Overview

overview

10

Static

static

087b9f549d...55.exe

windows7_x64

10

087b9f549d...55.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    163s
  • max time network
    187s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    30-05-2022 21:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe

  • Size

    264KB

  • MD5

    af0b810ee30058e5cea264fed2a15f05

  • SHA1

    7aae8004f0042d3c4d250ace81053dbc3e31fecf

  • SHA256

    087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555

  • SHA512

    56b7da6973995c0e007ce78f62c5a45db54f8448ff7f0af6fcebe1a5f63c5d30b6864b7d0ae5c940f0db1d12c7363d87037a2b166caf51bc9b32175a95072710

Score
10/10
gootkit410bankerbotnettrojan

Malware Config

Extracted

Family

gootkit

Botnet

410

C2

parking.dynophyl.com

parked.dynonortheast.com

trktrk.eu

smeinsurances.co.uk
Attributes
  • vendor_id

    410

Signatures

  • Gootkit

    Gootkit is a banking trojan, where large parts are written in node.JS.

    trojanbankerbotnetgootkit
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe
    "C:\Users\Admin\AppData\Local\Temp\087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe"
    1⤵
    • Checks BIOS information in registry
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3716
    • C:\Windows\SysWOW64\mstsc.exe
      C:\Windows\System32\mstsc.exe "C:\Users\Admin\AppData\Local\Temp\087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2640
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240584515.bat" "C:\Users\Admin\AppData\Local\Temp\087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2824
        • C:\Windows\SysWOW64\attrib.exe
          attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe"
          4⤵
          • Views/modifies file attributes
          PID:4300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1
T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1
T1158

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\240584515.bat
    Filesize

    76B

    MD5

    a0b56dbfec40bc9e00e413253c74041c

    SHA1

    0495a408fa21c4002a858bece5ede1bc78a1c6fd

    SHA256

    c5f526e250b512ac9415ac62599c08dfc9a27e2e44d5dd309b08948b1653c81a

    SHA512

    f6d75d4474456fa9755b6516c638e617b4edb75afaf86e7b5a107967426daa2e4736dbac9600e3c31a27b6294b8bb0149fcac862091130f4ef749d708c30e647

    Download Submit
  • memory/2640-130-0x0000000000000000-mapping.dmp
    Download
  • memory/2640-132-0x0000000000350000-0x0000000000370000-memory.dmp
    Filesize

    128KB

    Download
  • memory/2824-133-0x0000000000000000-mapping.dmp
    Download
  • memory/3716-131-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize

    264KB

    Download
  • memory/4300-135-0x0000000000000000-mapping.dmp
    Download