gootkit | 1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc

General

Target

1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe
Size

117KB
MD5

ada4085a5d32e6a930ef5a30f798e58d
SHA1

f36563de3e43af2d3fcaf706e4bc2f9b177eaa79
SHA256

1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc
SHA512

91ca02156a111de3d23c3dc23a1682b3066dbd21b075b64f74426a3bd279bf89dd719cbac8f1730a43b8b534ca6811b3d6cd054b5fd163a215da529b4ac6371d

Score

10^/10

gootkit 1234 banker botnet trojan

Malware Config

Extracted

Family

gootkit

Botnet

1234

C2

zalipon.wollega.com

trussardi.qunamti.com

luga5lindalupina.com

Attributes

vendor_id
1234

Signatures

Gootkit
Gootkit is a banking trojan, where large parts are written in node.JS.
trojan banker botnet gootkit
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1128 cmd.exe

pid	process
1128	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

mstsc.exe

pid	process
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe

pid process

1720 1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe

pid	process
1720	1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exemstsc.execmd.exe

description	pid	process	target process
PID 1720 wrote to memory of 976	1720	1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe	mstsc.exe
PID 1720 wrote to memory of 976	1720	1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe	mstsc.exe
PID 1720 wrote to memory of 976	1720	1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe	mstsc.exe
PID 1720 wrote to memory of 976	1720	1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe	mstsc.exe
PID 1720 wrote to memory of 976	1720	1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe	mstsc.exe
PID 1720 wrote to memory of 976	1720	1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe	mstsc.exe
PID 1720 wrote to memory of 976	1720	1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe	mstsc.exe
PID 1720 wrote to memory of 976	1720	1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe	mstsc.exe
PID 1720 wrote to memory of 976	1720	1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe	mstsc.exe
PID 976 wrote to memory of 1128	976	mstsc.exe	cmd.exe
PID 976 wrote to memory of 1128	976	mstsc.exe	cmd.exe
PID 976 wrote to memory of 1128	976	mstsc.exe	cmd.exe
PID 976 wrote to memory of 1128	976	mstsc.exe	cmd.exe
PID 1128 wrote to memory of 1068	1128	cmd.exe	attrib.exe
PID 1128 wrote to memory of 1068	1128	cmd.exe	attrib.exe
PID 1128 wrote to memory of 1068	1128	cmd.exe	attrib.exe
PID 1128 wrote to memory of 1068	1128	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1068 attrib.exe

pid	process
1068	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe
"C:\Users\Admin\AppData\Local\Temp\1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\mstsc.exe
C:\Windows\System32\mstsc.exe "C:\Users\Admin\AppData\Local\Temp\1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7084801.bat" "C:\Users\Admin\AppData\Local\Temp\1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe""
3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\SysWOW64\attrib.exe
attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe"
4⤵
- Views/modifies file attributes
PID:1068

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7084801.bat
Filesize
72B

MD5
3b773e77d96d70b05c74a9ad25c717d4

SHA1
3523e8d731a311348ea5660f99689c1becb2cc1a

SHA256
493da04951f92133b3dadeb357258c197badf7b8e572978fa1cd712f36fbb712

SHA512
fa6be6afef744ddef55fe2dd11aebcabf12335c089605538917d65a06fc6953c5b4a05ffc6f35fca39562567a54ba9d42483bf0f81c752211c6c687f97ddee95

Download Submit
memory/976-55-0x0000000000000000-mapping.dmp

Download
memory/976-58-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/1068-60-0x0000000000000000-mapping.dmp

Download
memory/1128-57-0x0000000000000000-mapping.dmp

Download
memory/1720-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing