SYMBOLCOMMON_NAMEaka. SYNONYMS
win.gh0sttimes (Back to overview)

Gh0stTimes

Custom RAT developed by the BlackTech actor, based on the Gh0st RAT.

References
2023-04-13Intel 471Souhail Hammou, Jorge Rodriguez
@online{hammou:20230413:from:ec710d3, author = {Souhail Hammou and Jorge Rodriguez}, title = {{From GhostNet to PseudoManuscrypt - The evolution of Gh0st RAT}}, date = {2023-04-13}, organization = {Intel 471}, url = {https://www.youtube.com/watch?v=uakw2HMGZ-I}, language = {English}, urldate = {2023-06-23} } From GhostNet to PseudoManuscrypt - The evolution of Gh0st RAT
BBSRAT Gh0stTimes Ghost RAT PseudoManuscrypt
2022-09-29NTTNTT Security Holdings Corporation
@techreport{corporation:20220929:report:1615dab, author = {NTT Security Holdings Corporation}, title = {{Report on APT Attacks by BlackTech}}, date = {2022-09-29}, institution = {NTT}, url = {https://jp.security.ntt/resources/EN-BlackTech_2021.pdf}, language = {English}, urldate = {2022-09-30} } Report on APT Attacks by BlackTech
Bifrost PLEAD TSCookie Flagpro Gh0stTimes SelfMake Loader SPIDERPIG RAT
2021-10-04JPCERT/CCShusei Tomonaga
@online{tomonaga:20211004:malware:5ba808a, author = {Shusei Tomonaga}, title = {{Malware Gh0stTimes Used by BlackTech}}, date = {2021-10-04}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html}, language = {English}, urldate = {2021-10-11} } Malware Gh0stTimes Used by BlackTech
Gh0stTimes Ghost RAT
Yara Rules
[TLP:WHITE] win_gh0sttimes_auto (20230715 | Detects win.gh0sttimes.)
rule win_gh0sttimes_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.gh0sttimes."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gh0sttimes"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8be5 5d c3 8b3f ebdd 83c30c 56 }
            // n = 7, score = 800
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8b3f                 | mov                 edi, dword ptr [edi]
            //   ebdd                 | jmp                 0xffffffdf
            //   83c30c               | add                 ebx, 0xc
            //   56                   | push                esi

        $sequence_1 = { 8b4628 8b3d???????? 83c420 6a00 50 ffd7 }
            // n = 6, score = 800
            //   8b4628               | mov                 eax, dword ptr [esi + 0x28]
            //   8b3d????????         |                     
            //   83c420               | add                 esp, 0x20
            //   6a00                 | push                0
            //   50                   | push                eax
            //   ffd7                 | call                edi

        $sequence_2 = { ffd3 8b3d???????? 8d868c000000 50 ffd7 }
            // n = 5, score = 800
            //   ffd3                 | call                ebx
            //   8b3d????????         |                     
            //   8d868c000000         | lea                 eax, [esi + 0x8c]
            //   50                   | push                eax
            //   ffd7                 | call                edi

        $sequence_3 = { c7833c01000000000000 e8???????? 8d8db8feffff 51 }
            // n = 4, score = 800
            //   c7833c01000000000000     | mov    dword ptr [ebx + 0x13c], 0
            //   e8????????           |                     
            //   8d8db8feffff         | lea                 ecx, [ebp - 0x148]
            //   51                   | push                ecx

        $sequence_4 = { 8985dcfdffff 899df0fdffff 899decfdffff 889df4fdffff }
            // n = 4, score = 800
            //   8985dcfdffff         | mov                 dword ptr [ebp - 0x224], eax
            //   899df0fdffff         | mov                 dword ptr [ebp - 0x210], ebx
            //   899decfdffff         | mov                 dword ptr [ebp - 0x214], ebx
            //   889df4fdffff         | mov                 byte ptr [ebp - 0x20c], bl

