gootkit | 38933984f5ff8b71c054d1c1155e308ac02377b89315ef17cea859178a30dbab

Analysis

max time kernel
36s
max time network
8s
platform
windows7_x64
resource
win7v20201028
submitted
04/02/2021, 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e561ae3cedb6f9fc0ecff559c62788b0.exe
Size

293KB
MD5

e561ae3cedb6f9fc0ecff559c62788b0
SHA1

de34eb34e2c489386fb32dd96469e7fdcef617d9
SHA256

38933984f5ff8b71c054d1c1155e308ac02377b89315ef17cea859178a30dbab
SHA512

c3abd85394b75b05b2bb7c53c28e3d1309226294c16594e6704e009f49353c45de4fcf632222f55529916181ce545485d6fd26d14eecb3db91b625ba9730d757

Score

10^/10

gootkit 8888 banker botnet ransomware trojan

Malware Config

Extracted

Family

gootkit

Botnet

8888

sslsecurehost.com

securessl256.com

Attributes

vendor_id
8888

Signatures

Gootkit
Gootkit is a banking trojan, where large parts are written in node.JS.
trojan banker botnet gootkit

Deletes itself 1 IoCs

pid	Process
1808	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 240 set thread context of 1668	240	e561ae3cedb6f9fc0ecff559c62788b0.exe	30

Suspicious behavior: EnumeratesProcesses 90 IoCs

pid	Process
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1668	e561ae3cedb6f9fc0ecff559c62788b0.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 240	1056	e561ae3cedb6f9fc0ecff559c62788b0.exe	29
PID 1056 wrote to memory of 240	1056	e561ae3cedb6f9fc0ecff559c62788b0.exe	29
PID 1056 wrote to memory of 240	1056	e561ae3cedb6f9fc0ecff559c62788b0.exe	29
PID 1056 wrote to memory of 240	1056	e561ae3cedb6f9fc0ecff559c62788b0.exe	29
PID 240 wrote to memory of 1668	240	e561ae3cedb6f9fc0ecff559c62788b0.exe	30
PID 240 wrote to memory of 1668	240	e561ae3cedb6f9fc0ecff559c62788b0.exe	30
PID 240 wrote to memory of 1668	240	e561ae3cedb6f9fc0ecff559c62788b0.exe	30
PID 240 wrote to memory of 1668	240	e561ae3cedb6f9fc0ecff559c62788b0.exe	30
PID 240 wrote to memory of 1668	240	e561ae3cedb6f9fc0ecff559c62788b0.exe	30
PID 240 wrote to memory of 1668	240	e561ae3cedb6f9fc0ecff559c62788b0.exe	30
PID 240 wrote to memory of 1668	240	e561ae3cedb6f9fc0ecff559c62788b0.exe	30
PID 240 wrote to memory of 1668	240	e561ae3cedb6f9fc0ecff559c62788b0.exe	30
PID 240 wrote to memory of 1668	240	e561ae3cedb6f9fc0ecff559c62788b0.exe	30
PID 240 wrote to memory of 1668	240	e561ae3cedb6f9fc0ecff559c62788b0.exe	30
PID 1668 wrote to memory of 1544	1668	e561ae3cedb6f9fc0ecff559c62788b0.exe	31
PID 1668 wrote to memory of 1544	1668	e561ae3cedb6f9fc0ecff559c62788b0.exe	31
PID 1668 wrote to memory of 1544	1668	e561ae3cedb6f9fc0ecff559c62788b0.exe	31
PID 1668 wrote to memory of 1544	1668	e561ae3cedb6f9fc0ecff559c62788b0.exe	31
PID 1668 wrote to memory of 1544	1668	e561ae3cedb6f9fc0ecff559c62788b0.exe	31
PID 1668 wrote to memory of 1544	1668	e561ae3cedb6f9fc0ecff559c62788b0.exe	31
PID 1668 wrote to memory of 1544	1668	e561ae3cedb6f9fc0ecff559c62788b0.exe	31
PID 1668 wrote to memory of 1544	1668	e561ae3cedb6f9fc0ecff559c62788b0.exe	31
PID 1668 wrote to memory of 1544	1668	e561ae3cedb6f9fc0ecff559c62788b0.exe	31
PID 1544 wrote to memory of 1808	1544	mstsc.exe	32
PID 1544 wrote to memory of 1808	1544	mstsc.exe	32
PID 1544 wrote to memory of 1808	1544	mstsc.exe	32
PID 1544 wrote to memory of 1808	1544	mstsc.exe	32
PID 1808 wrote to memory of 756	1808	cmd.exe	34
PID 1808 wrote to memory of 756	1808	cmd.exe	34
PID 1808 wrote to memory of 756	1808	cmd.exe	34
PID 1808 wrote to memory of 756	1808	cmd.exe	34

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
756	attrib.exe

C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe
"C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe
  "C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe" -l
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:240
- - C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe
    C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe
    3⤵
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Windows\SysWOW64\mstsc.exe
      C:\Windows\System32\mstsc.exe "C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1544
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\259306780.bat" "C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe""
        5⤵
        Deletes itself
        Suspicious use of WriteProcessMemory
        
        PID:1808
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe"
        6⤵
        Views/modifies file attributes
        
        PID:756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1056-2-0x0000000075A61000-0x0000000075A63000-memory.dmp

Filesize
8KB

Download
memory/1544-14-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/1668-5-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1668-13-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download