gootkit | 087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555

General

Target

087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe
Size

264KB
MD5

af0b810ee30058e5cea264fed2a15f05
SHA1

7aae8004f0042d3c4d250ace81053dbc3e31fecf
SHA256

087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555
SHA512

56b7da6973995c0e007ce78f62c5a45db54f8448ff7f0af6fcebe1a5f63c5d30b6864b7d0ae5c940f0db1d12c7363d87037a2b166caf51bc9b32175a95072710

Score

10^/10

gootkit 410 banker botnet trojan

Malware Config

Extracted

Family

gootkit

Botnet

410

C2

parking.dynophyl.com

parked.dynonortheast.com

trktrk.eu

smeinsurances.co.uk

Attributes

vendor_id
410

Signatures

Gootkit
Gootkit is a banking trojan, where large parts are written in node.JS.
trojan banker botnet gootkit

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

848 cmd.exe

pid	process
848	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

mstsc.exe

pid	process
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe

pid process

1796 087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe

pid process

1796 087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe

pid	process
1796	087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe

pid	process
1796	087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exemstsc.execmd.exe

description	pid	process	target process
PID 1796 wrote to memory of 2032	1796	087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe	mstsc.exe
PID 1796 wrote to memory of 2032	1796	087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe	mstsc.exe
PID 1796 wrote to memory of 2032	1796	087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe	mstsc.exe
PID 1796 wrote to memory of 2032	1796	087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe	mstsc.exe
PID 1796 wrote to memory of 2032	1796	087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe	mstsc.exe
PID 1796 wrote to memory of 2032	1796	087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe	mstsc.exe
PID 1796 wrote to memory of 2032	1796	087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe	mstsc.exe
PID 1796 wrote to memory of 2032	1796	087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe	mstsc.exe
PID 1796 wrote to memory of 2032	1796	087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe	mstsc.exe
PID 2032 wrote to memory of 848	2032	mstsc.exe	cmd.exe
PID 2032 wrote to memory of 848	2032	mstsc.exe	cmd.exe
PID 2032 wrote to memory of 848	2032	mstsc.exe	cmd.exe
PID 2032 wrote to memory of 848	2032	mstsc.exe	cmd.exe
PID 848 wrote to memory of 1060	848	cmd.exe	attrib.exe
PID 848 wrote to memory of 1060	848	cmd.exe	attrib.exe
PID 848 wrote to memory of 1060	848	cmd.exe	attrib.exe
PID 848 wrote to memory of 1060	848	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1060 attrib.exe

pid	process
1060	attrib.exe

C:\Users\Admin\AppData\Local\Temp\087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe
"C:\Users\Admin\AppData\Local\Temp\087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe"
1⤵
- Checks BIOS information in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\SysWOW64\mstsc.exe
C:\Windows\System32\mstsc.exe "C:\Users\Admin\AppData\Local\Temp\087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7075128.bat" "C:\Users\Admin\AppData\Local\Temp\087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe""
3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\SysWOW64\attrib.exe
attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe"
4⤵
- Views/modifies file attributes
PID:1060

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7075128.bat
Filesize
72B

MD5
a1cfbeed0549939c8213ab115db42853

SHA1
21368c8b4d778c4a48962bdabf14e4dfbbea40e6

SHA256
dae93a002c717e67ac4fe17e7732856bb8d88160cb29a417af0ba140f8768ec6

SHA512
82bd28ddac8816a8e75f3c864b6c3ff4b88247a03bdca356d9a41e01d7183a6a2ef68f1b899c3d1b65920e7cac67c900606abaac20296b458b45bb64c45936f1

Download Submit
memory/848-58-0x0000000000000000-mapping.dmp

Download
memory/1060-61-0x0000000000000000-mapping.dmp

Download
memory/1796-54-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download
memory/1796-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2032-56-0x0000000000000000-mapping.dmp

Download
memory/2032-59-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads