Analysis

  • max time kernel
    142s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    08-07-2022 14:24

General

  • Target

    2d023b31befef307e418f35dccac149540e9b821ccef1630b38fad4773e0b9c3.exe

  • Size

    284KB

  • MD5

    decf1fbb274d5e4b50ea860d06e8f663

  • SHA1

    35b77da31d99efe2fe70d50bca795a02c9d78641

  • SHA256

    2d023b31befef307e418f35dccac149540e9b821ccef1630b38fad4773e0b9c3

  • SHA512

    79e59b17485ca76064314203c2d14744599ce720ae4357457679660c91c832b731f58a1dc7e999d213dc9034b171352c9e0ebc911328e087788b84d845180507

Malware Config

Extracted

Family

gootkit

Botnet

1002

C2

motherfuckingboss.com

motherfuckinboss.com

Attributes
  • vendor_id

    1002

Signatures

  • Gootkit

    Gootkit is a banking trojan, large parts of which are written in Node.js.

  • Checks BIOS information in registry (2 TTPs, 1 IoC)

    BIOS information is often read from the registry to detect sandbox or virtual-machine environments.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, most likely for geofencing.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this as likely ransomware behaviour; for a banking trojan it is at least as consistent with the same environment fingerprinting as the BIOS check.

  • Suspicious use of WriteProcessMemory (6 IoCs)

    Flagged on the sample (PID 2872) and on the cmd.exe it spawns (PID 3060); see the process tree below.

  • Views/modifies file attributes (1 TTP, 1 IoC)

    attrib.exe clears the read-only, system and hidden attributes on the sample executable; see the process tree below.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2d023b31befef307e418f35dccac149540e9b821ccef1630b38fad4773e0b9c3.exe
    "C:\Users\Admin\AppData\Local\Temp\2d023b31befef307e418f35dccac149540e9b821ccef1630b38fad4773e0b9c3.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240545015.bat" "C:\Users\Admin\AppData\Local\Temp\2d023b31befef307e418f35dccac149540e9b821ccef1630b38fad4773e0b9c3.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Windows\SysWOW64\attrib.exe
        attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\2d023b31befef307e418f35dccac149540e9b821ccef1630b38fad4773e0b9c3.exe"
        3⤵
        • Views/modifies file attributes
        PID:2108
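The tree above shows a three-step cleanup chain: the sample launches cmd.exe on a .bat dropped in %TEMP%, passes its own path as the batch file's argument, and the batch file runs attrib -r -s -h on that same executable, which is the usual prelude to deleting it (clearing read-only/system/hidden first so the delete succeeds). The Python below is an added example of a detection for that chain, not part of the sandbox report or of the Gootkit sample. The process records are constructed to mirror the tree; the field names (Image, CommandLine, ProcessId, ParentProcessId) follow Sysmon Event ID 1 as an assumption, and the benign console session is likewise made up.

```python
"""Flag a parent that spawns cmd.exe on a %TEMP% .bat with its own path as the
argument, where the batch then runs attrib -r -s -h on that parent's image.
Added example; records are constructed, not captured telemetry."""
import re

# Quoted absolute Windows paths, e.g. "C:\Users\Admin\AppData\Local\Temp\x.bat".
# Requiring a drive letter skips the empty "" that cmd.exe /c wraps around the
# whole command line in the tree above.
_QUOTED_PATH = re.compile(r'"([A-Za-z]:\\[^"]+)"')
USER_TEMP = "\\appdata\\local\\temp\\"   # per-user temp directory (assumed layout)


def quoted_paths(cmdline):
    """Return every double-quoted drive-letter path in a command line, in order."""
    return _QUOTED_PATH.findall(cmdline)


def attrib_flags(cmdline):
    """Return the set of attribute letters attrib.exe was asked to clear (-r/-s/-h/-a)."""
    return {m.lower() for m in re.findall(r"(?<!\S)-([rsha])(?!\S)", cmdline, re.I)}


def in_user_temp(path):
    return USER_TEMP in path.lower()


def detect_cleanup_chain(events):
    """Walk attrib.exe -> cmd.exe -> origin and return one finding per matching chain."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for ev in events:
        if not ev["Image"].lower().endswith("\\attrib.exe"):
            continue
        if not {"r", "s", "h"} <= attrib_flags(ev["CommandLine"]):
            continue
        targets = quoted_paths(ev["CommandLine"])
        if not targets:
            continue
        target = targets[-1]                      # file whose attributes are cleared
        shell = by_pid.get(ev["ParentProcessId"])
        if shell is None or not shell["Image"].lower().endswith("\\cmd.exe"):
            continue
        shell_args = quoted_paths(shell["CommandLine"])
        bats = [p for p in shell_args if p.lower().endswith(".bat") and in_user_temp(p)]
        origin = by_pid.get(shell["ParentProcessId"])
        if (bats and origin is not None
                and origin["Image"].lower() == target.lower()
                and target.lower() in (p.lower() for p in shell_args)):
            findings.append({
                "sample": origin["Image"],
                "sample_pid": origin["ProcessId"],
                "bat": bats[0],
                "attrib_pid": ev["ProcessId"],
            })
    return findings


# Constructed records mirroring the process tree in this report.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2d023b31befef307e418f35dccac149540e9b821ccef1630b38fad4773e0b9c3.exe")
BAT = r"C:\Users\Admin\AppData\Local\Temp\240545015.bat"
SANDBOX_EVENTS = [
    {"ProcessId": 2872, "ParentProcessId": 1, "Image": SAMPLE,
     "CommandLine": '"' + SAMPLE + '"'},
    {"ProcessId": 3060, "ParentProcessId": 2872, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": 'C:\\Windows\\system32\\cmd.exe /c ""' + BAT + '" "' + SAMPLE + '""'},
    {"ProcessId": 2108, "ParentProcessId": 3060, "Image": r"C:\Windows\SysWOW64\attrib.exe",
     "CommandLine": 'attrib -r -s -h "' + SAMPLE + '"'},
]
# Constructed benign session: an admin unhiding a document from a console.
BENIGN_EVENTS = [
    {"ProcessId": 500, "ParentProcessId": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe"'},
    {"ProcessId": 501, "ParentProcessId": 500, "Image": r"C:\Windows\System32\attrib.exe",
     "CommandLine": r'attrib -r -s -h "C:\Users\Admin\Documents\notes.txt"'},
]

if __name__ == "__main__":
    for hit in detect_cleanup_chain(SANDBOX_EVENTS + BENIGN_EVENTS):
        print("self-cleanup chain:", hit)
```

The chain is keyed on the attrib.exe event and walked upward, so it does not depend on event ordering, and the benign console session produces no finding because the cmd.exe ancestor was not launched on a %TEMP% batch file naming the attrib target.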

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Hidden Files and Directories (T1158), 1 matching signature
  • Defense Evasion: Hidden Files and Directories (T1158), 1 matching signature
  • Discovery: Query Registry (T1012), 2 matching signatures
  • Discovery: System Information Discovery (T1082), 3 matching signatures

T1158 was deprecated after ATT&CK v6; in current versions the same behaviour maps to Hide Artifacts: Hidden Files and Directories (T1564.001).

Downloads

  • C:\Users\Admin\AppData\Local\Temp\240545015.bat
    Filesize

    76B

    MD5

    013a15c5d961d3fdcf678c09570010e9

    SHA1

    8e865966db1711525ab68b79501f507260d5e43b

    SHA256

    0f94eb95622cd914b231a96333a854ce4cece5c14e359739266f52f37609aaf7

    SHA512

    39d65a83144493767ff60a0c91cb8e00e0bbe1aafb00ce451f3ab16591408ebf489b0f1ff83427d3349b0e147d70153b208fc0b491aff4fb89ee6e13be90e32f

  • memory/2108-134-0x0000000000000000-mapping.dmp
  • memory/2872-130-0x00000000005E0000-0x00000000005E3000-memory.dmp
    Filesize

    12KB

  • memory/2872-131-0x0000000000400000-0x000000000044A000-memory.dmp
    Filesize

    296KB

  • memory/3060-132-0x0000000000000000-mapping.dmp