Overview

overview

10

Static

static

a3c243afce...df.exe

windows7_x64

10

a3c243afce...df.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    137s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    19-02-2022 21:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a3c243afceb1fb38f25ae81816891d7d7c11ae76e80a43f31d2ceb9833f2f3df.exe

  • Size

    619KB

  • MD5

    a4a24a3daed6b4673884187b131c968b

  • SHA1

    b20661090b7305239d75209bac8d2179f648dcaa

  • SHA256

    a3c243afceb1fb38f25ae81816891d7d7c11ae76e80a43f31d2ceb9833f2f3df

  • SHA512

    3f49b3876921b41483b907066c9f1f6a61d3fe759219c2db8cb048473b94ba52ab064fcc7c4615da2e1b8056dedc93bf22ed865ff4df442e5ba5c43b1c6082dc

Score
10/10
gootkit260319bankerbotnettrojan

Malware Config

Extracted

Family

gootkit

Botnet

260319

C2

sillikogermin.com

feferturietan.com

manjuorlidnqo.com

chechelderpos.com

kalamindridro.com
Attributes
  • vendor_id

    260319

Signatures

  • Gootkit

    Gootkit is a banking trojan, where large parts are written in node.JS.

    trojanbankerbotnetgootkit
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\a3c243afceb1fb38f25ae81816891d7d7c11ae76e80a43f31d2ceb9833f2f3df.exe
    "C:\Users\Admin\AppData\Local\Temp\a3c243afceb1fb38f25ae81816891d7d7c11ae76e80a43f31d2ceb9833f2f3df.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4728
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\30257187.bat" "C:\Users\Admin\AppData\Local\Temp\a3c243afceb1fb38f25ae81816891d7d7c11ae76e80a43f31d2ceb9833f2f3df.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3084
      • C:\Windows\SysWOW64\attrib.exe
        attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\a3c243afceb1fb38f25ae81816891d7d7c11ae76e80a43f31d2ceb9833f2f3df.exe"
        3⤵
        • Views/modifies file attributes
        PID:3744
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1076

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\30257187.bat
    MD5

    21c397d45a75dd3ce1ddb94cf5b63a7f

    SHA1

    ec3de1bbb4e47e0b9cafec64f38a0b392d7f62e3

    SHA256

    9dc219091717908c6f637b9869ce4bd186728ad2fd084f2388256689bfebe64a

    SHA512

    b253a8c259ff73958ca7339207431e73bcadda99afff17f85e720fd6c71e6b82c744d5e34c13d0616bea1889b5d3e6d2249038a2f92f5ddddffe4dd2e9ab31e1

    Download Submit

  • memory/1076-131-0x000002D38A720000-0x000002D38A730000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1076-130-0x000002D38A190000-0x000002D38A1A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1076-132-0x000002D38CE10000-0x000002D38CE14000-memory.dmp

    Filesize

    16KB

    Download

  • memory/4728-134-0x0000000000E20000-0x0000000000E21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4728-133-0x0000000000143000-0x0000000000148000-memory.dmp

    Filesize

    20KB

    Download

  • memory/4728-135-0x00000000000D0000-0x00000000000FC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/4728-136-0x00000000000D0000-0x000000000017E000-memory.dmp

    Filesize

    696KB

    Download