gootkit | 5eb9121d5de5ab6ee44a89c29622c49fae4f5d1c7178929964b3adaa5d8623e0

Analysis

max time kernel
22s
max time network
134s
platform
windows10_x64
resource
win10-en
submitted
07-09-2021 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5eb9121d5de5ab6ee44a89c29622c49fae4f5d1c7178929964b3adaa5d8623e0.exe
Size

229KB
MD5

3de1f88ca994482e852010ef0efb333e
SHA1

52bdc92f01baa2c62e18d40af7a58121ec0dfa28
SHA256

5eb9121d5de5ab6ee44a89c29622c49fae4f5d1c7178929964b3adaa5d8623e0
SHA512

4459cb7581d3c6b0ce159ade11827dc1ed793141f1744ae8cecd78504842c74da36eb99fbf53ab2863773c7b07803ead542c1981c813b2b2b6ac4eaf08c1314c

Score

10^/10

gootkit 4444 banker botnet trojan

Malware Config

Extracted

Family

gootkit

Botnet

4444

secure256bit.at

secure2048.at

Attributes

vendor_id
4444

Signatures

Gootkit
Gootkit is a banking trojan, where large parts are written in node.JS.
trojan banker botnet gootkit

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4528 set thread context of 4252	4528	5eb9121d5de5ab6ee44a89c29622c49fae4f5d1c7178929964b3adaa5d8623e0.exe	80

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe
4212	mstsc.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4252	5eb9121d5de5ab6ee44a89c29622c49fae4f5d1c7178929964b3adaa5d8623e0.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 4268	4528	5eb9121d5de5ab6ee44a89c29622c49fae4f5d1c7178929964b3adaa5d8623e0.exe	79
PID 4528 wrote to memory of 4268	4528	5eb9121d5de5ab6ee44a89c29622c49fae4f5d1c7178929964b3adaa5d8623e0.exe	79
PID 4528 wrote to memory of 4268	4528	5eb9121d5de5ab6ee44a89c29622c49fae4f5d1c7178929964b3adaa5d8623e0.exe	79
PID 4528 wrote to memory of 4252	4528	5eb9121d5de5ab6ee44a89c29622c49fae4f5d1c7178929964b3adaa5d8623e0.exe	80
PID 4528 wrote to memory of 4252	4528	5eb9121d5de5ab6ee44a89c29622c49fae4f5d1c7178929964b3adaa5d8623e0.exe	80
PID 4528 wrote to memory of 4252	4528	5eb9121d5de5ab6ee44a89c29622c49fae4f5d1c7178929964b3adaa5d8623e0.exe	80
PID 4528 wrote to memory of 4252	4528	5eb9121d5de5ab6ee44a89c29622c49fae4f5d1c7178929964b3adaa5d8623e0.exe	80
PID 4528 wrote to memory of 4252	4528	5eb9121d5de5ab6ee44a89c29622c49fae4f5d1c7178929964b3adaa5d8623e0.exe	80
PID 4528 wrote to memory of 4252	4528	5eb9121d5de5ab6ee44a89c29622c49fae4f5d1c7178929964b3adaa5d8623e0.exe	80
PID 4528 wrote to memory of 4252	4528	5eb9121d5de5ab6ee44a89c29622c49fae4f5d1c7178929964b3adaa5d8623e0.exe	80
PID 4528 wrote to memory of 4252	4528	5eb9121d5de5ab6ee44a89c29622c49fae4f5d1c7178929964b3adaa5d8623e0.exe	80
PID 4528 wrote to memory of 4252	4528	5eb9121d5de5ab6ee44a89c29622c49fae4f5d1c7178929964b3adaa5d8623e0.exe	80
PID 4252 wrote to memory of 4212	4252	5eb9121d5de5ab6ee44a89c29622c49fae4f5d1c7178929964b3adaa5d8623e0.exe	81
PID 4252 wrote to memory of 4212	4252	5eb9121d5de5ab6ee44a89c29622c49fae4f5d1c7178929964b3adaa5d8623e0.exe	81
PID 4252 wrote to memory of 4212	4252	5eb9121d5de5ab6ee44a89c29622c49fae4f5d1c7178929964b3adaa5d8623e0.exe	81
PID 4252 wrote to memory of 4212	4252	5eb9121d5de5ab6ee44a89c29622c49fae4f5d1c7178929964b3adaa5d8623e0.exe	81
PID 4252 wrote to memory of 4212	4252	5eb9121d5de5ab6ee44a89c29622c49fae4f5d1c7178929964b3adaa5d8623e0.exe	81
PID 4252 wrote to memory of 4212	4252	5eb9121d5de5ab6ee44a89c29622c49fae4f5d1c7178929964b3adaa5d8623e0.exe	81
PID 4252 wrote to memory of 4212	4252	5eb9121d5de5ab6ee44a89c29622c49fae4f5d1c7178929964b3adaa5d8623e0.exe	81
PID 4252 wrote to memory of 4212	4252	5eb9121d5de5ab6ee44a89c29622c49fae4f5d1c7178929964b3adaa5d8623e0.exe	81
PID 4212 wrote to memory of 4348	4212	mstsc.exe	82
PID 4212 wrote to memory of 4348	4212	mstsc.exe	82
PID 4212 wrote to memory of 4348	4212	mstsc.exe	82
PID 4348 wrote to memory of 4388	4348	cmd.exe	84
PID 4348 wrote to memory of 4388	4348	cmd.exe	84
PID 4348 wrote to memory of 4388	4348	cmd.exe	84

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4388	attrib.exe

C:\Users\Admin\AppData\Local\Temp\5eb9121d5de5ab6ee44a89c29622c49fae4f5d1c7178929964b3adaa5d8623e0.exe
"C:\Users\Admin\AppData\Local\Temp\5eb9121d5de5ab6ee44a89c29622c49fae4f5d1c7178929964b3adaa5d8623e0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Users\Admin\AppData\Local\Temp\5eb9121d5de5ab6ee44a89c29622c49fae4f5d1c7178929964b3adaa5d8623e0.exe
  C:\Users\Admin\AppData\Local\Temp\5eb9121d5de5ab6ee44a89c29622c49fae4f5d1c7178929964b3adaa5d8623e0.exe
  2⤵
  PID:4268
- C:\Users\Admin\AppData\Local\Temp\5eb9121d5de5ab6ee44a89c29622c49fae4f5d1c7178929964b3adaa5d8623e0.exe
  C:\Users\Admin\AppData\Local\Temp\5eb9121d5de5ab6ee44a89c29622c49fae4f5d1c7178929964b3adaa5d8623e0.exe
  2⤵
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4252
- - C:\Windows\SysWOW64\mstsc.exe
    C:\Windows\System32\mstsc.exe "C:\Users\Admin\AppData\Local\Temp\5eb9121d5de5ab6ee44a89c29622c49fae4f5d1c7178929964b3adaa5d8623e0.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4212
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\259275156.bat" "C:\Users\Admin\AppData\Local\Temp\5eb9121d5de5ab6ee44a89c29622c49fae4f5d1c7178929964b3adaa5d8623e0.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4348
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\5eb9121d5de5ab6ee44a89c29622c49fae4f5d1c7178929964b3adaa5d8623e0.exe"
        5⤵
        Views/modifies file attributes
        
        PID:4388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4212-120-0x00000000031A0000-0x00000000031BF000-memory.dmp

Filesize
124KB

Download
memory/4252-116-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4252-119-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4528-115-0x00000000001D0000-0x00000000001D3000-memory.dmp

Filesize
12KB

Download