Overview

overview

10

Static

static

d5ba0f1c01...29.exe

windows7_x64

10

d5ba0f1c01...29.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    122s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    19-02-2022 21:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d5ba0f1c01cf12f57cca93996d2f87191c9420afbbd116d3757060d780338d29.exe

  • Size

    285KB

  • MD5

    c25b6469a89826074b513d45b76c4c6a

  • SHA1

    cd13f2ee1af78f3f48edb595fc90358415e5ebe1

  • SHA256

    d5ba0f1c01cf12f57cca93996d2f87191c9420afbbd116d3757060d780338d29

  • SHA512

    a9314292c946ad2c63165f241ab4bc3dbb5626b14b7fb5d6606dbf8d789040a50e7eb5777721568fbc32bed4d0a4e815dd423096a92026c319d4d96dcc3fc5f7

Score
10/10
gootkit6546bankerbotnettrojan

Malware Config

Extracted

Family

gootkit

Botnet

6546

C2

servicemanager.icu

partnerservice.xyz
Attributes
  • vendor_id

    6546

Signatures

  • Gootkit

    Gootkit is a banking trojan, where large parts are written in node.JS.

    trojanbankerbotnetgootkit
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\d5ba0f1c01cf12f57cca93996d2f87191c9420afbbd116d3757060d780338d29.exe
    "C:\Users\Admin\AppData\Local\Temp\d5ba0f1c01cf12f57cca93996d2f87191c9420afbbd116d3757060d780338d29.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:548
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\30226078.bat" "C:\Users\Admin\AppData\Local\Temp\d5ba0f1c01cf12f57cca93996d2f87191c9420afbbd116d3757060d780338d29.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2368
      • C:\Windows\SysWOW64\attrib.exe
        attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\d5ba0f1c01cf12f57cca93996d2f87191c9420afbbd116d3757060d780338d29.exe"
        3⤵
        • Views/modifies file attributes
        PID:2700
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:4536

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\30226078.bat
    MD5

    5af0c80a702c8f14ec00aeec6c19111b

    SHA1

    c9bfe8e3bf4bf7eca9e586243b202cdc4bc1d5a9

    SHA256

    2be0c9aa28da142b6a8a10275350a0b610254063f5f99bc558bafdec26874f7c

    SHA512

    be1d8510c4fc1b775cc6d05d0db28afea9250ecc56f2fc31925184134c2e52af2cdcd8e85bce3103f1475731a664af100287a877816863af7ca3601decfc2c0f

    Download Submit

  • memory/548-130-0x0000000000480000-0x0000000000483000-memory.dmp

    Filesize

    12KB

    Download

  • memory/548-131-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/4536-133-0x0000022C81DA0000-0x0000022C81DB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4536-134-0x0000022C82320000-0x0000022C82330000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4536-135-0x0000022C84A20000-0x0000022C84A24000-memory.dmp

    Filesize

    16KB

    Download