gh0strat | bbc6e1ef59b38a38b2b8adf4fc0dc0a25a8370a03b293681423eb169d5aa5742 | Triage

Submit
Reports

Overview

overview

Static

static

bbc6e1ef59...42.exe

windows7-x64

bbc6e1ef59...42.exe

windows10-2004-x64

8

Sharing

General

Target

bbc6e1ef59b38a38b2b8adf4fc0dc0a25a8370a03b293681423eb169d5aa5742
Size

235KB
Sample

221203-g3gy6abf56
MD5

32e398d8dc621da81aa91be2f2f42df4
SHA1

37c7b1f046c880c556b939e2a136a296f9753b83
SHA256

bbc6e1ef59b38a38b2b8adf4fc0dc0a25a8370a03b293681423eb169d5aa5742
SHA512

2474192a51fc367e70f9cbe1b9ab63fd4161d771236902cb595891777d886187f06270272c514ece54edd634c6da584f4235c60b9f1bff8c7aabde63e27a1d87
SSDEEP

6144:zphUyNq8ibIsUeIuiFFXYBmGFXfyHH+8kUBS:zvUyNq8OqeIuiemIyn+8o

Score

10^/10

gh0strat bootkit persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

bbc6e1ef59b38a38b2b8adf4fc0dc0a25a8370a03b293681423eb169d5aa5742.exe

Resource

win7-20220812-en

gh0strat bootkit persistence rat

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

bbc6e1ef59b38a38b2b8adf4fc0dc0a25a8370a03b293681423eb169d5aa5742.exe

Resource

win10v2004-20220812-en

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Targets

- Target
  
  bbc6e1ef59b38a38b2b8adf4fc0dc0a25a8370a03b293681423eb169d5aa5742
- Size
  
  235KB
- MD5
  
  32e398d8dc621da81aa91be2f2f42df4
- SHA1
  
  37c7b1f046c880c556b939e2a136a296f9753b83
- SHA256
  
  bbc6e1ef59b38a38b2b8adf4fc0dc0a25a8370a03b293681423eb169d5aa5742
- SHA512
  
  2474192a51fc367e70f9cbe1b9ab63fd4161d771236902cb595891777d886187f06270272c514ece54edd634c6da584f4235c60b9f1bff8c7aabde63e27a1d87
- SSDEEP
  
  6144:zphUyNq8ibIsUeIuiFFXYBmGFXfyHH+8kUBS:zvUyNq8OqeIuiemIyn+8o
Score

10^/10

gh0strat bootkit persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Executes dropped EXE
- Sets DLL path for service in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Bootkit

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gh0stratbootkitpersistencerat

behavioral2

© 2018-2024

Terms | Privacy