gootkit | 38933984f5ff8b71c054d1c1155e308ac02377b89315ef17cea859178a30dbab

Analysis

max time kernel
61s
max time network
123s
platform
windows10_x64
resource
win10v20201028
submitted
04-02-2021 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e561ae3cedb6f9fc0ecff559c62788b0.exe
Size

293KB
MD5

e561ae3cedb6f9fc0ecff559c62788b0
SHA1

de34eb34e2c489386fb32dd96469e7fdcef617d9
SHA256

38933984f5ff8b71c054d1c1155e308ac02377b89315ef17cea859178a30dbab
SHA512

c3abd85394b75b05b2bb7c53c28e3d1309226294c16594e6704e009f49353c45de4fcf632222f55529916181ce545485d6fd26d14eecb3db91b625ba9730d757

Score

10^/10

gootkit 8888 banker botnet ransomware trojan

Malware Config

Extracted

Family

gootkit

Botnet

8888

sslsecurehost.com

securessl256.com

Attributes

vendor_id
8888

Signatures

Gootkit
Gootkit is a banking trojan, where large parts are written in node.JS.
trojan banker botnet gootkit
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4172 set thread context of 3284	4172	e561ae3cedb6f9fc0ecff559c62788b0.exe	79

Suspicious behavior: EnumeratesProcesses 90 IoCs

pid	Process
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe
3836	mstsc.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3284	e561ae3cedb6f9fc0ecff559c62788b0.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4684 wrote to memory of 4172	4684	e561ae3cedb6f9fc0ecff559c62788b0.exe	78
PID 4684 wrote to memory of 4172	4684	e561ae3cedb6f9fc0ecff559c62788b0.exe	78
PID 4684 wrote to memory of 4172	4684	e561ae3cedb6f9fc0ecff559c62788b0.exe	78
PID 4172 wrote to memory of 3284	4172	e561ae3cedb6f9fc0ecff559c62788b0.exe	79
PID 4172 wrote to memory of 3284	4172	e561ae3cedb6f9fc0ecff559c62788b0.exe	79
PID 4172 wrote to memory of 3284	4172	e561ae3cedb6f9fc0ecff559c62788b0.exe	79
PID 4172 wrote to memory of 3284	4172	e561ae3cedb6f9fc0ecff559c62788b0.exe	79
PID 4172 wrote to memory of 3284	4172	e561ae3cedb6f9fc0ecff559c62788b0.exe	79
PID 4172 wrote to memory of 3284	4172	e561ae3cedb6f9fc0ecff559c62788b0.exe	79
PID 4172 wrote to memory of 3284	4172	e561ae3cedb6f9fc0ecff559c62788b0.exe	79
PID 4172 wrote to memory of 3284	4172	e561ae3cedb6f9fc0ecff559c62788b0.exe	79
PID 4172 wrote to memory of 3284	4172	e561ae3cedb6f9fc0ecff559c62788b0.exe	79
PID 3284 wrote to memory of 3836	3284	e561ae3cedb6f9fc0ecff559c62788b0.exe	80
PID 3284 wrote to memory of 3836	3284	e561ae3cedb6f9fc0ecff559c62788b0.exe	80
PID 3284 wrote to memory of 3836	3284	e561ae3cedb6f9fc0ecff559c62788b0.exe	80
PID 3284 wrote to memory of 3836	3284	e561ae3cedb6f9fc0ecff559c62788b0.exe	80
PID 3284 wrote to memory of 3836	3284	e561ae3cedb6f9fc0ecff559c62788b0.exe	80
PID 3284 wrote to memory of 3836	3284	e561ae3cedb6f9fc0ecff559c62788b0.exe	80
PID 3284 wrote to memory of 3836	3284	e561ae3cedb6f9fc0ecff559c62788b0.exe	80
PID 3284 wrote to memory of 3836	3284	e561ae3cedb6f9fc0ecff559c62788b0.exe	80
PID 3836 wrote to memory of 3568	3836	mstsc.exe	81
PID 3836 wrote to memory of 3568	3836	mstsc.exe	81
PID 3836 wrote to memory of 3568	3836	mstsc.exe	81
PID 3568 wrote to memory of 4056	3568	cmd.exe	83
PID 3568 wrote to memory of 4056	3568	cmd.exe	83
PID 3568 wrote to memory of 4056	3568	cmd.exe	83

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4056	attrib.exe

C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe
"C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4684
- C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe
  "C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe" -l
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4172
- - C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe
    C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe
    3⤵
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3284
  - - C:\Windows\SysWOW64\mstsc.exe
      C:\Windows\System32\mstsc.exe "C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3836
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\259276781.bat" "C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe""
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3568
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe"
        6⤵
        Views/modifies file attributes
        
        PID:4056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3284-3-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3284-4-0x000000000040EA92-mapping.dmp

Download
memory/3284-6-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3568-8-0x0000000000000000-mapping.dmp

Download
memory/3836-5-0x0000000000000000-mapping.dmp

Download
memory/3836-7-0x0000000002E70000-0x0000000002E90000-memory.dmp

Filesize
128KB

Download
memory/4056-10-0x0000000000000000-mapping.dmp

Download
memory/4172-2-0x0000000000000000-mapping.dmp

Download