        $sequence_5 = { 8b4f0c 8b11 8b02 8b96ac000000 6a10 }
            // n = 5, score = 800
            //   8b4f0c               | mov                 ecx, dword ptr [edi + 0xc]
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   8b02                 | mov                 eax, dword ptr [edx]
            //   8b96ac000000         | mov                 edx, dword ptr [esi + 0xac]
            //   6a10                 | push                0x10

        $sequence_6 = { 89480c b904000000 0fb650f0 3210 83c004 80f2dd }
            // n = 6, score = 800
            //   89480c               | mov                 dword ptr [eax + 0xc], ecx
            //   b904000000           | mov                 ecx, 4
            //   0fb650f0             | movzx               edx, byte ptr [eax - 0x10]
            //   3210                 | xor                 dl, byte ptr [eax]
            //   83c004               | add                 eax, 4
            //   80f2dd               | xor                 dl, 0xdd

        $sequence_7 = { 488b4c2430 488b03 48c1e80a c1e002 }
            // n = 4, score = 600
            //   488b4c2430           | dec                 eax
            //   488b03               | mov                 ecx, dword ptr [esp + 0x30]
            //   48c1e80a             | dec                 eax
            //   c1e002               | mov                 eax, dword ptr [ebx]

        $sequence_8 = { 488b4c2430 488b4968 e8???????? 4c8b5c2430 }
            // n = 4, score = 600
            //   488b4c2430           | not                 eax
            //   488b4968             | xor                 eax, dword ptr [ecx + 8]
            //   e8????????           |                     
            //   4c8b5c2430           | dec                 eax

        $sequence_9 = { 488b4c2430 83490c08 a808 7409 488b442430 83480c04 }
            // n = 6, score = 600
            //   488b4c2430           | mov                 eax, dword ptr [esp + 0x30]
            //   83490c08             | mov                 eax, dword ptr [eax + 0x74]
            //   a808                 | dec                 eax
            //   7409                 | mov                 ecx, dword ptr [esp + 0x30]
            //   488b442430           | dec                 eax
            //   83480c04             | mov                 ecx, dword ptr [ecx + 0x68]

        $sequence_10 = { 488b4c2430 488b4968 33c0 66890451 }
            // n = 4, score = 600
            //   488b4c2430           | dec                 eax
            //   488b4968             | mov                 ecx, dword ptr [esp + 0x30]
            //   33c0                 | dec                 eax
            //   66890451             | mov                 eax, dword ptr [ebx]

        $sequence_11 = { 488b4c2430 48c1e80c f7d0 334108 }
            // n = 4, score = 600
            //   488b4c2430           | dec                 eax
            //   48c1e80c             | mov                 ecx, dword ptr [esp + 0x30]
            //   f7d0                 | dec                 eax
            //   334108               | mov                 ecx, dword ptr [ecx + 0x68]

        $sequence_12 = { 488b4c2430 488b03 48c1e809 c1e003 f7d0 334108 }
            // n = 6, score = 600
            //   488b4c2430           | inc                 ebp
            //   488b03               | lea                 eax, [ebx + 0x7f]
            //   48c1e809             | xor                 ebx, ebx
            //   c1e003               | mov                 edx, 0xffff
            //   f7d0                 | dec                 eax
            //   334108               | mov                 ecx, dword ptr [esp + 0x30]

        $sequence_13 = { 488b8f38010000 41bb01000000 4c8d4c2440 458d437f 33db baffff0000 }
            // n = 6, score = 600
            //   488b8f38010000       | dec                 eax
            //   41bb01000000         | mov                 ecx, dword ptr [edi + 0x138]
            //   4c8d4c2440           | inc                 ecx
            //   458d437f             | mov                 ebx, 1
            //   33db                 | dec                 esp
            //   baffff0000           | lea                 ecx, [esp + 0x40]

        $sequence_14 = { 488b4c2430 488b03 48c1e80b 03c0 }
            // n = 4, score = 600
            //   488b4c2430           | shr                 eax, 0xa
            //   488b03               | shl                 eax, 2
            //   48c1e80b             | not                 eax
            //   03c0                 | dec                 eax

    condition:
        7 of them and filesize < 548864
}
Download all Yara Rules