gh0strat | b5ddea176f84e1230e048754fa7222b01f272c7fc36cd8a370808eb53e88a59c | Triage

Submit
Reports

Overview

overview

Static

static

b5ddea176f...9c.exe

windows7-x64

b5ddea176f...9c.exe

windows10-2004-x64

8

Sharing

General

Target

b5ddea176f84e1230e048754fa7222b01f272c7fc36cd8a370808eb53e88a59c
Size

524KB
Sample

221203-hnbz2agg4v
MD5

339d322f96ffae239fcfda935c332f91
SHA1

36b1809655156659a52edeadf665c72c6ba071f1
SHA256

b5ddea176f84e1230e048754fa7222b01f272c7fc36cd8a370808eb53e88a59c
SHA512

b942464f9d06855198f323b9891c8704ff145c94f1cba0ac92dccaa19946b1a21ca1a5f37c1b73b482f52a737cf9b822d08286cddc0b41ebd8105e676bbd7cb8
SSDEEP

6144:7Rm973fQ6Rf/3sNYGl73IBtWcp+a18MWExFrMkuWnOMdWFmjD1z93bW:741Tf/AYGpSp+aKMWExFriWL8FM3q

Score

10^/10

gh0strat bootkit persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

b5ddea176f84e1230e048754fa7222b01f272c7fc36cd8a370808eb53e88a59c.exe

Resource

win7-20220812-en

gh0strat bootkit persistence rat

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

b5ddea176f84e1230e048754fa7222b01f272c7fc36cd8a370808eb53e88a59c.exe

Resource

win10v2004-20220812-en

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Targets

- Target
  
  b5ddea176f84e1230e048754fa7222b01f272c7fc36cd8a370808eb53e88a59c
- Size
  
  524KB
- MD5
  
  339d322f96ffae239fcfda935c332f91
- SHA1
  
  36b1809655156659a52edeadf665c72c6ba071f1
- SHA256
  
  b5ddea176f84e1230e048754fa7222b01f272c7fc36cd8a370808eb53e88a59c
- SHA512
  
  b942464f9d06855198f323b9891c8704ff145c94f1cba0ac92dccaa19946b1a21ca1a5f37c1b73b482f52a737cf9b822d08286cddc0b41ebd8105e676bbd7cb8
- SSDEEP
  
  6144:7Rm973fQ6Rf/3sNYGl73IBtWcp+a18MWExFrMkuWnOMdWFmjD1z93bW:741Tf/AYGpSp+aKMWExFriWL8FM3q
Score

10^/10

gh0strat bootkit persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Executes dropped EXE
- Sets DLL path for service in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Bootkit

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gh0stratbootkitpersistencerat

behavioral2

© 2018-2024

Terms | Privacy