gootkit | 1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc

Analysis

max time kernel
31s
max time network
44s
platform
windows7_x64
resource
win7-20220414-en
submitted
07-06-2022 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe
Size

117KB
MD5

ada4085a5d32e6a930ef5a30f798e58d
SHA1

f36563de3e43af2d3fcaf706e4bc2f9b177eaa79
SHA256

1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc
SHA512

91ca02156a111de3d23c3dc23a1682b3066dbd21b075b64f74426a3bd279bf89dd719cbac8f1730a43b8b534ca6811b3d6cd054b5fd163a215da529b4ac6371d

Score

10^/10

gootkit 1234 banker botnet trojan

Malware Config

Extracted

Family

gootkit

Botnet

1234

zalipon.wollega.com

trussardi.qunamti.com

luga5lindalupina.com

Attributes

vendor_id
1234

Signatures

Gootkit
Gootkit is a banking trojan, where large parts are written in node.JS.
trojan banker botnet gootkit

Deletes itself 1 IoCs

pid	Process
1128	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe
976	mstsc.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1720	1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 976	1720	1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe	28
PID 1720 wrote to memory of 976	1720	1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe	28
PID 1720 wrote to memory of 976	1720	1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe	28
PID 1720 wrote to memory of 976	1720	1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe	28
PID 1720 wrote to memory of 976	1720	1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe	28
PID 1720 wrote to memory of 976	1720	1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe	28
PID 1720 wrote to memory of 976	1720	1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe	28
PID 1720 wrote to memory of 976	1720	1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe	28
PID 1720 wrote to memory of 976	1720	1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe	28
PID 976 wrote to memory of 1128	976	mstsc.exe	29
PID 976 wrote to memory of 1128	976	mstsc.exe	29
PID 976 wrote to memory of 1128	976	mstsc.exe	29
PID 976 wrote to memory of 1128	976	mstsc.exe	29
PID 1128 wrote to memory of 1068	1128	cmd.exe	31
PID 1128 wrote to memory of 1068	1128	cmd.exe	31
PID 1128 wrote to memory of 1068	1128	cmd.exe	31
PID 1128 wrote to memory of 1068	1128	cmd.exe	31

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1068	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe
"C:\Users\Admin\AppData\Local\Temp\1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\SysWOW64\mstsc.exe
  C:\Windows\System32\mstsc.exe "C:\Users\Admin\AppData\Local\Temp\1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\7084801.bat" "C:\Users\Admin\AppData\Local\Temp\1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe""
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:1128
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe"
      4⤵
      Views/modifies file attributes
      PID:1068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7084801.bat

Filesize
72B

MD5
3b773e77d96d70b05c74a9ad25c717d4

SHA1
3523e8d731a311348ea5660f99689c1becb2cc1a

SHA256
493da04951f92133b3dadeb357258c197badf7b8e572978fa1cd712f36fbb712

SHA512
fa6be6afef744ddef55fe2dd11aebcabf12335c089605538917d65a06fc6953c5b4a05ffc6f35fca39562567a54ba9d42483bf0f81c752211c6c687f97ddee95

Download Submit
memory/976-58-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/1720-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download