e561ae3cedb6f9fc0ecff559c62788b0

General

Target: e561ae3cedb6f9fc0ecff559c62788b0
Size: 293KB
Sample: 210204-5d3bbhwkds
Score: 10/10
MD5: e561ae3cedb6f9fc0ecff559c62788b0
SHA1: de34eb34e2c489386fb32dd96469e7fdcef617d9
SHA256: 38933984f5ff8b71c054d1c1155e308ac02377b89315ef17cea859178a30dbab
SHA512: c3abd85394b75b05b2bb7c53c28e3d1309226294c16594e6704e009f49353c45de4fcf632222f55529916181ce545485d6fd26d14eecb3db91b625ba9730d757

Malware Config

Extracted

Family: gootkit
Botnet: 8888
C2:
  sslsecurehost.com
  securessl256.com
Attributes:
  vendor_id: 8888
Signatures

  • Gootkit
    Description: Gootkit is a banking trojan, large parts of which are written in Node.js.

  • Deletes itself

  • Enumerates physical storage devices
    Description: Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
    TTPs: System Information Discovery

  • Suspicious use of SetThreadContext
