{
  "name": "Guntior - the story of an advanced bootkit that doesn't rely on Windows disk drivers",
  "slug": "guntior-the-story-of-an-advanced-bootkit-that-doesnt-rely-on-windows-disk-drivers",
  "description": "Amid the rise of bootkits at the time, a dropper was captured in the wild and posted on a malware tracker. The malware was called \"Guntior\", named after the device object its authors had chosen for it (\\Device\\Guntior). The name also appears in AV detections.",
  "published": "2024-05-08T11:32:21+00:00",
  "created_at": "2024-05-08T11:32:21+00:00",
  "modified_at": "2024-05-08T15:29:48+00:00",
  "created_at_opencti": "2024-05-08T11:32:21+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-05-03",
    "2024-05-04",
    "2024-05-05",
    "2024-05-06",
    "2024-05-07",
    "2024-05-08",
    "ata bus",
    "dll path",
    "explorer",
    "findwindow",
    "guntior",
    "ime file",
    "ioctl",
    "mbr",
    "mebroot",
    "ntfs",
    "payload dll",
    "rootkit",
    "rovnix",
    "tdl4",
    "tidserv",
    "windows"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "183.60.132.220"
      },
      {
        "id": "",
        "name": "eddbe87f2009cb3199def0845ccf01d0397c126aca6f55e2a9516616825cebb1"
      },
      {
        "id": "",
        "name": "e49ad00deda88a198f2728a3d276f0b55f892d3088bc861538a005e443d81a92"
      },
      {
        "id": "",
        "name": "b32cf71e325ceaa8982e6ebed33f95894f2591397e08404368fbaa6dce1095e3"
      },
      {
        "id": "",
        "name": "8eb365237e4cfe478b228d276598ff58c0b133fbcd374024b5903137cf196a3d"
      },
      {
        "id": "",
        "name": "4fdc39276228cab7ef1ef26a084e920760fdaacd78b29e776f09da0a95ae39b0"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:fead10afacad4ab2",
        "name": "Guntior",
        "slug": "guntior"
      }
    ],
    "attack_patterns": [
      {
        "id": "48d06e69-cd8d-432d-9840-7e24f0c1e794",
        "name": "T1561"
      },
      {
        "id": "41af8283-2fa5-469e-9c29-e8ad77b4f224",
        "name": "T1014"
      },
      {
        "id": "6e4e21cc-92cf-4564-920e-d509bd22fd40",
        "name": "T1574"
      },
      {
        "id": "926a888c-190c-4efb-ab6b-f9d7e6a0fc54",
        "name": "T1547"
      },
      {
        "id": "af9ed2e3-4663-4723-beab-c606ddc312e0",
        "name": "T1543"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "0b2b1ecd-d52e-492a-af08-050954bc03e5",
        "name": "T1056"
      },
      {
        "id": "fcd96dc0-500e-4354-bd97-5c65718a9004",
        "name": "T1562"
      }
    ]
  },
  "external_refs": [
    "https://artemonsecurity.blogspot.com/",
    "https://otx.alienvault.com/pulse/663b7ee697d3654bee3cbf0e"
  ]
}