Analysis

  • max time kernel: 106s
  • max time network: 145s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220414-en
  • submitted: 07-06-2022 16:08

General

  • Target: 1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe
  • Size: 117KB
  • MD5: ada4085a5d32e6a930ef5a30f798e58d
  • SHA1: f36563de3e43af2d3fcaf706e4bc2f9b177eaa79
  • SHA256: 1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc
  • SHA512: 91ca02156a111de3d23c3dc23a1682b3066dbd21b075b64f74426a3bd279bf89dd719cbac8f1730a43b8b534ca6811b3d6cd054b5fd163a215da529b4ac6371d

Malware Config

Extracted

  • Family: gootkit
  • Botnet: 1234
  • C2:
    zalipon.wollega.com
    trussardi.qunamti.com
    luga5lindalupina.com
  • Attributes
    • vendor_id: 1234

Signatures

  • Gootkit

    Gootkit is a banking trojan, large parts of which are written in Node.js.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe
    "C:\Users\Admin\AppData\Local\Temp\1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe"
    1⤵
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:4872
    • C:\Windows\SysWOW64\mstsc.exe
      C:\Windows\System32\mstsc.exe "C:\Users\Admin\AppData\Local\Temp\1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4512
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240582390.bat" "C:\Users\Admin\AppData\Local\Temp\1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2968
        • C:\Windows\SysWOW64\attrib.exe
          attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\1c402ae634eac550f21d698329fca0c62a50450a5b373f9f492eef2f4fa1a2cc.exe"
          4⤵
          • Views/modifies file attributes
          PID:1132

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Hidden Files and Directories (1) T1158
  • Defense Evasion: Hidden Files and Directories (1) T1158


Downloads

  • C:\Users\Admin\AppData\Local\Temp\240582390.bat
    Filesize: 76B
    MD5: c0cae19bd38ad9464cd2c4b32ffd8d51
    SHA1: bf78e086d84eec43e95222bfcf916f0762cc8c8e
    SHA256: 0ab179707dc29bfd558e692dc7965ae02bdeb826581d400d23fd0d97d5b307b9
    SHA512: 6291fe7fef48a490f7f3c25b5209417ccf3c3f63e6ef490c7c7d2118d9465afab3630e8150c43e1b9b671c2a0515614a84fdd19314c274cc58b6284b6dd2259b
  • memory/1132-134-0x0000000000000000-mapping.dmp
  • memory/2968-132-0x0000000000000000-mapping.dmp
  • memory/4512-130-0x0000000000000000-mapping.dmp
  • memory/4512-131-0x0000000000AC0000-0x0000000000AE0000-memory.dmp
    Filesize: 128KB