gootkit | e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342

General

Target

e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
Size

190KB
MD5

0efd60d786dcbb576ae58e972c1a2af7
SHA1

3e5dbf1c1705301e7c74702eaf2a15dbe61633b9
SHA256

e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342
SHA512

5053692afa2765c832f1ab031d096a0be27189e9ef96ca2e6d3aa991fbd5312c16130c59ede024a32f531fe2cd6caf4d542e5b7a75d43543134f6df0b7d68c7f
SSDEEP

3072:tJHZhFQur3ZsZ3o2HO/Kmj0itWbTV8NVT+x02z6YF69XJ79eoExd8:HHZPDri3MiQtWaNdqBz6YKDbOd

Score

10^/10

gootkit 2855 banker botnet trojan

Malware Config

Extracted

Family

gootkit

Botnet

2855

C2

me.jmitchelldayton.com

otnhmtkwodm1.site

Attributes

vendor_id
2855

Signatures

Gootkit
Gootkit is a banking trojan, where large parts are written in node.JS.
trojan banker botnet gootkit

Modifies Internet Explorer Protected Mode 1 TTPs 5 IoCs

Modify Registry

T1112

Processes:

e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\2500 = "3"	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe

pid	process
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe

description	pid	process	target process
PID 1672 wrote to memory of 1608	1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
PID 1672 wrote to memory of 1608	1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
PID 1672 wrote to memory of 1608	1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
PID 1672 wrote to memory of 1608	1672	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe	e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe

C:\Users\Admin\AppData\Local\Temp\e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
"C:\Users\Admin\AppData\Local\Temp\e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe"
1⤵
- Modifies Internet Explorer Protected Mode
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
  C:\Users\Admin\AppData\Local\Temp\e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe --vwxyz
  2⤵
  PID:1608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1608-57-0x0000000000000000-mapping.dmp

Download
memory/1672-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1672-56-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1672-55-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads