General

  • Target: e561ae3cedb6f9fc0ecff559c62788b0
  • Size: 293KB
  • Sample: 210204-5d3bbhwkds
  • MD5: e561ae3cedb6f9fc0ecff559c62788b0
  • SHA1: de34eb34e2c489386fb32dd96469e7fdcef617d9
  • SHA256: 38933984f5ff8b71c054d1c1155e308ac02377b89315ef17cea859178a30dbab
  • SHA512: c3abd85394b75b05b2bb7c53c28e3d1309226294c16594e6704e009f49353c45de4fcf632222f55529916181ce545485d6fd26d14eecb3db91b625ba9730d757

Malware Config

Extracted

  • Family: gootkit
  • Botnet: 8888
  • C2: sslsecurehost.com, securessl256.com
  • Attributes: vendor_id = 8888

Targets

    • Gootkit

      Gootkit is a banking trojan, large parts of which are written in Node.js.

    • Deletes itself

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tactic columns (no techniques are listed under them in this report): Collection, Command and Control, Credential Access, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation