gootkit | 226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b

General

Target

226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
Size

187KB
MD5

23e26f6748b07db1b464f5d237917282
SHA1

3a27db2d1ac8a8fc30d972f4b9d7f91e99d7f96f
SHA256

226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b
SHA512

53e86805989a7a18964cb44ea514d1728a97931979bdbc991011a5a88fa8a49564f1bffb59ca061666cae37eb020e87c00c9d4361c2c5fb4f696f418e5ca7d53

Score

10^/10

gootkit 2855 banker botnet trojan

Malware Config

Extracted

Family

gootkit

Botnet

2855

C2

me.jmitchelldayton.com

otnhmtkwodm1.site

Attributes

vendor_id
2855

Signatures

Gootkit
Gootkit is a banking trojan, where large parts are written in node.JS.
trojan banker botnet gootkit

Modifies Internet Explorer Protected Mode 1 TTPs 5 IoCs

Modify Registry

T1112

Processes:

226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\2500 = "3"	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe

pid	process
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe

description	pid	process	target process
PID 1604 wrote to memory of 4352	1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
PID 1604 wrote to memory of 4352	1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
PID 1604 wrote to memory of 4352	1604	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe	226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe

C:\Users\Admin\AppData\Local\Temp\226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
"C:\Users\Admin\AppData\Local\Temp\226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe"
1⤵
- Modifies Internet Explorer Protected Mode
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Users\Admin\AppData\Local\Temp\226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe
  C:\Users\Admin\AppData\Local\Temp\226792baf638fbc82be1396e926e06a6d3570f6f8b5bf14439fee0ee5af5bd9b.exe --vwxyz
  2⤵
  PID:4352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1604-130-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1604-131-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1604-132-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4352-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads