Analysis

  • max time kernel
    41s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    07-07-2022 10:07

General

  • Target

    46041271b0d9461b5dab77b643ae0cd3195f227c677504a7b485497f1c5a7634.exe

  • Size

    268KB

  • MD5

    809ff40a9619745b5e753168d638a100

  • SHA1

    2465e77e211ab7f88d2c7d61af5f5e2a7f8d5f5a

  • SHA256

    46041271b0d9461b5dab77b643ae0cd3195f227c677504a7b485497f1c5a7634

  • SHA512

    dc9bee27760392ccbfaf6eba89d83501babe0900e32555fdeec05b25c33f1c95097d379ad5d51a094613a1288f51678c8f9cef5979245ffd0f02edafbec98745

Malware Config

Extracted

Family

gootkit

Botnet

410

C2

parking.dynophyl.com

parked.dynonortheast.com

trktrk.eu

smeinsurances.co.uk

Attributes
  • vendor_id

    410

Signatures

  • Gootkit

    Gootkit is a banking trojan, where large parts are written in Node.js.

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\46041271b0d9461b5dab77b643ae0cd3195f227c677504a7b485497f1c5a7634.exe
    "C:\Users\Admin\AppData\Local\Temp\46041271b0d9461b5dab77b643ae0cd3195f227c677504a7b485497f1c5a7634.exe"
    1⤵
    • Checks BIOS information in registry
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:284
    • C:\Windows\SysWOW64\mstsc.exe
      C:\Windows\System32\mstsc.exe "C:\Users\Admin\AppData\Local\Temp\46041271b0d9461b5dab77b643ae0cd3195f227c677504a7b485497f1c5a7634.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7112069.bat" "C:\Users\Admin\AppData\Local\Temp\46041271b0d9461b5dab77b643ae0cd3195f227c677504a7b485497f1c5a7634.exe""
        3⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:1220
        • C:\Windows\SysWOW64\attrib.exe
          attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\46041271b0d9461b5dab77b643ae0cd3195f227c677504a7b485497f1c5a7634.exe"
          4⤵
          • Views/modifies file attributes
          PID:1972

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7112069.bat

    Filesize

    72B

    MD5

    f1ea40a1834566cfe7c1107a90c525c6

    SHA1

    f26e722b6645b8089ec61d68610703d6d579c13d

    SHA256

    74798a0304625bb7030dc6e8bdd746495f572f3463413376632d59ec29f48865

    SHA512

    4539da72f35500ef55ac3c04fc55c00f5f5b0375eccea6ab7b92ccc9f23ee2d47aa0d31220ad0c7033d4d09c0c2cc845d5517c8f8a36c9792027b6c5a7143b50

  • memory/284-54-0x00000000763E1000-0x00000000763E3000-memory.dmp

    Filesize

    8KB

  • memory/284-56-0x0000000000400000-0x0000000000443000-memory.dmp

    Filesize

    268KB

  • memory/1220-58-0x0000000000000000-mapping.dmp

  • memory/1972-61-0x0000000000000000-mapping.dmp

  • memory/2016-55-0x0000000000000000-mapping.dmp

  • memory/2016-59-0x0000000000080000-0x00000000000A0000-memory.dmp

    Filesize

    128KB