gootkit | 3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9

General

Target

3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
Size

189KB
MD5

3cb577465c985e8b34afc6e40fa8d458
SHA1

4c416ba9ac99e0357dfd30fe39eb897d51bd8195
SHA256

3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9
SHA512

473d1e066af7dd35052bbf8b3cfa87aa273d87754c532f059a224ab19818b103fe76d2ffcdb9b2e0e59c1aa8505538e17abbd175ca40724b2a9452da84653673

Score

10^/10

gootkit 2855 banker botnet trojan

Malware Config

Extracted

Family

gootkit

Botnet

2855

C2

me.jmitchelldayton.com

otnhmtkwodm1.site

Attributes

vendor_id
2855

Signatures

Gootkit
Gootkit is a banking trojan, where large parts are written in node.JS.
trojan banker botnet gootkit

Modifies Internet Explorer Protected Mode 1 TTPs 5 IoCs

Modify Registry

T1112

Processes:

3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\2500 = "3"	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe

pid	process
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe

description	pid	process	target process
PID 1664 wrote to memory of 1056	1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
PID 1664 wrote to memory of 1056	1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
PID 1664 wrote to memory of 1056	1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
PID 1664 wrote to memory of 1056	1664	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe	3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe

C:\Users\Admin\AppData\Local\Temp\3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
"C:\Users\Admin\AppData\Local\Temp\3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe"
1⤵
- Modifies Internet Explorer Protected Mode
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Users\Admin\AppData\Local\Temp\3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe
  C:\Users\Admin\AppData\Local\Temp\3079b740d91179832f75ba23052eca8c19983252c274740be1e045cb588886c9.exe --vwxyz
  2⤵
  PID:1056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1056-57-0x0000000000000000-mapping.dmp

Download
memory/1664-55-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1664-54-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1664-56-0x0000000076C81000-0x0000000076C83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads