win.ghost_rat

Ghost RAT

aka: Farfli, Gh0st RAT, PCRat

Actor(s): Emissary Panda, Hurricane Panda, Lazarus Group, Leviathan, Stone Panda


There is no description at this point.

References
2020-07-28NTTNTT Security
@online{security:20200728:craftypanda:7643b28, author = {NTT Security}, title = {{CraftyPanda 標的型攻撃解析レポート}}, date = {2020-07-28}, organization = {NTT}, url = {https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report}, language = {Japanese}, urldate = {2020-07-30} } CraftyPanda 標的型攻撃解析レポート
Ghost RAT PlugX
2020-07-20Risky.bizDaniel Gordon
@online{gordon:20200720:what:b88e81f, author = {Daniel Gordon}, title = {{What even is Winnti?}}, date = {2020-07-20}, organization = {Risky.biz}, url = {https://risky.biz/whatiswinnti/}, language = {English}, urldate = {2020-08-18} } What even is Winnti?
CCleaner Backdoor Ghost RAT PlugX ZXShell
2020-06-14BushidoTokenBushidoToken
@online{bushidotoken:20200614:deepdive:3a375ca, author = {BushidoToken}, title = {{Deep-dive: The DarkHotel APT}}, date = {2020-06-14}, organization = {BushidoToken}, url = {https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html}, language = {English}, urldate = {2020-06-16} } Deep-dive: The DarkHotel APT
Asruex Ghost RAT Ramsay Retro Unidentified 076 (Higaisa LNK to Shellcode)
2020-06-05PrevailionDanny Adamitis
@online{adamitis:20200605:gh0st:849c227, author = {Danny Adamitis}, title = {{The Gh0st Remains the Same}}, date = {2020-06-05}, organization = {Prevailion}, url = {https://blog.prevailion.com/2020/06/the-gh0st-remains-same8.html}, language = {English}, urldate = {2020-06-08} } The Gh0st Remains the Same
Ghost RAT
2020-06-04PTSecurityPT ESC Threat Intelligence
@online{intelligence:20200604:covid19:45fa7ba, author = {PT ESC Threat Intelligence}, title = {{COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group}}, date = {2020-06-04}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/}, language = {English}, urldate = {2020-06-05} } COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group
Ghost RAT
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:dcdc02a, author = {SecureWorks}, title = {{BRONZE FLEETWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-fleetwood}, language = {English}, urldate = {2020-05-23} } BRONZE FLEETWOOD
Binanen Ghost RAT OrcaRAT APT5
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:dc58892, author = {SecureWorks}, title = {{BRONZE GLOBE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-globe}, language = {English}, urldate = {2020-05-23} } BRONZE GLOBE
EtumBot Ghost RAT IXESHE
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:4db27ec, author = {SecureWorks}, title = {{BRONZE UNION}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-union}, language = {English}, urldate = {2020-05-23} } BRONZE UNION
9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell LuckyMouse
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:41a0bc0, author = {SecureWorks}, title = {{BRONZE EDISON}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-edison}, language = {English}, urldate = {2020-05-23} } BRONZE EDISON
Ghost RAT sykipot Maverick Panda Samurai Panda
2019-12-12MicrosoftMicrosoft Threat Intelligence Center
@online{center:20191212:gallium:79f6460, author = {Microsoft Threat Intelligence Center}, title = {{GALLIUM: Targeting global telecom}}, date = {2019-12-12}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/}, language = {English}, urldate = {2020-01-07} } GALLIUM: Targeting global telecom
Ghost RAT HTran GALLIUM
2019-11-04TencentTencent Security Mikan TIC
