Gh0stRat Anti-Debugging : Nested SEH (try - catch) to Decrypt and Load its Payload
Tags
Type | Value |
---|---|
attack-pattern | Data Hardware - T1592.001 |
attack-pattern | Keylogging - T1056.001 |
attack-pattern | Keylogging - T1417.001 |
attack-pattern | Malware - T1587.001 |
attack-pattern | Malware - T1588.001 |
attack-pattern | Tool - T1588.002 |
Common Information
Type | Value |
---|---|
UUID | a1a9d7cf-5690-44b6-b313-74ef34064f04 |
Fingerprint | ae517c1bb5ae74b7 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Feb. 22, 2021, 9:57 a.m. |
Added to db | Sept. 26, 2022, 9:30 a.m. |
Last updated | Nov. 12, 2024, 11:50 a.m. |
Headline | {"®eve®se": "Enginee®ing"} |
Title | Gh0stRat Anti-Debugging : Nested SEH (try - catch) to Decrypt and Load its Payload |
Detected Hints/Tags/Attributes | 27/1/11 |
Source URLs
URL | Provider |
---|---|
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 6 | | www.hexblog.com |
Details | File | 1 | | recon-2012-skochinsky-compiler-internals.pdf |
Details | File | 6 | | f-secure.exe |
Details | File | 45 | | mcshield.exe |
Details | File | 4 | | baidusafetray.exe |
Details | File | 1 | | %d.bak |
Details | sha256 | 1 | | 70ac339c41eb7a3f868736f98afa311674da61ae12164042e44d6e641338ff1f |
Details | sha256 | 1 | | edffd5fc8eb86e2b20dd44e0482b97f74666edc2ec52966be19a6fe43358a5db |
Details | Url | 1 | | https://www.hexblog.com/wp-content/uploads/2012/06/recon-2012-skochinsky-compiler-internals.pdf |
Details | Yara rule | 1 | | rule gh0st_rat_loader (full rule below) |
Details | Yara rule | 1 | | rule gh0st_rat_payload (full rule below) |

Yara rule: gh0st_rat_loader

```yara
import "pe"

rule gh0st_rat_loader {
    meta:
        author = "tcontre"
        description = "detecting gh0strat_loader"
        date = "2021-02-22"
        sha256 = "70ac339c41eb7a3f868736f98afa311674da61ae12164042e44d6e641338ff1f"
    strings:
        $mz = { 4D 5A }
        $code = { 40 33 FF 89 45 E8 57 8A 04 10 8A 14 0E 32 D0 88 14 0E FF 15 ?? ?? ?? ?? 8B C6 B9 ?? 00 00 00 }
        $str1 = "Shellex"
        $str2 = "VirtualProtect"
    condition:
        ($mz at 0) and $code and all of ($str*)
}
```

Yara rule: gh0st_rat_payload

```yara
rule gh0st_rat_payload {
    meta:
        author = "tcontre"
        description = "detecting gh0strat_payload in memory without MZ header in memory"
        date = "2021-02-22"
        sha256 = "edffd5fc8eb86e2b20dd44e0482b97f74666edc2ec52966be19a6fe43358a5db"
    strings:
        $dos = "DOS mode"
        $av_str1 = "f-secure.exe"
        $av_str2 = "Mcshield.exe"
        $av_str3 = "Sunbelt"
        $av_str4 = "baiduSafeTray.exe"
        $clsid = "{4D36E972-E325-11CE-BFC1-08002BE10318}"
        $s1 = "[WIN]"
        $s2 = "[Print Screen]"
        $s3 = "Shellex"
        $s4 = "HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0"
        $s5 = "%s\\%d.bak"
    condition:
        ($dos at 0x6c) and 2 of ($av_str*) and 4 of ($s*) and $clsid
}
```