Common Information
Value:
import "pe"	// imported by the rule author but not referenced in the condition

rule gh0st_rat_loader {
	meta:
		author = "tcontre"
		description = "detecting gh0strat_loader"
		date = "2021-02-22"
		sha256 = "70ac339c41eb7a3f868736f98afa311674da61ae12164042e44d6e641338ff1f"
	strings:
		// DOS header magic; anchored to offset 0 in the condition
		$mz = { 4D 5A }
		// x86 byte-wise XOR loop that decrypts the embedded payload:
		//   40                inc eax
		//   33 FF             xor edi, edi
		//   89 45 E8          mov [ebp-0x18], eax
		//   57                push edi
		//   8A 04 10          mov al, [eax+edx]      ; key byte
		//   8A 14 0E          mov dl, [esi+ecx]      ; ciphertext byte
		//   32 D0             xor dl, al
		//   88 14 0E          mov [esi+ecx], dl      ; write back in place
		//   FF 15 ?? ?? ?? ?? call dword ptr [imm32] ; IAT slot, wildcarded (differs per build)
		//   8B C6             mov eax, esi
		//   B9 ?? 00 00 00    mov ecx, imm32         ; counter below 256, low byte wildcarded
		$code = { 40 33 FF 89 45 E8 57 8A 04 10 8A 14 0E 32 D0 88 14 0E FF 15 ?? ?? ?? ?? 8B C6 B9 ?? 00 00 00 }
		// plain ASCII strings left in the loader binary
		$str1 = "Shellex"
		$str2 = "VirtualProtect"
	condition:
		($mz at 0) and $code and all of ($str*)
}
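The harness below is an added example, not part of the page and not code by the rule's author; it emulates the rule's condition with the Python standard library so the logic (the `??` wildcards in `$code`, the `$mz at 0` anchor, the `all of ($str*)` clause) can be checked against constructed buffers without a yara install. The test buffers, the IAT slot address and the loop counter values are made up for illustration; `hex_pattern_to_regex`, `matches_gh0st_loader` and `build_sample` are names chosen here, not YARA or yara-python APIs.

```python
import re

# Hex string copied from the page's gh0st_rat_loader rule. The fixed bytes
# decode to the byte-wise XOR loop commented in the rule; the two wildcard
# runs are the IAT slot of the call and the low byte of the loop counter.
CODE_PATTERN = ("40 33 FF 89 45 E8 57 8A 04 10 8A 14 0E 32 D0 88 14 0E "
                "FF 15 ?? ?? ?? ?? 8B C6 B9 ?? 00 00 00")
STRINGS = [b"Shellex", b"VirtualProtect"]   # $str1, $str2 (ascii, nocase not set)


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string into a bytes regex.

    Only the two token kinds this rule uses are handled: fixed bytes and the
    single-byte wildcard ``??``. DOTALL makes ``.`` match 0x0A like YARA does.
    """
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        elif len(tok) == 2:
            parts.append(b"\\x%02x" % int(tok, 16))
        else:
            raise ValueError("unsupported hex token: %r" % tok)
    return re.compile(b"".join(parts), re.DOTALL)


CODE_RE = hex_pattern_to_regex(CODE_PATTERN)


def matches_gh0st_loader(data: bytes) -> bool:
    """Evaluate the rule condition: ($mz at 0) and $code and all of ($str*)."""
    mz_at_zero = data[:2] == b"MZ"            # 'at 0', not merely 'anywhere'
    code_hit = CODE_RE.search(data) is not None
    all_strings = all(s in data for s in STRINGS)
    return mz_at_zero and code_hit and all_strings


def build_sample(call_target: int = 0x00401000, loop_len: int = 0x20,
                 mz_at_zero: bool = True, include_strings: bool = True) -> bytes:
    """Constructed test buffer (not a real sample, not a valid PE).

    Lays out: a 2-byte header, NOP padding, the XOR stub with a chosen IAT
    slot and loop counter in the wildcard positions, then the two strings.
    """
    if not 0 <= loop_len < 256:
        raise ValueError("rule only matches counters whose upper 3 bytes are zero")
    stub = bytes.fromhex("40 33 FF 89 45 E8 57 8A 04 10 8A 14 0E 32 D0 88 14 0E FF 15")
    stub += call_target.to_bytes(4, "little")
    stub += bytes.fromhex("8B C6 B9") + bytes([loop_len]) + b"\x00\x00\x00"
    head = b"MZ" if mz_at_zero else b"ZM"
    body = head + b"\x90" * 0x3E + stub + b"\x00" * 16
    if include_strings:
        body += b"Shellex\x00VirtualProtect\x00"
    return body


if __name__ == "__main__":
    for label, buf in [("stub+strings", build_sample()),
                       ("MZ not at 0", build_sample(mz_at_zero=False)),
                       ("strings missing", build_sample(include_strings=False))]:
        print("%-16s %s" % (label, matches_gh0st_loader(buf)))
```

If yara-python is installed, `yara.compile(source=<rule text>).match(data=buf)` on the same buffers is the authoritative check; this harness only reproduces the rule's evaluation, and it deliberately rejects a counter above 255 because the rule's `B9 ?? 00 00 00` cannot match one.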
Type: Yara Rule
Details
Published: 2021-02-22
Attributes: 11
CTI: Website
Title: Gh0stRat Anti-Debugging : Nested SEH (try - catch) to Decrypt and Load its Payload