@online{tic:20191104:attack:33a29db, author = {Tencent Security Mikan TIC}, title = {{APT attack group "Higaisa" attack activity disclosed}}, date = {2019-11-04}, organization = {Tencent}, url = {https://s.tencent.com/research/report/836.html}, language = {Chinese}, urldate = {2020-05-13} } APT attack group "Higaisa" attack activity disclosed
Ghost RAT Higaisa
2019-09-17TalosChristopher Evans, David Liebenberg
@online{evans:20190917:cryptocurrency:8f3a9e9, author = {Christopher Evans and David Liebenberg}, title = {{Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda”}}, date = {2019-09-17}, organization = {Talos}, url = {https://blog.talosintelligence.com/2019/09/panda-evolution.html}, language = {English}, urldate = {2019-10-31} } Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda”
Ghost RAT
2019-02-27SecureworksCTU Research Team
@online{team:20190227:peek:16c9160, author = {CTU Research Team}, title = {{A Peek into BRONZE UNION’s Toolbox}}, date = {2019-02-27}, organization = {Secureworks}, url = {https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox}, language = {English}, urldate = {2020-01-07} } A Peek into BRONZE UNION’s Toolbox
Ghost RAT HyperBro ZXShell
2019-01-07IntezerIgnacio Sanmillan
@online{sanmillan:20190107:chinaz:50bb5f4, author = {Ignacio Sanmillan}, title = {{ChinaZ Revelations: Revealing ChinaZ Relationships with other Chinese Threat Actor Groups}}, date = {2019-01-07}, organization = {Intezer}, url = {https://www.intezer.com/blog-chinaz-relations/}, language = {English}, urldate = {2019-11-27} } ChinaZ Revelations: Revealing ChinaZ Relationships with other Chinese Threat Actor Groups
Ghost RAT
2018-09-19Möbius Strip Reverse EngineeringRolf Rolles
@online{rolles:20180919:hexrays:1afcc0c, author = {Rolf Rolles}, title = {{Hex-Rays Microcode API vs. Obfuscating Compiler}}, date = {2018-09-19}, organization = {Möbius Strip Reverse Engineering}, url = {http://www.hexblog.com/?p=1248}, language = {English}, urldate = {2019-10-28} } Hex-Rays Microcode API vs. Obfuscating Compiler
Ghost RAT
2018-04-17NCC GroupNikolaos Pantazopoulos
@online{pantazopoulos:20180417:decoding:7d5f713, author = {Nikolaos Pantazopoulos}, title = {{Decoding network data from a Gh0st RAT variant}}, date = {2018-04-17}, organization = {NCC Group}, url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/}, language = {English}, urldate = {2019-11-27} } Decoding network data from a Gh0st RAT variant
Ghost RAT LuckyMouse
2018-02-01BitdefenderBitdefender Team
@online{team:20180201:operation:e76f179, author = {Bitdefender Team}, title = {{Operation PZCHAO: Inside a highly specialized espionage infrastructure}}, date = {2018-02-01}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/}, language = {English}, urldate = {2020-05-18} } Operation PZCHAO: Inside a highly specialized espionage infrastructure
Ghost RAT Emissary Panda
2018-01-04Malware Traffic AnalysisBrad Duncan
@online{duncan:20180104:malspam:ce2dfac, author = {Brad Duncan}, title = {{MALSPAM PUSHING PCRAT/GH0ST}}, date = {2018-01-04}, organization = {Malware Traffic Analysis}, url = {http://www.malware-traffic-analysis.net/2018/01/04/index.html}, language = {English}, urldate = {2019-12-24} } MALSPAM PUSHING PCRAT/GH0ST
Ghost RAT
2017-12-19ProofpointDarien Huss
@online{huss:20171219:north:e5ef6da, author = {Darien Huss}, title = {{North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group}}, date = {2017-12-19}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new}, language = {English}, urldate = {2019-12-20} } North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group
Ghost RAT
2017-12-19ProofpointDarien Huss
@techreport{huss:20171219:north:b2da03e, author = {Darien Huss}, title = {{North Korea Bitten by Bitcoin Bug}}, date = {2017-12-19}, institution = {Proofpoint}, url = {https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf}, language = {English}, urldate = {2019-10-18} } North Korea Bitten by Bitcoin Bug
