gootkit | 0ca397cd9b4dd05d04216e1511fcfb820e91383d82f34dc003698f4fc3f11744

General

Target

0ca397cd9b4dd05d04216e1511fcfb820e91383d82f34dc003698f4fc3f11744.exe
Size

268KB
MD5

03f6ec5cca4b5d0eb52775125e770f07
SHA1

782a8fd49bbc5fe7ff3c28508561a400fc22732e
SHA256

0ca397cd9b4dd05d04216e1511fcfb820e91383d82f34dc003698f4fc3f11744
SHA512

21a6896b3f3f2451a29aa3216d0dbb12c00b7f79f02319beaf10d5226f669cbdc3f7623e17da65d82d5320703fb9c17f713793e250d124492491cd9b19815ef8

Score

10^/10

gootkit 410 banker botnet trojan

Malware Config

Extracted

Family

gootkit

Botnet

410

C2

parking.dynophyl.com

parked.dynonortheast.com

trktrk.eu

smeinsurances.co.uk

Attributes

vendor_id
410

Signatures

Gootkit
Gootkit is a banking trojan, where large parts are written in node.JS.
trojan banker botnet gootkit

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0ca397cd9b4dd05d04216e1511fcfb820e91383d82f34dc003698f4fc3f11744.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0ca397cd9b4dd05d04216e1511fcfb820e91383d82f34dc003698f4fc3f11744.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

mstsc.exe

pid	process
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe
1072	mstsc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

0ca397cd9b4dd05d04216e1511fcfb820e91383d82f34dc003698f4fc3f11744.exe

pid process

2384 0ca397cd9b4dd05d04216e1511fcfb820e91383d82f34dc003698f4fc3f11744.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

0ca397cd9b4dd05d04216e1511fcfb820e91383d82f34dc003698f4fc3f11744.exe

pid process

2384 0ca397cd9b4dd05d04216e1511fcfb820e91383d82f34dc003698f4fc3f11744.exe

pid	process
2384	0ca397cd9b4dd05d04216e1511fcfb820e91383d82f34dc003698f4fc3f11744.exe

pid	process
2384	0ca397cd9b4dd05d04216e1511fcfb820e91383d82f34dc003698f4fc3f11744.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

0ca397cd9b4dd05d04216e1511fcfb820e91383d82f34dc003698f4fc3f11744.exemstsc.execmd.exe

description	pid	process	target process
PID 2384 wrote to memory of 1072	2384	0ca397cd9b4dd05d04216e1511fcfb820e91383d82f34dc003698f4fc3f11744.exe	mstsc.exe
PID 2384 wrote to memory of 1072	2384	0ca397cd9b4dd05d04216e1511fcfb820e91383d82f34dc003698f4fc3f11744.exe	mstsc.exe
PID 2384 wrote to memory of 1072	2384	0ca397cd9b4dd05d04216e1511fcfb820e91383d82f34dc003698f4fc3f11744.exe	mstsc.exe
PID 2384 wrote to memory of 1072	2384	0ca397cd9b4dd05d04216e1511fcfb820e91383d82f34dc003698f4fc3f11744.exe	mstsc.exe
PID 2384 wrote to memory of 1072	2384	0ca397cd9b4dd05d04216e1511fcfb820e91383d82f34dc003698f4fc3f11744.exe	mstsc.exe
PID 2384 wrote to memory of 1072	2384	0ca397cd9b4dd05d04216e1511fcfb820e91383d82f34dc003698f4fc3f11744.exe	mstsc.exe
PID 2384 wrote to memory of 1072	2384	0ca397cd9b4dd05d04216e1511fcfb820e91383d82f34dc003698f4fc3f11744.exe	mstsc.exe
PID 2384 wrote to memory of 1072	2384	0ca397cd9b4dd05d04216e1511fcfb820e91383d82f34dc003698f4fc3f11744.exe	mstsc.exe
PID 1072 wrote to memory of 1164	1072	mstsc.exe	cmd.exe
PID 1072 wrote to memory of 1164	1072	mstsc.exe	cmd.exe
PID 1072 wrote to memory of 1164	1072	mstsc.exe	cmd.exe
PID 1164 wrote to memory of 4884	1164	cmd.exe	attrib.exe
PID 1164 wrote to memory of 4884	1164	cmd.exe	attrib.exe
PID 1164 wrote to memory of 4884	1164	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

4884 attrib.exe

pid	process
4884	attrib.exe

C:\Users\Admin\AppData\Local\Temp\0ca397cd9b4dd05d04216e1511fcfb820e91383d82f34dc003698f4fc3f11744.exe
"C:\Users\Admin\AppData\Local\Temp\0ca397cd9b4dd05d04216e1511fcfb820e91383d82f34dc003698f4fc3f11744.exe"
1⤵
- Checks BIOS information in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\SysWOW64\mstsc.exe
  C:\Windows\System32\mstsc.exe "C:\Users\Admin\AppData\Local\Temp\0ca397cd9b4dd05d04216e1511fcfb820e91383d82f34dc003698f4fc3f11744.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240544578.bat" "C:\Users\Admin\AppData\Local\Temp\0ca397cd9b4dd05d04216e1511fcfb820e91383d82f34dc003698f4fc3f11744.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1164
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\0ca397cd9b4dd05d04216e1511fcfb820e91383d82f34dc003698f4fc3f11744.exe"
      4⤵
      Views/modifies file attributes
      PID:4884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240544578.bat

Filesize
76B

MD5
9b5ab686636105a8616e36f7ba50d2c9

SHA1
0e3c9b22f1716f081195ae07df109974e2788380

SHA256
e32767b4c86512fc9936920560eef25a292f617043b074e99105a76b18af7287

SHA512
d7d5563b4bdd2f12f61a139cd3ba5249ed333afb11153f54715436c59599609f688b8378268e596e10d000c698ac10d57350e0416a7599c127b1e3383c710458

Download Submit
memory/1072-130-0x0000000000000000-mapping.dmp

Download
memory/1072-133-0x0000000000FA0000-0x0000000000FC0000-memory.dmp

Filesize
128KB

Download
memory/1164-132-0x0000000000000000-mapping.dmp

Download
memory/2384-131-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4884-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads