gootkit | 2d023b31befef307e418f35dccac149540e9b821ccef1630b38fad4773e0b9c3 | Triage

Sharing

General

Target

2d023b31befef307e418f35dccac149540e9b821ccef1630b38fad4773e0b9c3
Size

284KB
Sample

220708-rqrypsdfdr
MD5

decf1fbb274d5e4b50ea860d06e8f663
SHA1

35b77da31d99efe2fe70d50bca795a02c9d78641
SHA256

2d023b31befef307e418f35dccac149540e9b821ccef1630b38fad4773e0b9c3
SHA512

79e59b17485ca76064314203c2d14744599ce720ae4357457679660c91c832b731f58a1dc7e999d213dc9034b171352c9e0ebc911328e087788b84d845180507

Score

10^/10

gootkit 1002 banker botnet trojan

Malware Config

Extracted

Family

gootkit

Botnet

1002

C2

motherfuckingboss.com

motherfuckinboss.com

Attributes

vendor_id
1002

Targets

- Target
  
  2d023b31befef307e418f35dccac149540e9b821ccef1630b38fad4773e0b9c3
- Size
  
  284KB
- MD5
  
  decf1fbb274d5e4b50ea860d06e8f663
- SHA1
  
  35b77da31d99efe2fe70d50bca795a02c9d78641
- SHA256
  
  2d023b31befef307e418f35dccac149540e9b821ccef1630b38fad4773e0b9c3
- SHA512
  
  79e59b17485ca76064314203c2d14744599ce720ae4357457679660c91c832b731f58a1dc7e999d213dc9034b171352c9e0ebc911328e087788b84d845180507
Score

10^/10

gootkit 1002 banker botnet trojan
- Gootkit
  Gootkit is a banking trojan, where large parts are written in node.JS.
  trojan banker botnet gootkit
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gootkit1002bankerbotnettrojan

behavioral2

gootkit1002bankerbotnettrojan