gootkit | 38933984f5ff8b71c054d1c1155e308ac02377b89315ef17cea859178a30dbab

Analysis

max time kernel
36s
max time network
8s
platform
windows7_x64
resource
win7v20201028
submitted
04-02-2021 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e561ae3cedb6f9fc0ecff559c62788b0.exe
Size

293KB
MD5

e561ae3cedb6f9fc0ecff559c62788b0
SHA1

de34eb34e2c489386fb32dd96469e7fdcef617d9
SHA256

38933984f5ff8b71c054d1c1155e308ac02377b89315ef17cea859178a30dbab
SHA512

c3abd85394b75b05b2bb7c53c28e3d1309226294c16594e6704e009f49353c45de4fcf632222f55529916181ce545485d6fd26d14eecb3db91b625ba9730d757

Score

10^/10

gootkit 8888 banker botnet ransomware trojan

Malware Config

Extracted

Family

gootkit

Botnet

8888

sslsecurehost.com

securessl256.com

Attributes

vendor_id
8888

Signatures

Gootkit
Gootkit is a banking trojan, where large parts are written in node.JS.
trojan banker botnet gootkit

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
1808	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

Suspicious use of SetThreadContext 1 IoCs

Processes:

e561ae3cedb6f9fc0ecff559c62788b0.exe

description	pid	Process	procid_target
PID 240 set thread context of 1668	240	e561ae3cedb6f9fc0ecff559c62788b0.exe	30

Suspicious behavior: EnumeratesProcesses 90 IoCs

Processes:

mstsc.exe

pid	Process
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe
1544	mstsc.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

e561ae3cedb6f9fc0ecff559c62788b0.exe

pid	Process
1668	e561ae3cedb6f9fc0ecff559c62788b0.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

e561ae3cedb6f9fc0ecff559c62788b0.exee561ae3cedb6f9fc0ecff559c62788b0.exee561ae3cedb6f9fc0ecff559c62788b0.exemstsc.execmd.exe

description	pid	Process	procid_target
PID 1056 wrote to memory of 240	1056	e561ae3cedb6f9fc0ecff559c62788b0.exe	29
PID 1056 wrote to memory of 240	1056	e561ae3cedb6f9fc0ecff559c62788b0.exe	29
PID 1056 wrote to memory of 240	1056	e561ae3cedb6f9fc0ecff559c62788b0.exe	29
PID 1056 wrote to memory of 240	1056	e561ae3cedb6f9fc0ecff559c62788b0.exe	29
PID 240 wrote to memory of 1668	240	e561ae3cedb6f9fc0ecff559c62788b0.exe	30
PID 240 wrote to memory of 1668	240	e561ae3cedb6f9fc0ecff559c62788b0.exe	30
PID 240 wrote to memory of 1668	240	e561ae3cedb6f9fc0ecff559c62788b0.exe	30
PID 240 wrote to memory of 1668	240	e561ae3cedb6f9fc0ecff559c62788b0.exe	30
PID 240 wrote to memory of 1668	240	e561ae3cedb6f9fc0ecff559c62788b0.exe	30
PID 240 wrote to memory of 1668	240	e561ae3cedb6f9fc0ecff559c62788b0.exe	30
PID 240 wrote to memory of 1668	240	e561ae3cedb6f9fc0ecff559c62788b0.exe	30
PID 240 wrote to memory of 1668	240	e561ae3cedb6f9fc0ecff559c62788b0.exe	30
PID 240 wrote to memory of 1668	240	e561ae3cedb6f9fc0ecff559c62788b0.exe	30
PID 240 wrote to memory of 1668	240	e561ae3cedb6f9fc0ecff559c62788b0.exe	30
PID 1668 wrote to memory of 1544	1668	e561ae3cedb6f9fc0ecff559c62788b0.exe	31
PID 1668 wrote to memory of 1544	1668	e561ae3cedb6f9fc0ecff559c62788b0.exe	31
PID 1668 wrote to memory of 1544	1668	e561ae3cedb6f9fc0ecff559c62788b0.exe	31
PID 1668 wrote to memory of 1544	1668	e561ae3cedb6f9fc0ecff559c62788b0.exe	31
PID 1668 wrote to memory of 1544	1668	e561ae3cedb6f9fc0ecff559c62788b0.exe	31
PID 1668 wrote to memory of 1544	1668	e561ae3cedb6f9fc0ecff559c62788b0.exe	31
PID 1668 wrote to memory of 1544	1668	e561ae3cedb6f9fc0ecff559c62788b0.exe	31
PID 1668 wrote to memory of 1544	1668	e561ae3cedb6f9fc0ecff559c62788b0.exe	31
PID 1668 wrote to memory of 1544	1668	e561ae3cedb6f9fc0ecff559c62788b0.exe	31
PID 1544 wrote to memory of 1808	1544	mstsc.exe	32
PID 1544 wrote to memory of 1808	1544	mstsc.exe	32
PID 1544 wrote to memory of 1808	1544	mstsc.exe	32
PID 1544 wrote to memory of 1808	1544	mstsc.exe	32
PID 1808 wrote to memory of 756	1808	cmd.exe	34
PID 1808 wrote to memory of 756	1808	cmd.exe	34
PID 1808 wrote to memory of 756	1808	cmd.exe	34
PID 1808 wrote to memory of 756	1808	cmd.exe	34

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Processes:

attrib.exe

pid	Process
756	attrib.exe

C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe
"C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe
  "C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe" -l
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:240
- - C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe
    C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe
    3⤵
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Windows\SysWOW64\mstsc.exe
      C:\Windows\System32\mstsc.exe "C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1544
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\259306780.bat" "C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe""
        5⤵
        Deletes itself
        Suspicious use of WriteProcessMemory
        
        PID:1808
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe"
        6⤵
        Views/modifies file attributes
        
        PID:756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259306780.bat

MD5
18395be7e83808321db4e63bc466335b

SHA1
b0f2e12e68ff777c45060971ad024e445c997627

SHA256
d2e8d0a3df2ff516601a73003c53d1076f7d5849526920f624512674dfcaae15

SHA512
0cc05fb7f6c87a1f8b6850e7bc2a37e5dfc2ad71ef3803ebf52fd83f899da346f228d79bca172887600fb1ae0f0e336a97d1a5e15abe7a3576f50d399ceb9981

Download Submit
memory/240-3-0x0000000000000000-mapping.dmp

Download
memory/756-12-0x0000000000000000-mapping.dmp

Download
memory/1056-2-0x0000000075A61000-0x0000000075A63000-memory.dmp

Filesize
8KB

Download
memory/1544-8-0x0000000000000000-mapping.dmp

Download
memory/1544-14-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/1668-6-0x000000000040EA92-mapping.dmp

Download
memory/1668-5-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1668-13-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1808-10-0x0000000000000000-mapping.dmp

Download