James_inthe_box

Gh0stcringe yara

May 5th, 2019
// Gh0st_Cringe_bin: on-disk detection of a Gh0st-Cringe RAT binary.
// Intended for scanning files (the condition checks the PE/MZ header and
// an upper bound on filesize); see Gh0st_Cringe_mem for the larger-than-100KB
// companion rule with the same string set.
rule Gh0st_Cringe_bin
{
    meta:
        description = "Gh0st-Cringe RAT"
        author = "James_inthe_box"
        // 64-hex-digit value, presumably the SHA-256 of the reference sample -- confirm
        reference = "62f02dd911ed52ffa87d1c8215199bfad471a7d5d0ef905eb16f45b0bb49ed94"
        date = "2019/05"
        maltype = "RAT"

    strings:
        // $string1..$string8: artifacts of the RAT itself. No modifiers are given,
        // so each is matched as exact-case ASCII only (no `wide`, no `nocase`).
        // $string3..$string7 are generic words that appear in many benign PEs;
        // the condition therefore requires 7 of these 8 together, not any single one.
        $string1 = "PluginMe"
        $string2 = "%d.bak"
        $string3 = "System"
        $string4 = "Security"
        $string5 = "Application"
        $string6 = "Group"
        $string7 = "Remark"
        // Registry key path; backslashes are escaped for the YARA string literal.
        $string8 = "HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0"
        // $secapp9..$secapp53: security-product names and process image names
        // the sample carries. Note $secapp45 is absent, so the $secapp* set
        // holds 44 strings, of which the condition requires 20.
        $secapp9 = "UnThreat"
        $secapp10 = "UnThreat.exe"
        $secapp11 = "K7TSecurity.exe"
        $secapp12 = "Ad-watch"
        $secapp13 = "ad-watch.exe"
        $secapp14 = "PSafe"
        $secapp15 = "PSafeSysTray.exe"
        $secapp16 = "BitDefender"
        $secapp17 = "vsserv.exe"
        $secapp18 = "remupd.exe"
        $secapp19 = "rtvscan.exe"
        $secapp20 = "Avast"
        $secapp21 = "ashDisp.exe"
        $secapp22 = "avcenter.exe"
        $secapp23 = "TMBMSRV.exe"
        $secapp24 = "knsdtray.exe"
        $secapp25 = "NOD32"
        $secapp26 = "egui.exe"
        $secapp27 = "Mcshield.exe"
        $secapp28 = "avp.exe"
        $secapp29 = "F-Secure"
        $secapp30 = "f-secure.exe"
        $secapp31 = "avgwdsvc.exe"
        $secapp32 = "AYAgent.aye"
        $secapp33 = "V3Svc.exe"
        $secapp34 = "Outpost"
        $secapp35 = "acs.exe"
        $secapp36 = "DR.WEB"
        $secapp37 = "SPIDer.exe"
        $secapp38 = "Comodo"
        $secapp39 = "cfp.exe"
        $secapp40 = "mssecess.exe"
        $secapp41 = "QuickHeal"
        $secapp42 = "QUHLPSVC.EXE"
        $secapp43 = "RavMonD.exe"
        $secapp44 = "KvMonXP.exe"
        $secapp46 = "baiduSafeTray.exe"
        $secapp47 = "BaiduSd.exe"
        $secapp48 = "QQPCRTP.exe"
        $secapp49 = "KSafeTray.exe"
        $secapp50 = "kxetray.exe"
        $secapp51 = "360sd.exe"
        $secapp52 = "360tray.exe"
        // User-agent fragment; presumably from the sample's C2 HTTP traffic -- confirm
        $secapp53 = "MSIE 6.0"

