gh0strat | a697fc511b8205926b1fb7446c4f7af8543e6e9971ee6774c1b08fb12ea0b9f9 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

a697fc511b...f9.exe

windows7-x64

a697fc511b...f9.exe

windows10-2004-x64

3

Sharing

General

Target

a697fc511b8205926b1fb7446c4f7af8543e6e9971ee6774c1b08fb12ea0b9f9
Size

370KB
Sample

221206-v92h2ahg94
MD5

e839703c3f87be94b500c6533a64b339
SHA1

9ba24fdde53e05f8c8ffd3c202c5d3c5d4a21469
SHA256

a697fc511b8205926b1fb7446c4f7af8543e6e9971ee6774c1b08fb12ea0b9f9
SHA512

e6e9d9a1d56bd4c9201b809b1fdab93ac8215962e9a1b4e1435d6e8a36a74074342bd777c2e5452cf0d0b70be607fd8c8c05c718dc651f3d678da3a8c21d27cd
SSDEEP

6144:kbB5jfgexjptZL02vIMoIcGRU0MQmEMRxlroXnuUEF9GCpiQdl:kbB5jfgexjrOA9NRPmxwX/itFl

Score

10^/10

gh0strat bootkit persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

a697fc511b8205926b1fb7446c4f7af8543e6e9971ee6774c1b08fb12ea0b9f9.exe

Resource

win7-20221111-en

gh0strat bootkit persistence rat

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

a697fc511b8205926b1fb7446c4f7af8543e6e9971ee6774c1b08fb12ea0b9f9.exe

Resource

win10v2004-20220901-en

windows10-2004-x64

1 signatures

150 seconds

Malware Config

Targets

- Target
  
  a697fc511b8205926b1fb7446c4f7af8543e6e9971ee6774c1b08fb12ea0b9f9
- Size
  
  370KB
- MD5
  
  e839703c3f87be94b500c6533a64b339
- SHA1
  
  9ba24fdde53e05f8c8ffd3c202c5d3c5d4a21469
- SHA256
  
  a697fc511b8205926b1fb7446c4f7af8543e6e9971ee6774c1b08fb12ea0b9f9
- SHA512
  
  e6e9d9a1d56bd4c9201b809b1fdab93ac8215962e9a1b4e1435d6e8a36a74074342bd777c2e5452cf0d0b70be607fd8c8c05c718dc651f3d678da3a8c21d27cd
- SSDEEP
  
  6144:kbB5jfgexjptZL02vIMoIcGRU0MQmEMRxlroXnuUEF9GCpiQdl:kbB5jfgexjrOA9NRPmxwX/itFl
Score

10^/10

gh0strat bootkit persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratbootkitpersistencerat

behavioral2

© 2018-2025

Terms | Privacy