 }
            // n = 6, score = 600  (x86-64; re-decoded in 64-bit mode)
            //   488b05????????       |                     
            //   4833c4               | xor                 rax, rsp
            //   48898424a0010000     | mov                 qword ptr [rsp + 0x1a0], rax
            //   8b4158               | mov                 eax, dword ptr [rcx + 0x58]
            //   488bf1               | mov                 rsi, rcx
            //   bf03000000           | mov                 edi, 3
            // note: /GS cookie store (see $sequence_11) followed by reading the
            // dword at +0x58 of the object passed in rcx (first argument /
            // this pointer under the x64 ABI) and keeping the pointer in rsi.

        $sequence_14 = { 48894c2420 0f1f4000 807f2c2e 0f848f000000 f60710 4c8d4f2c }
            // n = 6, score = 600  (x86-64; re-decoded in 64-bit mode)
            //   48894c2420           | mov                 qword ptr [rsp + 0x20], rcx
            //   0f1f4000             | nop                 dword ptr [rax]
            //   807f2c2e             | cmp                 byte ptr [rdi + 0x2c], 0x2e
            //   0f848f000000         | je                  0x95
            //   f60710               | test                byte ptr [rdi], 0x10
            //   4c8d4f2c             | lea                 r9, [rdi + 0x2c]
            // note: x64 counterpart of the check in $sequence_1: rdi points at a
            // structure whose byte +0 is tested against 0x10 and whose byte
            // +0x2c is compared with '.', and &[rdi+0x2c] becomes the 4th call
            // argument (r9). Offsets match WIN32_FIND_DATAA (dwFileAttributes
            // at +0, FILE_ATTRIBUTE_DIRECTORY = 0x10; cFileName at +0x2c) - a
            // directory-listing loop - confirm in a disassembler. The 4-byte
            // nop is loop-head alignment inserted by the compiler.

        $sequence_15 = { 4863c2 410fb652fe 420fb68c0800010000 418d0408 }
            // n = 4, score = 600  (x86-64; re-decoded in 64-bit mode)
            //   4863c2               | movsxd              rax, edx
            //   410fb652fe           | movzx               edx, byte ptr [r10 - 2]
            //   420fb68c0800010000   | movzx               ecx, byte ptr [rax + r9 + 0x100]
            //   418d0408             | lea                 eax, [r8 + rcx]
            // note: byte-table lookup (table at r9+0x100 indexed by a
            // sign-extended value) combined with a neighbouring input byte -
            // typical of a hand-rolled encoding or cipher routine; which one
            // cannot be determined from these four instructions.

    condition:
        7 of them and filesize < 548864
}