gootkit | daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296

General

Target

daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
Size

189KB
MD5

70a6c66362517d855bbdd73568329da6
SHA1

61891b1f935071b98d64708b2c444083e1f4e2e2
SHA256

daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296
SHA512

3eccec491b7feffd5bc56792b66ec9d164ff1e3c84dfb44c70dbf536608b3f23fef898bd7a5f1759105770562e8399b2b25147b2cc462d28140389a0dd9fe565

Score

10^/10

gootkit 2855 banker botnet trojan

Malware Config

Extracted

Family

gootkit

Botnet

2855

C2

me.jmitchelldayton.com

otnhmtkwodm1.site

Attributes

vendor_id
2855

Signatures

Gootkit
Gootkit is a banking trojan, where large parts are written in node.JS.
trojan banker botnet gootkit

Modifies Internet Explorer Protected Mode 1 TTPs 5 IoCs

Modify Registry

T1112

Processes:

daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\2500 = "3"	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe

pid	process
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe

description	pid	process	target process
PID 4136 wrote to memory of 2976	4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
PID 4136 wrote to memory of 2976	4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
PID 4136 wrote to memory of 2976	4136	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe	daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe

C:\Users\Admin\AppData\Local\Temp\daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
"C:\Users\Admin\AppData\Local\Temp\daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe"
1⤵
- Modifies Internet Explorer Protected Mode
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Users\Admin\AppData\Local\Temp\daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe
  C:\Users\Admin\AppData\Local\Temp\daf467c1c3d8cc8f7f692afa01d60027e310070b28e467e7b75f638025c95296.exe --vwxyz
  2⤵
  PID:2976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2976-133-0x0000000000000000-mapping.dmp

Download
memory/4136-130-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4136-131-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4136-132-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads