gootkit | 7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989

General

Target

7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
Size

190KB
MD5

cfe77040029dbc2a5a6a416c02017bd0
SHA1

3b01ffd567b3443d0613f867a69ce4a60d2d7a26
SHA256

7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989
SHA512

5bbc23aee0b94c774b9d0795e94f019f2c86e1966a6bbfec0bca0b71fc0c3caa01754fc8960e70fdfa92cc627bc06602a90aba96d2af25b09b7b2e4d1ec21332

Score

10^/10

gootkit 2855 banker botnet trojan

Malware Config

Extracted

Family

gootkit

Botnet

2855

C2

me.jmitchelldayton.com

otnhmtkwodm1.site

Attributes

vendor_id
2855

Signatures

Gootkit
Gootkit is a banking trojan, where large parts are written in node.JS.
trojan banker botnet gootkit

Modifies Internet Explorer Protected Mode 1 TTPs 5 IoCs

Modify Registry

T1112

Processes:

7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\2500 = "3"	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe

pid	process
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe

description	pid	process	target process
PID 4556 wrote to memory of 3664	4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
PID 4556 wrote to memory of 3664	4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
PID 4556 wrote to memory of 3664	4556	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe	7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe

C:\Users\Admin\AppData\Local\Temp\7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
"C:\Users\Admin\AppData\Local\Temp\7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe"
1⤵
- Modifies Internet Explorer Protected Mode
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Users\Admin\AppData\Local\Temp\7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe
  C:\Users\Admin\AppData\Local\Temp\7af90590d1cd4e6f6d9d54bfc65e827d5ed0b062241e92d0a71eb991d079d989.exe --vwxyz
  2⤵
  PID:3664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3664-132-0x0000000000000000-mapping.dmp

Download
memory/4556-131-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4556-130-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads