gh0strat | 968aadb9874bd87ef21a5c9457f4811ed9c9f6f5a609a192e0fd3d2b78e6a1b6 | Triage

Submit
Reports

Overview

overview

Static

static

968aadb987...b6.exe

windows7-x64

968aadb987...b6.exe

windows10-2004-x64

1

Sharing

Copy URL Twitter E-mail

General

Target

968aadb9874bd87ef21a5c9457f4811ed9c9f6f5a609a192e0fd3d2b78e6a1b6
Size

301KB
Sample

221207-crjldsaa5x
MD5

0ec24820c8a56f68f1314e0cd5df22d1
SHA1

7d3d7db55c7ac15b85fe25f57f32c5974b444f64
SHA256

968aadb9874bd87ef21a5c9457f4811ed9c9f6f5a609a192e0fd3d2b78e6a1b6
SHA512

d110d65fda0ca27803452015c97fc80abdd10291d3afb46cb51624ce435f6abfeccfca1effa10a773d440c44e217b539c61baef21c1fe7690744483add1fac67
SSDEEP

6144:tgeeoNppQVH0pwpMy65Xy/TaMsHleE8wrHDpgSOhCrdUvMyP:tgeeoNpiVH0pphy/TQHCwTDySOhCrmv1

Score

10^/10

gh0strat bootkit persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

968aadb9874bd87ef21a5c9457f4811ed9c9f6f5a609a192e0fd3d2b78e6a1b6.exe

Resource

win7-20220901-en

gh0strat bootkit persistence rat

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

968aadb9874bd87ef21a5c9457f4811ed9c9f6f5a609a192e0fd3d2b78e6a1b6.exe

Resource

win10v2004-20221111-en

windows10-2004-x64

0 signatures

150 seconds

Malware Config

Targets

- Target
  
  968aadb9874bd87ef21a5c9457f4811ed9c9f6f5a609a192e0fd3d2b78e6a1b6
- Size
  
  301KB
- MD5
  
  0ec24820c8a56f68f1314e0cd5df22d1
- SHA1
  
  7d3d7db55c7ac15b85fe25f57f32c5974b444f64
- SHA256
  
  968aadb9874bd87ef21a5c9457f4811ed9c9f6f5a609a192e0fd3d2b78e6a1b6
- SHA512
  
  d110d65fda0ca27803452015c97fc80abdd10291d3afb46cb51624ce435f6abfeccfca1effa10a773d440c44e217b539c61baef21c1fe7690744483add1fac67
- SSDEEP
  
  6144:tgeeoNppQVH0pwpMy65Xy/TaMsHleE8wrHDpgSOhCrdUvMyP:tgeeoNpiVH0pphy/TQHCwTDySOhCrmv1
Score

10^/10

gh0strat bootkit persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Drops file in Drivers directory
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratbootkitpersistencerat

behavioral2

© 2018-2025

Terms | Privacy