8750b245-af35-4bc6-9af3-dc858f9db64f

blacklotus_driver.sys :inline :inline

Description

The first in-the-wild UEFI bootkit bypassing UEFI Secure Boot on fully updated UEFI systems is now a reality. Once the persistence is configured, the BlackLotus bootkit is executed on every system start. The bootkits goal is to deploy a kernel driver and a final user-mode component.

  • UUID: 8750b245-af35-4bc6-9af3-dc858f9db64f
  • Created: 2023-04-05
  • Author: Michael Haag
  • Acknowledgement: Martin Smolár, ESET |

DownloadBlock

This download link contains the malicious driver!

Commands

sc.exe create blacklotus_driver.sys binPath=C:\windows\temp\blacklotus_driver.sys type=kernel && sc.exe start blacklotus_driver.sys
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/

    • Known Vulnerable Samples

    PropertyValue
    Filename0x3440_blacklotus_v2_driver.sys
    Creation Timestamp2022-10-10 13:11:06
    MD54ad8fd9e83d7200bd7f8d0d4a9abfb11
    SHA117fa047c1f979b180644906fe9265f21af5b0509
    SHA256749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c
    Authentihash MD5f5742f4fb216979627236a799f614c43
    Authentihash SHA15aba7fa2330d68a679c18cfa2c652ac8b3b4770d
    Authentihash SHA25683ac9bf01c2d2ab0f66782fade462864f42b86e53dc455e1441c2a16d0ec2847
    RichPEHeaderHash MD5ffdf660eb1ebf020a1d0a55a90712dfb
    RichPEHeaderHash SHA13e905e3d061d0d59de61fcf39c994fcb0ec1bab3
    RichPEHeaderHash SHA2562b3f99a94b7a7132854be769e27b331419c53989ef42f686d6f5ba09ddefefd6

    Download

    Imports

    Expand

    Imported Functions

    Expand

    Exported Functions

    Expand
    • restore

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • .00cfg
    • .edata
    • .reloc

    Signature

    Expand
    PropertyValue
    Filename0x3040_blacklotus_beta_driver.sys
    Creation Timestamp2022-08-21 14:40:09
    MD5a42249a046182aaaf3a7a7db98bfa69d
    SHA11f3799fed3cf43254fe30dcdfdb8dc02d82e662b
    SHA256f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae
    Authentihash MD5188d812252f224a8ea618f8e9f1fdadb
    Authentihash SHA1ede3868d6bb27bee5c0b9a71fef486e405d59816
    Authentihash SHA256265010deb10af80885726edc450867fa69acbde449b51d13bf891322ff5c1c2d
    RichPEHeaderHash MD5be07bc61b7ccf659c7b3dde871f25be9
    RichPEHeaderHash SHA1393952208c038e8e3d3298276d21539496e34b13
    RichPEHeaderHash SHA256c361d85cea6b483b3c88e99d1a0139069e7b2e6a4382e3c14563027e6712db20

    Download

    Imports

    Expand

    Imported Functions

    Expand

    Exported Functions

    Expand
    • restore

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • .00cfg
    • .edata
    • .reloc

    Signature

    Expand
    PropertyValue
    Filename0x3040_blacklotus_beta_driver.sys
    Creation Timestamp2022-08-21 14:40:09
    MD5a42249a046182aaaf3a7a7db98bfa69d
    SHA11f3799fed3cf43254fe30dcdfdb8dc02d82e662b
    SHA256f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae
    Authentihash MD5188d812252f224a8ea618f8e9f1fdadb
    Authentihash SHA1ede3868d6bb27bee5c0b9a71fef486e405d59816
    Authentihash SHA256265010deb10af80885726edc450867fa69acbde449b51d13bf891322ff5c1c2d
    RichPEHeaderHash MD5be07bc61b7ccf659c7b3dde871f25be9
    RichPEHeaderHash SHA1393952208c038e8e3d3298276d21539496e34b13
    RichPEHeaderHash SHA256c361d85cea6b483b3c88e99d1a0139069e7b2e6a4382e3c14563027e6712db20

    Download

    Imports

    Expand

    Imported Functions

    Expand

    Exported Functions

    Expand
    • restore

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • .00cfg
    • .edata
    • .reloc

    Signature

    Expand
    PropertyValue
    Filenameblacklotus_beta_driver.sys
    Creation Timestamp
    MD5
    SHA14B882748FAF2C6C360884C6812DD5BCBCE75EBFF
    SHA256

    Imports

    Expand

    Imported Functions

    Expand

    Exported Functions

    Expand

    Sections

    Expand

    Signature

    Expand
    PropertyValue
    Filenameblacklotus_beta_driver_2.sys
    Creation Timestamp
    MD5
    SHA191F832F46E4C38ECC9335460D46F6F71352CFFED
    SHA256

    Imports

    Expand

    Imported Functions

    Expand

    Exported Functions

    Expand

    Sections

    Expand

    Signature

    Expand
    PropertyValue
    Filenameblacklotus_beta_driver_3.sys
    Creation Timestamp
    MD5
    SHA1994DC79255AEB662A672A1814280DE73D405617A
    SHA256

    Imports

    Expand

    Imported Functions

    Expand

    Exported Functions

    Expand

    Sections

    Expand

    Signature

    Expand
    PropertyValue
    Filenameblacklotus_beta_driver_4.sys
    Creation Timestamp
    MD5
    SHA1FFF4F28287677CAABC60C8AB36786C370226588D
    SHA256

    Imports

    Expand

    Imported Functions

    Expand

    Exported Functions

    Expand

    Sections

    Expand

    Signature

    Expand

    source

    last_updated: 2024-09-26