Yara Rules


rule Gh0st_RAT
{
    // Gh0st RAT signature. A hit needs either one of the two encoded text
    // strings on its own, or both the ".pepsi" section-name text and the
    // reversed command-line string together. All strings are plain,
    // case-sensitive ASCII matches anywhere in the scanned data.
    meta:
        description="Gh0st RAT Signature"
        reference="http://rinseandrepeatanalysis.blogspot.com/2018/05/malware-analysis-gh0st-rat.html"
        date="5/27/2018"
        hash1="05d8c65417e946fee515ee5b69066f4d"
        hash2="f1c3dbc49985eab22e89d3dc86452ea5"

    strings:
        // Labelled as the mutex string by the rule author; sufficient alone.
        $enc_mutex = "QQQQQQrrG0va+9r72uqaevp6+f"
        // Long encoded blob; sufficient alone.
        $enc_blob = "OOOOOO2vYA8fzw/AXzv+MC9fYAAr/a/v3+BALxnw==|K38xgSlaK39ZUE9hUDErbVZ3LicxQVRTNTwna09hVncuJ2RqNTw+QJ8=$/fPy8ALxvQP7+58=@KUksWk5EUylUNy+Fnw==#rrGws7K1nw=="
        // Section-name text. Matched as a bare string (no pe module), so it can
        // occur anywhere in the file, not only in the section table.
        $sect_pepsi = ".pepsi"
        // Reversed text ("Ehost.exe -k" read backwards); only counts together
        // with $sect_pepsi.
        $rev_cmd = "k- exe.tsohE"

    condition:
        any of ($enc_mutex, $enc_blob) or all of ($sect_pepsi, $rev_cmd)
}
