gootkit | 1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc

Analysis

max time kernel
106s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
07-06-2022 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe
Size

117KB
MD5

ada4085a5d32e6a930ef5a30f798e58d
SHA1

f36563de3e43af2d3fcaf706e4bc2f9b177eaa79
SHA256

1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc
SHA512

91ca02156a111de3d23c3dc23a1682b3066dbd21b075b64f74426a3bd279bf89dd719cbac8f1730a43b8b534ca6811b3d6cd054b5fd163a215da529b4ac6371d

Score

10^/10

gootkit 1234 banker botnet trojan

Malware Config

Extracted

Family

gootkit

Botnet

1234

zalipon.wollega.com

trussardi.qunamti.com

luga5lindalupina.com

Attributes

vendor_id
1234

Signatures

Gootkit
Gootkit is a banking trojan, where large parts are written in node.JS.
trojan banker botnet gootkit

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe
4512	mstsc.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4872	1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 4512	4872	1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe	79
PID 4872 wrote to memory of 4512	4872	1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe	79
PID 4872 wrote to memory of 4512	4872	1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe	79
PID 4872 wrote to memory of 4512	4872	1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe	79
PID 4872 wrote to memory of 4512	4872	1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe	79
PID 4872 wrote to memory of 4512	4872	1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe	79
PID 4872 wrote to memory of 4512	4872	1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe	79
PID 4872 wrote to memory of 4512	4872	1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe	79
PID 4512 wrote to memory of 2968	4512	mstsc.exe	80
PID 4512 wrote to memory of 2968	4512	mstsc.exe	80
PID 4512 wrote to memory of 2968	4512	mstsc.exe	80
PID 2968 wrote to memory of 1132	2968	cmd.exe	82
PID 2968 wrote to memory of 1132	2968	cmd.exe	82
PID 2968 wrote to memory of 1132	2968	cmd.exe	82

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1132	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe
"C:\Users\Admin\AppData\Local\Temp\1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Windows\SysWOW64\mstsc.exe
  C:\Windows\System32\mstsc.exe "C:\Users\Admin\AppData\Local\Temp\1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240582390.bat" "C:\Users\Admin\AppData\Local\Temp\1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe"
      4⤵
      Views/modifies file attributes
      PID:1132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240582390.bat

Filesize
76B

MD5
c0cae19bd38ad9464cd2c4b32ffd8d51

SHA1
bf78e086d84eec43e95222bfcf916f0762cc8c8e

SHA256
0ab179707dc29bfd558e692dc7965ae02bdeb826581d400d23fd0d97d5b307b9

SHA512
6291fe7fef48a490f7f3c25b5209417ccf3c3f63e6ef490c7c7d2118d9465afab3630e8150c43e1b9b671c2a0515614a84fdd19314c274cc58b6284b6dd2259b

Download Submit
memory/4512-131-0x0000000000AC0000-0x0000000000AE0000-memory.dmp

Filesize
128KB

Download