gootkit | 087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555

Analysis

max time kernel
41s
max time network
47s
platform
windows7_x64
resource
win7-20220414-en
submitted
30-05-2022 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe
Size

264KB
MD5

af0b810ee30058e5cea264fed2a15f05
SHA1

7aae8004f0042d3c4d250ace81053dbc3e31fecf
SHA256

087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555
SHA512

56b7da6973995c0e007ce78f62c5a45db54f8448ff7f0af6fcebe1a5f63c5d30b6864b7d0ae5c940f0db1d12c7363d87037a2b166caf51bc9b32175a95072710

Score

10^/10

gootkit 410 banker botnet trojan

Malware Config

Extracted

Family

gootkit

Botnet

410

parking.dynophyl.com

parked.dynonortheast.com

trktrk.eu

smeinsurances.co.uk

Attributes

vendor_id
410

Signatures

Gootkit
Gootkit is a banking trojan, where large parts are written in node.JS.
trojan banker botnet gootkit

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe

Deletes itself 1 IoCs

pid	Process
848	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe
2032	mstsc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1796	087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1796	087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 2032	1796	087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe	28
PID 1796 wrote to memory of 2032	1796	087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe	28
PID 1796 wrote to memory of 2032	1796	087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe	28
PID 1796 wrote to memory of 2032	1796	087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe	28
PID 1796 wrote to memory of 2032	1796	087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe	28
PID 1796 wrote to memory of 2032	1796	087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe	28
PID 1796 wrote to memory of 2032	1796	087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe	28
PID 1796 wrote to memory of 2032	1796	087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe	28
PID 1796 wrote to memory of 2032	1796	087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe	28
PID 2032 wrote to memory of 848	2032	mstsc.exe	29
PID 2032 wrote to memory of 848	2032	mstsc.exe	29
PID 2032 wrote to memory of 848	2032	mstsc.exe	29
PID 2032 wrote to memory of 848	2032	mstsc.exe	29
PID 848 wrote to memory of 1060	848	cmd.exe	31
PID 848 wrote to memory of 1060	848	cmd.exe	31
PID 848 wrote to memory of 1060	848	cmd.exe	31
PID 848 wrote to memory of 1060	848	cmd.exe	31

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1060	attrib.exe

C:\Users\Admin\AppData\Local\Temp\087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe
"C:\Users\Admin\AppData\Local\Temp\087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe"
1⤵
- Checks BIOS information in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\SysWOW64\mstsc.exe
  C:\Windows\System32\mstsc.exe "C:\Users\Admin\AppData\Local\Temp\087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\7075128.bat" "C:\Users\Admin\AppData\Local\Temp\087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe""
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:848
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe"
      4⤵
      Views/modifies file attributes
      PID:1060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7075128.bat

Filesize
72B

MD5
a1cfbeed0549939c8213ab115db42853

SHA1
21368c8b4d778c4a48962bdabf14e4dfbbea40e6

SHA256
dae93a002c717e67ac4fe17e7732856bb8d88160cb29a417af0ba140f8768ec6

SHA512
82bd28ddac8816a8e75f3c864b6c3ff4b88247a03bdca356d9a41e01d7183a6a2ef68f1b899c3d1b65920e7cac67c900606abaac20296b458b45bb64c45936f1

Download Submit
memory/1796-54-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download
memory/1796-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2032-59-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download