gh0strat | 3bd1b43127bc6d9e62acdb213cb939f71ab194299f9e2f3dd115d477fb29c2a9 | Triage

Submit
Reports

Overview

overview

Static

static

1

4aace42c08...0N.exe

windows7-x64

4aace42c08...0N.exe

windows10-2004-x64

Sharing

General

Target

4aace42c086257d57da1e206e97b5da0N.exe
Size

1.6MB
Sample

240819-mg3xdssckm
MD5

4aace42c086257d57da1e206e97b5da0
SHA1

43450bf00f772ed963452800cd8ff167d434dedd
SHA256

3bd1b43127bc6d9e62acdb213cb939f71ab194299f9e2f3dd115d477fb29c2a9
SHA512

a084214bf38844c0ee61b852f2529e630403d3547a3a6fae8068f4c497ddf6cf51d372d42487031651db038114d0e8cfbafc67f6860adb41659b04327add2ba4
SSDEEP

24576:saDo5rbqLu0/36jUS2K81dAmi1iqqieqao3732v9YIvIT2v+MVcOl4VTN9vvmQd5:7obqLu0MmdA1gi3T3b2SIlvVmTNzoo

Score

10^/10

gh0strat bootkit discovery evasion persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

4aace42c086257d57da1e206e97b5da0N.exe

Resource

win7-20240705-en

gh0strat bootkit discovery evasion persistence rat trojan

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

4aace42c086257d57da1e206e97b5da0N.exe

Resource

win10v2004-20240802-en

gh0strat bootkit discovery evasion persistence rat

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Targets

- Target
  
  4aace42c086257d57da1e206e97b5da0N.exe
- Size
  
  1.6MB
- MD5
  
  4aace42c086257d57da1e206e97b5da0
- SHA1
  
  43450bf00f772ed963452800cd8ff167d434dedd
- SHA256
  
  3bd1b43127bc6d9e62acdb213cb939f71ab194299f9e2f3dd115d477fb29c2a9
- SHA512
  
  a084214bf38844c0ee61b852f2529e630403d3547a3a6fae8068f4c497ddf6cf51d372d42487031651db038114d0e8cfbafc67f6860adb41659b04327add2ba4
- SSDEEP
  
  24576:saDo5rbqLu0/36jUS2K81dAmi1iqqieqao3732v9YIvIT2v+MVcOl4VTN9vvmQd5:7obqLu0MmdA1gi3T3b2SIlvVmTNzoo
Score

10^/10

gh0strat bootkit discovery evasion persistence rat trojan
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Checks whether UAC is enabled
  evasion trojan
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

Bootkit

Privilege Escalation

Defense Evasion

Pre-OS Boot

Bootkit

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratbootkitdiscoveryevasionpersistencerattrojan

behavioral2

gh0stratbootkitdiscoveryevasionpersistencerat

© 2018-2025

Terms | Privacy