gh0strat | ac3d71f46ce24bdb6a97c0997291633b171c17141d06d153b5d4424ecaa34220 | Triage

Submit
Reports

Overview

overview

Static

static

ac3d71f46c...20.exe

windows7-x64

ac3d71f46c...20.exe

windows10-2004-x64

Sharing

General

Target

ac3d71f46ce24bdb6a97c0997291633b171c17141d06d153b5d4424ecaa34220
Size

184KB
Sample

221003-m6w55sdbfn
MD5

5160af69aec4088ef0e2cc8d0d9d6850
SHA1

1d1cb3687c3a0473e629fc7178ad914684c647ff
SHA256

ac3d71f46ce24bdb6a97c0997291633b171c17141d06d153b5d4424ecaa34220
SHA512

b5245c7dd0c30d38693f52622e783402e8d09b50f1f2e28ec793133937320982f2fa4ee92c8413a59bc1d3e9b05becb910dbbec368c3cda9fe674ac30d55dc09
SSDEEP

3072:mtABk6WqKjRTmSPYYDw4nOP29jGMg+f0NLStQLdYqodDI+:GABk6WqCvBDnnOPaFf0kOLdyI

Score

10^/10

gh0strat bootkit persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

ac3d71f46ce24bdb6a97c0997291633b171c17141d06d153b5d4424ecaa34220.exe

Resource

win7-20220901-en

gh0strat bootkit persistence rat

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

ac3d71f46ce24bdb6a97c0997291633b171c17141d06d153b5d4424ecaa34220.exe

Resource

win10v2004-20220901-en

gh0strat bootkit persistence rat

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Targets

- Target
  
  ac3d71f46ce24bdb6a97c0997291633b171c17141d06d153b5d4424ecaa34220
- Size
  
  184KB
- MD5
  
  5160af69aec4088ef0e2cc8d0d9d6850
- SHA1
  
  1d1cb3687c3a0473e629fc7178ad914684c647ff
- SHA256
  
  ac3d71f46ce24bdb6a97c0997291633b171c17141d06d153b5d4424ecaa34220
- SHA512
  
  b5245c7dd0c30d38693f52622e783402e8d09b50f1f2e28ec793133937320982f2fa4ee92c8413a59bc1d3e9b05becb910dbbec368c3cda9fe674ac30d55dc09
- SSDEEP
  
  3072:mtABk6WqKjRTmSPYYDw4nOP29jGMg+f0NLStQLdYqodDI+:GABk6WqCvBDnnOPaFf0kOLdyI
Score

10^/10

gh0strat bootkit persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Sets DLL path for service in the registry
  persistence
- Deletes itself
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Bootkit

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gh0stratbootkitpersistencerat

behavioral2

gh0stratbootkitpersistencerat

© 2018-2024

Terms | Privacy