Custom RAT developed by the BlackTech actor, based on the Gh0st RAT.
rule win_gh0sttimes_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-12-06" version = "1" description = "Detects win.gh0sttimes." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gh0sttimes" malpedia_rule_date = "20231130" malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351" malpedia_version = "20230808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 899df0fdffff 899decfdffff 889df4fdffff 889df5fdffff 889df6fdffff 889df7fdffff 889df8fdffff } // n = 7, score = 800 // 899df0fdffff | mov dword ptr [ebp - 0x210], ebx // 899decfdffff | mov dword ptr [ebp - 0x214], ebx // 889df4fdffff | mov byte ptr [ebp - 0x20c], bl // 889df5fdffff | mov byte ptr [ebp - 0x20b], bl // 889df6fdffff | mov byte ptr [ebp - 0x20a], bl // 889df7fdffff | mov byte ptr [ebp - 0x209], bl // 889df8fdffff | mov byte ptr [ebp - 0x208], bl $sequence_1 = { 52 50 8985dcfdffff e8???????? } // n = 4, score = 800 // 52 | push edx // 50 | push eax // 8985dcfdffff | mov dword ptr [ebp - 0x224], eax // e8???????? | $sequence_2 = { 50 ff15???????? 85c0 750f 5b } // n = 5, score = 800 // 50 | push eax // ff15???????? | // 85c0 | test eax, eax // 750f | jne 0x11 // 5b | pop ebx $sequence_3 = { 33c5 8945fc 8b4508 53 33db 8d8de0fdffff 51 } // n = 7, score = 800 // 33c5 | xor eax, ebp // 8945fc | mov dword ptr [ebp - 4], eax // 8b4508 | mov eax, dword ptr [ebp + 8] // 53 | push ebx // 33db | xor ebx, ebx // 8d8de0fdffff | lea ecx, [ebp - 0x220] // 51 | push ecx $sequence_4 = { 0f852c010000 b8???????? 8d5001 8d642400 } // n = 4, score = 800 // 0f852c010000 | jne 0x132 // b8???????? | // 8d5001 | lea edx, [eax + 1] // 8d642400 | lea esp, [esp] $sequence_5 = { 8b0e 51 ff15???????? 43 } // n = 4, score = 800 // 8b0e | mov ecx, dword ptr [esi] // 51 | push ecx // ff15???????? | // 43 | inc ebx $sequence_6 = { 6a09 8d4df0 c645f070 8945f5 e8???????? 8b4dfc 5f } // n = 7, score = 800 // 6a09 | push 9 // 8d4df0 | lea ecx, [ebp - 0x10] // c645f070 | mov byte ptr [ebp - 0x10], 0x70 // 8945f5 | mov dword ptr [ebp - 0xb], eax // e8???????? | // 8b4dfc | mov ecx, dword ptr [ebp - 4] // 5f | pop edi $sequence_7 = { 0f8638010000 83c708 8b57fc 8b85ecfdffff 52 } // n = 5, score = 800 // 0f8638010000 | jbe 0x13e // 83c708 | add edi, 8 // 8b57fc | mov edx, dword ptr [edi - 4] // 8b85ecfdffff | mov eax, dword ptr [ebp - 0x214] // 52 | push edx $sequence_8 = { 488b4c2438 488d442430 488d150c710200 4889442428 } // n = 4, score = 600 // 488b4c2438 | not eax // 488d442430 | xor eax, dword ptr [ecx + 8] // 488d150c710200 | inc ecx // 4889442428 | and eax, esp $sequence_9 = { 488b4c2438 488d442434 4c8d4c2430 4889442428 488d442440 488d1520790200 } // n = 6, score = 600 // 488b4c2438 | dec eax // 488d442434 | lea edx, [0x2710c] // 4c8d4c2430 | dec eax // 4889442428 | mov dword ptr [esp + 0x28], eax // 488d442440 | dec eax // 488d1520790200 | mov ecx, dword ptr [esp + 0x38] $sequence_10 = { 488b8f40010000 ff15???????? 488b8f40010000 ff15???????? 48c78740010000ffffffff } // n = 5, score = 600 // 488b8f40010000 | dec eax // ff15???????? | // 488b8f40010000 | mov ecx, dword ptr [edi + 0x140] // ff15???????? | // 48c78740010000ffffffff | dec eax $sequence_11 = { 488b4c2430 488b4968 e8???????? 4c8b5c2430 } // n = 4, score = 600 // 488b4c2430 | mov eax, dword ptr [esp + 0x30] // 488b4968 | mov eax, dword ptr [eax + 0x74] // e8???????? | // 4c8b5c2430 | dec eax $sequence_12 = { 488b4c2430 83490c08 a808 7409 488b442430 83480c04 } // n = 6, score = 600 // 488b4c2430 | arpl word ptr [ebx + 0xac], cx // 83490c08 | dec eax // a808 | imul ecx, ecx, 0x10 // 7409 | dec eax // 488b442430 | mov ecx, dword ptr [esp + 0x30] // 83480c04 | dec eax $sequence_13 = { 488b4c2430 48c1e80c f7d0 334108 } // n = 4, score = 600 // 488b4c2430 | dec eax // 48c1e80c | mov ecx, dword ptr [esp + 0x30] // f7d0 | dec eax // 334108 | mov ecx, dword ptr [ecx + 0x68] $sequence_14 = { 488b4c2438 488d442430 488d15da700200 4889442428 } // n = 4, score = 600 // 488b4c2438 | dec eax // 488d442430 | mov ecx, dword ptr [esp + 0x30] // 488d15da700200 | or dword ptr [ecx + 0xc], 8 // 4889442428 | test al, 8 $sequence_15 = { 488b4c2430 488b4968 33c0 66890451 488b442430 } // n = 5, score = 600 // 488b4c2430 | mov ecx, dword ptr [edi + 0x140] // 488b4968 | dec eax // 33c0 | mov dword ptr [edi + 0x140], 0xffffffff // 66890451 | dec eax // 488b442430 | mov ecx, dword ptr [esp + 0x30] condition: 7 of them and filesize < 548864 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY