gootkit | 5766bffa91f87cd08582fac05209c5d8d9356ad88e15499038dc624c0ccbc468

General

Target

5766bffa91f87cd08582fac05209c5d8d9356ad88e15499038dc624c0ccbc468.exe
Size

286KB
MD5

350c0b08ec0452a070bbed6fc730b17c
SHA1

15d23e2d535bf6540491fdaae6ef8d617ec47930
SHA256

5766bffa91f87cd08582fac05209c5d8d9356ad88e15499038dc624c0ccbc468
SHA512

725cd3062b4aa68eb93a7bc1a3f7318f84cf003a296e2bfe11b884579ea8a0f6e25d86821fce3c4c40ae0e5fb67ab167aafafb65e9d7451c9923327eb9123a3c

Score

10^/10

gootkit 6546 banker botnet trojan

Malware Config

Extracted

Family

gootkit

Botnet

6546

C2

servicemanager.icu

partnerservice.xyz

Attributes

vendor_id
6546

Signatures

Gootkit
Gootkit is a banking trojan, where large parts are written in node.JS.
trojan banker botnet gootkit

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5766bffa91f87cd08582fac05209c5d8d9356ad88e15499038dc624c0ccbc468.exe

Deletes itself 1 IoCs

pid	Process
1492	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 1492	1188	5766bffa91f87cd08582fac05209c5d8d9356ad88e15499038dc624c0ccbc468.exe	27
PID 1188 wrote to memory of 1492	1188	5766bffa91f87cd08582fac05209c5d8d9356ad88e15499038dc624c0ccbc468.exe	27
PID 1188 wrote to memory of 1492	1188	5766bffa91f87cd08582fac05209c5d8d9356ad88e15499038dc624c0ccbc468.exe	27
PID 1188 wrote to memory of 1492	1188	5766bffa91f87cd08582fac05209c5d8d9356ad88e15499038dc624c0ccbc468.exe	27
PID 1492 wrote to memory of 752	1492	cmd.exe	29
PID 1492 wrote to memory of 752	1492	cmd.exe	29
PID 1492 wrote to memory of 752	1492	cmd.exe	29
PID 1492 wrote to memory of 752	1492	cmd.exe	29

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
752	attrib.exe

C:\Users\Admin\AppData\Local\Temp\5766bffa91f87cd08582fac05209c5d8d9356ad88e15499038dc624c0ccbc468.exe
"C:\Users\Admin\AppData\Local\Temp\5766bffa91f87cd08582fac05209c5d8d9356ad88e15499038dc624c0ccbc468.exe"
1⤵
- Checks BIOS information in registry
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\259377854.bat" "C:\Users\Admin\AppData\Local\Temp\5766bffa91f87cd08582fac05209c5d8d9356ad88e15499038dc624c0ccbc468.exe""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\5766bffa91f87cd08582fac05209c5d8d9356ad88e15499038dc624c0ccbc468.exe"
    3⤵
    - Views/modifies file attributes
    PID:752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1188-55-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/1188-56-0x0000000074EC1000-0x0000000074EC3000-memory.dmp

Filesize
8KB

Download
memory/1188-57-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads