gh0strat | 9f0a67d64d1d53fff0a3a1bbd1dec48b04986a88fd4f0924f0b8b4cc9776715e | Triage

Submit
Reports

Overview

overview

Static

static

9f0a67d64d...5e.exe

windows7-x64

9f0a67d64d...5e.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

9f0a67d64d1d53fff0a3a1bbd1dec48b04986a88fd4f0924f0b8b4cc9776715e
Size

192KB
Sample

221030-plnpdabear
MD5

a2f56007d3fac2e051c4d3f083b9d34e
SHA1

2fb67ab8c80307fd4e327f6254e07e3de1a0aa1d
SHA256

9f0a67d64d1d53fff0a3a1bbd1dec48b04986a88fd4f0924f0b8b4cc9776715e
SHA512

54624edf1edc16d60d140f19633ecda5ce99688c23dc685a1cdd14bbee4eca584cde92183d90ec4b4c9d78aeb218ccf2b2063473d97a71e5b4003349a69d0d8e
SSDEEP

3072:TSB23ZRnWUWwQ9LmtWegYpKd8W2/7ik2YvsolNI9cq97Lq74:TFPnWUWukYaNkrNxO7Lq

Score

10^/10

gh0strat bootkit persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

9f0a67d64d1d53fff0a3a1bbd1dec48b04986a88fd4f0924f0b8b4cc9776715e.exe

Resource

win7-20220812-en

gh0strat bootkit persistence rat

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

9f0a67d64d1d53fff0a3a1bbd1dec48b04986a88fd4f0924f0b8b4cc9776715e.exe

Resource

win10v2004-20220901-en

windows10-2004-x64

7 signatures

150 seconds

Malware Config

Targets

- Target
  
  9f0a67d64d1d53fff0a3a1bbd1dec48b04986a88fd4f0924f0b8b4cc9776715e
- Size
  
  192KB
- MD5
  
  a2f56007d3fac2e051c4d3f083b9d34e
- SHA1
  
  2fb67ab8c80307fd4e327f6254e07e3de1a0aa1d
- SHA256
  
  9f0a67d64d1d53fff0a3a1bbd1dec48b04986a88fd4f0924f0b8b4cc9776715e
- SHA512
  
  54624edf1edc16d60d140f19633ecda5ce99688c23dc685a1cdd14bbee4eca584cde92183d90ec4b4c9d78aeb218ccf2b2063473d97a71e5b4003349a69d0d8e
- SSDEEP
  
  3072:TSB23ZRnWUWwQ9LmtWegYpKd8W2/7ik2YvsolNI9cq97Lq74:TFPnWUWukYaNkrNxO7Lq
Score

10^/10

gh0strat bootkit persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Deletes itself
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratbootkitpersistencerat

behavioral2

© 2018-2025

Terms | Privacy