gh0strat | 25bf6bc8d1a3489242813a068f296dfe95b1c15d63327c9e9acc416e95ba7fc9 | Triage

Submit
Reports

Overview

overview

Static

static

3

25bf6bc8d1...c9.exe

windows7-x64

25bf6bc8d1...c9.exe

windows10-2004-x64

Sharing

General

Target

25bf6bc8d1a3489242813a068f296dfe95b1c15d63327c9e9acc416e95ba7fc9
Size

8.3MB
Sample

240525-wvvydade92
MD5

0e325c1047cd5a0d17da652d12f642b2
SHA1

821df9a143bebed52b4a1685e2d2978fb0d46b51
SHA256

25bf6bc8d1a3489242813a068f296dfe95b1c15d63327c9e9acc416e95ba7fc9
SHA512

21b08680887bff65f36ac21f44b8c4db47f569bb2a64a1dc52a3a2c97ea7ebc8070ae5756b5db4dfea506b575479becaf339f2f684f7132c13594ad426cdb71e
SSDEEP

196608:f5gGhArtAXr5k6Vswjo3ae6/7XQMEnLc6ioy47RsJ26H:BgGhsc2yXQDc6ioy47e7

Score

10^/10

gh0strat bootkit persistence rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

25bf6bc8d1a3489242813a068f296dfe95b1c15d63327c9e9acc416e95ba7fc9.exe

Resource

win7-20240221-en

gh0strat bootkit persistence rat

windows7-x64

21 signatures

150 seconds

Behavioral task

behavioral2

Sample

25bf6bc8d1a3489242813a068f296dfe95b1c15d63327c9e9acc416e95ba7fc9.exe

Resource

win10v2004-20240508-en

gh0strat bootkit persistence rat

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Targets

- Target
  
  25bf6bc8d1a3489242813a068f296dfe95b1c15d63327c9e9acc416e95ba7fc9
- Size
  
  8.3MB
- MD5
  
  0e325c1047cd5a0d17da652d12f642b2
- SHA1
  
  821df9a143bebed52b4a1685e2d2978fb0d46b51
- SHA256
  
  25bf6bc8d1a3489242813a068f296dfe95b1c15d63327c9e9acc416e95ba7fc9
- SHA512
  
  21b08680887bff65f36ac21f44b8c4db47f569bb2a64a1dc52a3a2c97ea7ebc8070ae5756b5db4dfea506b575479becaf339f2f684f7132c13594ad426cdb71e
- SSDEEP
  
  196608:f5gGhArtAXr5k6Vswjo3ae6/7XQMEnLc6ioy47RsJ26H:BgGhsc2yXQDc6ioy47e7
Score

10^/10

gh0strat bootkit persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Sets DLL path for service in the registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Pre-OS Boot

Bootkit

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Pre-OS Boot

Bootkit

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

gh0stratbootkitpersistencerat

behavioral2

gh0stratbootkitpersistencerat

© 2018-2024

Terms | Privacy