QUICKCAFE PowerSpritz Ghost RAT PowerRatankba
2017-02-25Financial Security InstituteKyoung-Ju Kwak (郭炅周)
@techreport{:20170225:silent:5a11e12, author = {Kyoung-Ju Kwak (郭炅周)}, title = {{Silent RIFLE: Response Against Advanced Threat}}, date = {2017-02-25}, institution = {Financial Security Institute}, url = {https://hackcon.org/uploads/327/05%20-%20Kwak.pdf}, language = {English}, urldate = {2020-03-04} } Silent RIFLE: Response Against Advanced Threat
Ghost RAT
2016-04-22CylanceIsaac Palmer
@online{palmer:20160422:ghost:dda6514, author = {Isaac Palmer}, title = {{The Ghost Dragon}}, date = {2016-04-22}, organization = {Cylance}, url = {https://blog.cylance.com/the-ghost-dragon}, language = {English}, urldate = {2020-01-08} } The Ghost Dragon
Ghost RAT
2012Norman ASASnorre Fagerland
@techreport{fagerland:2012:many:c938856, author = {Snorre Fagerland}, title = {{The many faces of Gh0st Rat}}, date = {2012}, institution = {Norman ASA}, url = {http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf}, language = {English}, urldate = {2019-12-20} } The many faces of Gh0st Rat
Ghost RAT
2011-06-29SymantecJohn McDonald
@online{mcdonald:20110629:inside:b955948, author = {John McDonald}, title = {{Inside a Back Door Attack}}, date = {2011-06-29}, organization = {Symantec}, url = {https://web.archive.org/web/20140816135909/https://www.symantec.com/connect/blogs/inside-back-door-attack}, language = {English}, urldate = {2020-04-21} } Inside a Back Door Attack
Ghost RAT Dust Storm
2009-03-28Information Warfare MonitorInformation Warfare Monitor
@techreport{monitor:20090328:tracking:dffad13, author = {Information Warfare Monitor}, title = {{Tracking GhostNet: Investigating a Cyber Espionage Network}}, date = {2009-03-28}, institution = {Information Warfare Monitor}, url = {http://www.nartv.org/mirror/ghostnet.pdf}, language = {English}, urldate = {2020-04-23} } Tracking GhostNet: Investigating a Cyber Espionage Network
Ghost RAT GhostNet
Yara Rules
[TLP:WHITE] win_ghost_rat_auto (20201014 | autogenerated rule brought to you by yara-signator)
// Ghost RAT (Malpedia family win.ghost_rat) code-sequence rule generated by YARA-Signator.
// Each $sequence_N is a short run of x86 instruction bytes taken from the disassembly of
// unpacked samples / memory dumps. The `??` wildcards stand in for the 4-byte operands of
// call / jmp / absolute-memory instructions (e8, e9, ff15, a1, c705, 8b35, dc0d), so a match
// does not depend on link or load addresses; those instructions are left blank in the
// per-string disassembly comments below.
// In the per-string comments, "n" is the number of instructions in the sequence; "score"
// presumably reflects how many of the analysed samples contained the sequence (higher =
// more widely shared, 100 = seen in the fewest) -- confirm against the yara-signator
// documentation before using it as a confidence weight.
rule win_ghost_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Null-check of a field at [eax+0xc], then a masked global load and a call
        // with ecx = esi (thiscall-style receiver).
        $sequence_0 = { 8b400c 85c0 7505 a1???????? 50 8bce }
            // n = 6, score = 400
            //   8b400c               | mov                 eax, dword ptr [eax + 0xc]
            //   85c0                 | test                eax, eax
            //   7505                 | jne                 7
            //   a1????????           |                     
            //   50                   | push                eax
            //   8bce                 | mov                 ecx, esi

