gh0strat | 6ccb2248ecb871336a3e66d8728d27b6647306130b1952d7f8086874a6adcb60 | Triage

Submit
Reports

Overview

overview

Static

static

6ccb2248ec...60.exe

windows7-x64

6ccb2248ec...60.exe

windows10-2004-x64

Sharing

General

Target

6ccb2248ecb871336a3e66d8728d27b6647306130b1952d7f8086874a6adcb60
Size

28KB
Sample

221107-3kv9qahahq
MD5

92d71db5d7ecf727f7387fbd2f033b2c
SHA1

c6332ddff92d799cd3e70da87d97cc9f16af9077
SHA256

6ccb2248ecb871336a3e66d8728d27b6647306130b1952d7f8086874a6adcb60
SHA512

ecf55a956f0b7522e9952c2d3819fcb83ac8890a04cb654881ad411f70aa806cd8cb8b78820a8a293aa38a8f73b20f8910a073290d173fe1532b88c725c13036
SSDEEP

768:mPRjlBNB+BFBoBsB4BTBmBAC86oLjEMcaNoNl9/NOIj:chF/CF/5

Score

10^/10

gh0strat joker bootkit discovery evasion infostealer persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

6ccb2248ecb871336a3e66d8728d27b6647306130b1952d7f8086874a6adcb60.exe

Resource

win7-20220901-en

gh0strat joker bootkit discovery evasion infostealer persistence rat trojan

windows7-x64

21 signatures

150 seconds

Behavioral task

behavioral2

Sample

6ccb2248ecb871336a3e66d8728d27b6647306130b1952d7f8086874a6adcb60.exe

Resource

win10v2004-20220901-en

gh0strat joker bootkit discovery evasion infostealer persistence rat trojan

windows10-2004-x64

23 signatures

150 seconds

Malware Config

Targets

- Target
  
  6ccb2248ecb871336a3e66d8728d27b6647306130b1952d7f8086874a6adcb60
- Size
  
  28KB
- MD5
  
  92d71db5d7ecf727f7387fbd2f033b2c
- SHA1
  
  c6332ddff92d799cd3e70da87d97cc9f16af9077
- SHA256
  
  6ccb2248ecb871336a3e66d8728d27b6647306130b1952d7f8086874a6adcb60
- SHA512
  
  ecf55a956f0b7522e9952c2d3819fcb83ac8890a04cb654881ad411f70aa806cd8cb8b78820a8a293aa38a8f73b20f8910a073290d173fe1532b88c725c13036
- SSDEEP
  
  768:mPRjlBNB+BFBoBsB4BTBmBAC86oLjEMcaNoNl9/NOIj:chF/CF/5
Score

10^/10

gh0strat joker bootkit discovery evasion infostealer persistence rat trojan
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- UAC bypass
  evasion trojan
- joker
  Joker is an Android malware that targets billing and SMS fraud.
  infostealer trojan joker
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

New Service

Privilege Escalation

Bypass User Account Control

New Service

Defense Evasion

Bypass User Account Control

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratjokerbootkitdiscoveryevasioninfostealerpersistencerattrojan

behavioral2

gh0stratjokerbootkitdiscoveryevasioninfostealerpersistencerattrojan

© 2018-2025

Terms | Privacy