    condition:
        // uint16(0) == 0x5A4D: the first two bytes are "MZ" (little-endian), i.e. a
        // DOS/PE header. The size bound keeps this rule to small stand-alone
        // binaries; anything >= 100KB is deferred to Gh0st_Cringe_mem.
        uint16(0) == 0x5A4D and 7 of ($string*) and 20 of ($secapp*) and filesize < 100KB
}
  67.  
// Gh0st_Cringe_mem: same string set as Gh0st_Cringe_bin, but without the MZ
// header check and with the filesize bound inverted (> 100KB), so it covers
// larger inputs such as memory dumps written to disk.
// NOTE(review): `filesize` is only defined when YARA scans a file; if this rule
// is meant to run against a live process (yara -p / pid scanning) the filesize
// clause would not be satisfiable -- confirm it is used on dumped files.
rule Gh0st_Cringe_mem
{
    meta:
        description = "Gh0st-Cringe RAT"
        author = "James_inthe_box"
        // 64-hex-digit value, presumably the SHA-256 of the reference sample -- confirm
        reference = "62f02dd911ed52ffa87d1c8215199bfad471a7d5d0ef905eb16f45b0bb49ed94"
        date = "2019/05"
        maltype = "RAT"

    strings:
        // $string1..$string8: artifacts of the RAT itself, matched as exact-case
        // ASCII only (no `wide`, no `nocase`). $string3..$string7 are generic
        // words; the condition requires 7 of the 8 together.
        $string1 = "PluginMe"
        $string2 = "%d.bak"
        $string3 = "System"
        $string4 = "Security"
        $string5 = "Application"
        $string6 = "Group"
        $string7 = "Remark"
        // Registry key path; backslashes are escaped for the YARA string literal.
        $string8 = "HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0"
        // $secapp9..$secapp53: security-product names and process image names.
        // $secapp45 is absent, so the $secapp* set holds 44 strings, of which
        // the condition requires 20.
        $secapp9 = "UnThreat"
        $secapp10 = "UnThreat.exe"
        $secapp11 = "K7TSecurity.exe"
        $secapp12 = "Ad-watch"
        $secapp13 = "ad-watch.exe"
        $secapp14 = "PSafe"
        $secapp15 = "PSafeSysTray.exe"
        $secapp16 = "BitDefender"
        $secapp17 = "vsserv.exe"
        $secapp18 = "remupd.exe"
        $secapp19 = "rtvscan.exe"
        $secapp20 = "Avast"
        $secapp21 = "ashDisp.exe"
        $secapp22 = "avcenter.exe"
        $secapp23 = "TMBMSRV.exe"
        $secapp24 = "knsdtray.exe"
        $secapp25 = "NOD32"
        $secapp26 = "egui.exe"
        $secapp27 = "Mcshield.exe"
        $secapp28 = "avp.exe"
        $secapp29 = "F-Secure"
        $secapp30 = "f-secure.exe"
        $secapp31 = "avgwdsvc.exe"
        $secapp32 = "AYAgent.aye"
        $secapp33 = "V3Svc.exe"
        $secapp34 = "Outpost"
        $secapp35 = "acs.exe"
        $secapp36 = "DR.WEB"
        $secapp37 = "SPIDer.exe"
        $secapp38 = "Comodo"
        $secapp39 = "cfp.exe"
        $secapp40 = "mssecess.exe"
        $secapp41 = "QuickHeal"
        $secapp42 = "QUHLPSVC.EXE"
        $secapp43 = "RavMonD.exe"
        $secapp44 = "KvMonXP.exe"
        $secapp46 = "baiduSafeTray.exe"
        $secapp47 = "BaiduSd.exe"
        $secapp48 = "QQPCRTP.exe"
        $secapp49 = "KSafeTray.exe"
        $secapp50 = "kxetray.exe"
        $secapp51 = "360sd.exe"
        $secapp52 = "360tray.exe"
        // User-agent fragment; presumably from the sample's C2 HTTP traffic -- confirm
        $secapp53 = "MSIE 6.0"

    condition:
        // No header check here: the input need not start with an MZ stub.
        // Only inputs of 100KB or more qualify (exactly 100KB matches neither rule).
        7 of ($string*) and 20 of ($secapp*) and filesize > 100KB
}