        $sequence_1 = { 57 8bd9 e8???????? 8b4d08 3bc8 }
            // n = 5, score = 400
            //   57                   | push                edi
            //   8bd9                 | mov                 ebx, ecx
            //   e8????????           |                     
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   3bc8                 | cmp                 ecx, eax

        // After a `ret 4` epilogue, the next function stores ecx as the low dword and 0 as
        // the high dword of [ebp-0xc] and fild-loads the qword: the compiler idiom for
        // converting an unsigned 32-bit value to floating point.
        $sequence_2 = { 5d c20400 894df4 c745f800000000 df6df4 }
            // n = 5, score = 400
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   c745f800000000       | mov                 dword ptr [ebp - 8], 0
            //   df6df4               | fild                qword ptr [ebp - 0xc]

        // Continuation of the conversion above: the loaded value is multiplied by a constant
        // at an absolute address (dc0d = fmul qword ptr [disp32], masked) and stored to
        // [esp] as an 8-byte (double) call argument.
        $sequence_3 = { df6df4 83ec08 dc0d???????? dd1c24 }
            // n = 4, score = 400
            //   df6df4               | fild                qword ptr [ebp - 0xc]
            //   83ec08               | sub                 esp, 8
            //   dc0d????????         |                     
            //   dd1c24               | fstp                qword ptr [esp]

        $sequence_4 = { 6a01 56 ff15???????? 5e c20800 }
            // n = 5, score = 400
            //   6a01                 | push                1
            //   56                   | push                esi
            //   ff15????????         |                     
            //   5e                   | pop                 esi
            //   c20800               | ret                 8

        $sequence_5 = { 8b06 6aff 50 ff15???????? 8b0e 51 }
            // n = 6, score = 400
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   6aff                 | push                -1
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   51                   | push                ecx

        $sequence_6 = { 5b 83c410 c20800 6a05 }
            // n = 4, score = 300
            //   5b                   | pop                 ebx
            //   83c410               | add                 esp, 0x10
            //   c20800               | ret                 8
            //   6a05                 | push                5

        $sequence_7 = { 52 8bcb e8???????? 8bcb e8???????? 84c0 }
            // n = 6, score = 300
            //   52                   | push                edx
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   84c0                 | test                al, al

        // Stores a call result into a dword table at esi+0x314, indexed by a counter kept
        // at esi+0x9f54 -- i.e. a large object with an array and its fill index.
        $sequence_8 = { 6a00 6a00 e8???????? 8b96549f0000 83c41c 89849614030000 8b86549f0000 }
            // n = 7, score = 300
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   e8????????           |                     
            //   8b96549f0000         | mov                 edx, dword ptr [esi + 0x9f54]
            //   83c41c               | add                 esp, 0x1c
            //   89849614030000       | mov                 dword ptr [esi + edx*4 + 0x314], eax
            //   8b86549f0000         | mov                 eax, dword ptr [esi + 0x9f54]

        $sequence_9 = { 46 750b 5f 5e 33c0 5b }
            // n = 6, score = 300
            //   46                   | inc                 esi
            //   750b                 | jne                 0xd
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   33c0                 | xor                 eax, eax
            //   5b                   | pop                 ebx

        $sequence_10 = { 49 7509 5f 5e 5b 83c454 c20400 }
            // n = 7, score = 300
            //   49                   | dec                 ecx
            //   7509                 | jne                 0xb
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   83c454               | add                 esp, 0x54
            //   c20400               | ret                 4

        // Writes the constant 0x120 to a global at a masked absolute address (c705 = mov
        // dword ptr [disp32], imm32) around a cdecl call whose 0x34 bytes of arguments are
        // popped afterwards.
        $sequence_11 = { 6a00 c705????????20010000 e8???????? 8b35???????? 83c434 }
            // n = 5, score = 300
            //   6a00                 | push                0
            //   c705????????20010000     |     
            //   e8????????           |                     
            //   8b35????????         |                     
            //   83c434               | add                 esp, 0x34

        // Error path: sets eax to -1 and jumps to a common exit.
        $sequence_12 = { e8???????? 59 83c8ff e9???????? 8b45fc }
            // n = 5, score = 200
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   83c8ff               | or                  eax, 0xffffffff
            //   e9????????           |                     
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

        // Result of one masked call, plus one, is passed straight to a second masked call
        // (the length+1 pattern commonly seen around string-length / allocation calls --
        // the callees are not visible here).
        $sequence_13 = { ff7508 ff15???????? 40 50 ff15???????? 59 }
            // n = 6, score = 200
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff15????????         |                     
            //   40                   | inc                 eax
            //   50                   | push                eax
            //   ff15????????         |                     
            //   59                   | pop                 ecx

