gootkit | 18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448

General

Target

18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
Size

190KB
MD5

aa9aadce68be8d37d9bed2253ebdec5a
SHA1

beee06b9313094fa884a5f88d01f30ea8ec42085
SHA256

18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448
SHA512

85e3fa262938f163fb3aeaab1d07db7fbbb297cb92480ccf608c744361909051ab1dcb289e2621acca91f2681b5312b95f8fc7ea72aded5cce11c378b5b6c430

Score

10^/10

gootkit 2855 banker botnet trojan

Malware Config

Extracted

Family

gootkit

Botnet

2855

C2

me.jmitchelldayton.com

otnhmtkwodm1.site

Attributes

vendor_id
2855

Signatures

Gootkit
Gootkit is a banking trojan, where large parts are written in node.JS.
trojan banker botnet gootkit

Modifies Internet Explorer Protected Mode 1 TTPs 5 IoCs

Modify Registry

T1112

Processes:

18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\2500 = "3"	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe

pid	process
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe

description	pid	process	target process
PID 2476 wrote to memory of 4552	2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
PID 2476 wrote to memory of 4552	2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
PID 2476 wrote to memory of 4552	2476	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe	18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe

C:\Users\Admin\AppData\Local\Temp\18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
"C:\Users\Admin\AppData\Local\Temp\18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe"
1⤵
- Modifies Internet Explorer Protected Mode
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Users\Admin\AppData\Local\Temp\18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe
  C:\Users\Admin\AppData\Local\Temp\18001d0fc59814fb6054d924f2b5f6c299b9e7a9c5ae2cd2f55826554d3bb448.exe --vwxyz
  2⤵
  PID:4552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2476-130-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2476-131-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4552-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads