gootkit | 8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d

General

Target

8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
Size

249KB
MD5

de55f92fcc38046896677011e9a4fc2c
SHA1

1e5d3815b41cc57d7315126cdff526f3ca8c4bbe
SHA256

8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d
SHA512

816840838360389cfde7b634cb61206a1b6480f3165050b4faa1f8bf2d99efc7790e201f10f56963e8de4df80c7c6c9ef701c7c1628e4ddc740732537f0ce555

Score

10^/10

gootkit 777 banker botnet trojan

Malware Config

Extracted

Family

gootkit

Botnet

777

C2

chaabattent.com

kladrykroptur.com

madregobilsg.com

kerymarynicegross.com

pillygreamstronh.com

Attributes

vendor_id
777

Signatures

Gootkit
Gootkit is a banking trojan, where large parts are written in node.JS.
trojan banker botnet gootkit

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe

Modifies Internet Explorer Protected Mode 1 TTPs 5 IoCs

Modify Registry

T1112

Processes:

8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\2500 = "3"	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe

pid	process
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe

description	pid	process	target process
PID 4820 wrote to memory of 4192	4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
PID 4820 wrote to memory of 4192	4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
PID 4820 wrote to memory of 4192	4820	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe	8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe

C:\Users\Admin\AppData\Local\Temp\8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
"C:\Users\Admin\AppData\Local\Temp\8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe"
1⤵
- Checks BIOS information in registry
- Modifies Internet Explorer Protected Mode
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Users\Admin\AppData\Local\Temp\8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe
  C:\Users\Admin\AppData\Local\Temp\8c338feff17e2893d8ef36b0477d6b8e44c6146d4223e0013c99f89a01116a7d.exe --vwxyz
  2⤵
  - Checks BIOS information in registry
  PID:4192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4192-132-0x0000000000000000-mapping.dmp

Download
memory/4192-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4820-131-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4820-130-0x00000000004B0000-0x00000000004B3000-memory.dmp

Filesize
12KB

Download
memory/4820-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads