Trusted Design

HDRoot Bootkit

概要

(Kaspersky) Some time ago while tracking Winnti group activity we came across a suspicious 64-bit sample. It was a standalone utility with the name HDD Rootkit for planting a bootkit on a computer. Once installed the bootkit infects the operating system with a backdoor at the early booting stage. The principles of this bootkit’s work, named HDRoot, have been described in the first part of our article. During our investigation we found several backdoors that the HDRoot bootkit used for infecting operating systems. These backdoors are described in this part of the article.

Created: 2026-02-23

Indicators

• FileHash-MD5 - c0118c58b6cd012467b3e35f7d7006ed -
• FileHash-MD5 - 7d1309ce050f32581b60841f82fc3399 -
• FileHash-MD5 - c5d59acb616dc8bac47b0ebd0244f686 -
• FileHash-MD5 - 1c30032dc5435070466b9dc96f466f95 -
• URL - http://www.gbutterfly.com/bbs/data/boot1.gif -
• FileHash-MD5 - f6004cfaa6dc53fd5bf32f7069f60e7a -
• FileHash-MD5 - e19793ff58c04c2d439707ac65703410 -
• FileHash-MD5 - e171d9e3fcb2eeccdc841cca9ef53fb8 -
• FileHash-MD5 - 4dc2fc6ad7d9ed9fcf13d914660764cd -
• FileHash-MD5 - 8062cbccb2895fb9215b3423cdefa396 -
• URL - http://boot.ncook.net/bbs/data/boot1.gif -
• FileHash-MD5 - c7fee0e094ee43f22882fb141c089cea -
• FileHash-MD5 - d200f9a9d2b7a44d20c31edb4384e62f -
• FileHash-MD5 - e07b5de475bbd11aab0719f9b5ba5654 -
• FileHash-MD5 - c8daf9821ebc4f1923d6ddb5477a8bbd -
• FileHash-MD5 - cc7af071098d3c00fdd725457ab00b65 -
• FileHash-MD5 - a28fe3387ea5352b8c26de6b56ec88f0 -
• FileHash-MD5 - 6ac4db5dcb874da2f61550dc950d08ff -
• FileHash-MD5 - 2b081914293f415e6c8bc9c2172f7e2a -
• FileHash-MD5 - eb3fbfc79a37441590d9509b085aaaca -
• FileHash-MD5 - 755351395aa920bc212dbf1d990809ab -
• FileHash-MD5 - 11e461ed6250b50afb70fbee93320131 -
• URL - http://www.btdot.com/bbs/data/boot1.gif -
• FileHash-MD5 - 2c85404fe7d1891fd41fcee4c92ad305 -
• FileHash-MD5 - acc4d57a98256dfaa5e2b7792948aaae -
• FileHash-MD5 - d0cb0eb5588eb3b14c9b9a3fa7551c28 -
• URL - http://www.funzone.co.kr/bbs/data/boot1.gif -
• FileHash-MD5 - 6ae7a087ef4185296c377b4eadf956a4 -
• FileHash-MD5 - 3ad35274cf09a24c4ec44d547f1673e7 -
• FileHash-MD5 - b10908408b153ce9fb34c2f0164b6a85 -
• FileHash-MD5 - ae7f93325ca8b1965502b18059f6e46a -
• URL - http://www.srsr.co.kr/bbs2/data/boot1.gif -

類似Pulses

• Financial Threat Group Targets Volume Boot Record (score: 0.66)
• Backdoor:MSIL/Aataki (score: 0.63)
• HackTool:Win64/AutoKMS (score: 0.62)
• Backdoor:Win32/Bedep (score: 0.62)
• Backdoor:Win32/Bedep (score: 0.62)

このPulseに関連する脅威アクター (事実ベース)

このPulseに関連する脅威アクター (推論ベース)

Related CVEs

このPulseに見つかったCVEはありません。

Pulse – 脅威アクター グラフ

---

← Pulse一覧に戻る