gootkit | 38933984f5ff8b71c054d1c1155e308ac02377b89315ef17cea859178a30dbab | Triage

Sharing

General

Target

e561ae3cedb6f9fc0ecff559c62788b0
Size

293KB
Sample

210204-5d3bbhwkds
MD5

e561ae3cedb6f9fc0ecff559c62788b0
SHA1

de34eb34e2c489386fb32dd96469e7fdcef617d9
SHA256

38933984f5ff8b71c054d1c1155e308ac02377b89315ef17cea859178a30dbab
SHA512

c3abd85394b75b05b2bb7c53c28e3d1309226294c16594e6704e009f49353c45de4fcf632222f55529916181ce545485d6fd26d14eecb3db91b625ba9730d757

Score

10^/10

gootkit 8888 banker botnet ransomware trojan

Malware Config

Extracted

Family

gootkit

Botnet

8888

C2

sslsecurehost.com

securessl256.com

Attributes

vendor_id
8888

Targets

- Target
  
  e561ae3cedb6f9fc0ecff559c62788b0
- Size
  
  293KB
- MD5
  
  e561ae3cedb6f9fc0ecff559c62788b0
- SHA1
  
  de34eb34e2c489386fb32dd96469e7fdcef617d9
- SHA256
  
  38933984f5ff8b71c054d1c1155e308ac02377b89315ef17cea859178a30dbab
- SHA512
  
  c3abd85394b75b05b2bb7c53c28e3d1309226294c16594e6704e009f49353c45de4fcf632222f55529916181ce545485d6fd26d14eecb3db91b625ba9730d757
Score

10^/10

gootkit 8888 banker botnet ransomware trojan
- Gootkit
  Gootkit is a banking trojan, where large parts are written in node.JS.
  trojan banker botnet gootkit
- Deletes itself
- Enumerates physical storage devices
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  ransomware
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gootkit8888bankerbotnetransomwaretrojan

behavioral2

gootkit8888bankerbotnetransomwaretrojan