        // Pushes 0x2001f as an argument (equals KEY_READ|KEY_WRITE when used as a registry
        // access mask) together with a pointer to a local at [ebp-0x24]; the callee lies
        // outside the sequence -- confirm in the sample.
        $sequence_14 = { e9???????? 8d45dc 50 681f000200 }
            // n = 4, score = 200
            //   e9????????           |                     
            //   8d45dc               | lea                 eax, [ebp - 0x24]
            //   50                   | push                eax
            //   681f000200           | push                0x2001f

        // Loop over a linked structure ([esi+8], [esi+0x20], [esi] = next) comparing the
        // first two UTF-16LE code units at edi against "ke" (0x65006b) or "KE" (0x45004b).
        // Looks like a case-tolerant module-name check of the kind used when walking
        // loader lists -- confirm.
        $sequence_15 = { 8b4608 8b7e20 8b36 813f6b006500 7406 813f4b004500 75e8 }
            // n = 7, score = 200
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   8b7e20               | mov                 edi, dword ptr [esi + 0x20]
            //   8b36                 | mov                 esi, dword ptr [esi]
            //   813f6b006500         | cmp                 dword ptr [edi], 0x65006b
            //   7406                 | je                  8
            //   813f4b004500         | cmp                 dword ptr [edi], 0x45004b
            //   75e8                 | jne                 0xffffffea

        // 0x80000000 pushed as the last argument of a masked call, with a zero result
        // turning into a `false` return (al = 0). The conventional reading of that constant
        // (GENERIC_READ) is an assumption; the callee is not in the sequence -- verify.
        $sequence_16 = { 50 6800000080 ff15???????? 85c0 7407 32c0 e9???????? }
            // n = 7, score = 200
            //   50                   | push                eax
            //   6800000080           | push                0x80000000
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7407                 | je                  9
            //   32c0                 | xor                 al, al
            //   e9????????           |                     

        // Fills a local buffer starting at [ebp-0x17b] (rep stosd, then stosw, stosb for the
        // tail) -- the usual compiler pattern for initialising a local array; the fill value
        // in eax and the count in ecx are set before the sequence.
        $sequence_17 = { 8dbd85feffff f3ab 66ab aa }
            // n = 4, score = 200
            //   8dbd85feffff         | lea                 edi, [ebp - 0x17b]
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   66ab                 | stosw               word ptr es:[edi], ax
            //   aa                   | stosb               byte ptr es:[edi], al

        // A zero call result sets a flag at [ebp-0x1c]; `or [ebp-4], -1` is the pattern
        // typically emitted for resetting a frame-local state variable at scope exit
        // (often the exception-handler try level) -- hedge, not verified here.
        $sequence_18 = { ff15???????? 85c0 7507 c745e401000000 834dfcff }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7507                 | jne                 9
            //   c745e401000000       | mov                 dword ptr [ebp - 0x1c], 1
            //   834dfcff             | or                  dword ptr [ebp - 4], 0xffffffff

        // Stack-string construction: the string is written four bytes at a time while ecx is
        // advanced by 4 (`sub ecx, -4`). Little-endian 0x7262694c = "Libr", 0x41797261 = "aryA",
        // i.e. the tail "LibraryA" -- presumably an API name such as LoadLibraryA, but the
        // preceding dwords are not part of the sequence; confirm.
        $sequence_19 = { 83e9fc c7014c696272 83e9fc c70161727941 83e9fc }
            // n = 5, score = 200
            //   83e9fc               | sub                 ecx, -4
            //   c7014c696272         | mov                 dword ptr [ecx], 0x7262694c
            //   83e9fc               | sub                 ecx, -4
            //   c70161727941         | mov                 dword ptr [ecx], 0x41797261
            //   83e9fc               | sub                 ecx, -4

        // Sequences 20-25 carry the lowest score and are the most sample-specific; unoptimised
        // code (every value round-trips through a stack slot), so they are unlikely to match
        // builds compiled with optimisation.
        $sequence_20 = { 8b4ddc 81c1f8000000 894dd8 8b55e4 8b4220 8945fc c745f800000000 }
            // n = 7, score = 100
            //   8b4ddc               | mov                 ecx, dword ptr [ebp - 0x24]
            //   81c1f8000000         | add                 ecx, 0xf8
            //   894dd8               | mov                 dword ptr [ebp - 0x28], ecx
            //   8b55e4               | mov                 edx, dword ptr [ebp - 0x1c]
            //   8b4220               | mov                 eax, dword ptr [edx + 0x20]
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   c745f800000000       | mov                 dword ptr [ebp - 8], 0

        // Indirect call through a function pointer held in a local ([ebp-0xe4]) with two
        // local-derived arguments.
        $sequence_21 = { 8b4580 50 8b8d60ffffff 51 ff951cffffff }
            // n = 5, score = 100
            //   8b4580               | mov                 eax, dword ptr [ebp - 0x80]
            //   50                   | push                eax
            //   8b8d60ffffff         | mov                 ecx, dword ptr [ebp - 0xa0]
            //   51                   | push                ecx
            //   ff951cffffff         | call                dword ptr [ebp - 0xe4]

        // Compares the dword at the pointer kept in local [ebp-0x90] with the marker
        // 0xddccbbaa. $sequence_25 advances the same local by one in a loop, consistent with
        // a byte-wise scan for that marker; what the marker delimits is not visible here.
        $sequence_22 = { 898570ffffff 8b8570ffffff 8138aabbccdd 7411 8b8d70ffffff }
            // n = 5, score = 100
            //   898570ffffff         | mov                 dword ptr [ebp - 0x90], eax
            //   8b8570ffffff         | mov                 eax, dword ptr [ebp - 0x90]
            //   8138aabbccdd         | cmp                 dword ptr [eax], 0xddccbbaa
            //   7411                 | je                  0x13
            //   8b8d70ffffff         | mov                 ecx, dword ptr [ebp - 0x90]

        // Virtual-style call through a method table slot at [ecx+0x1c], passing a value
        // summed from a field at [edx+ecx+0xc].
        $sequence_23 = { 03440a0c 50 8b4d0c ff511c }
            // n = 4, score = 100
            //   03440a0c             | add                 eax, dword ptr [edx + ecx + 0xc]
            //   50                   | push                eax
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   ff511c               | call                dword ptr [ecx + 0x1c]

        $sequence_24 = { 56 57 e8???????? e8???????? 58 }
            // n = 5, score = 100
            //   56                   | push                esi
            //   57                   | push                edi
            //   e8????????           |                     
            //   e8????????           |                     
            //   58                   | pop                 eax

        // Pointer-advance loop on [ebp-0x90] (see $sequence_22); after the loop the distance
        // from the start pointer at [ebp-0xd4] is stored in [ebp-0x30].
        $sequence_25 = { 8b8d70ffffff 83c101 898d70ffffff ebe1 8b9570ffffff 2b952cffffff 8955d0 }
            // n = 7, score = 100
            //   8b8d70ffffff         | mov                 ecx, dword ptr [ebp - 0x90]
            //   83c101               | add                 ecx, 1
            //   898d70ffffff         | mov                 dword ptr [ebp - 0x90], ecx
            //   ebe1                 | jmp                 0xffffffe3
            //   8b9570ffffff         | mov                 edx, dword ptr [ebp - 0x90]
            //   2b952cffffff         | sub                 edx, dword ptr [ebp - 0xd4]
            //   8955d0               | mov                 dword ptr [ebp - 0x30], edx

    condition:
        // Any 7 of the 26 sequences suffice. The size cap (303104 = 0x4A000 bytes) keeps the
        // rule on objects sized like the analysed unpacked samples / dumps, so a Gh0st payload
        // embedded in a larger carrier or a packed installer will not trigger it on its own.
        // YARA's `filesize` is undefined when scanning a running process, so apply this rule to
        // dumped / unpacked files rather than live memory.
        7 of them and filesize < 303104
}