Analysis

  • max time kernel
    153s
  • max time network
    51s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/11/2022, 12:22 UTC

General

  • Target

    e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe

  • Size

    190KB

  • MD5

    0efd60d786dcbb576ae58e972c1a2af7

  • SHA1

    3e5dbf1c1705301e7c74702eaf2a15dbe61633b9

  • SHA256

    e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342

  • SHA512

    5053692afa2765c832f1ab031d096a0be27189e9ef96ca2e6d3aa991fbd5312c16130c59ede024a32f531fe2cd6caf4d542e5b7a75d43543134f6df0b7d68c7f

  • SSDEEP

    3072:tJHZhFQur3ZsZ3o2HO/Kmj0itWbTV8NVT+x02z6YF69XJ79eoExd8:HHZPDri3MiQtWaNdqBz6YKDbOd

Malware Config

Extracted

Family

gootkit

Botnet

2855

C2

me.jmitchelldayton.com

otnhmtkwodm1.site

Attributes
  • vendor_id

    2855

Signatures

  • Gootkit

    Gootkit is a banking trojan; large parts of it are written in Node.js.

  • Modifies Internet Explorer Protected Mode (1 TTP, 5 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
    "C:\Users\Admin\AppData\Local\Temp\e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe"
    1⤵
    • Modifies Internet Explorer Protected Mode
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Users\Admin\AppData\Local\Temp\e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
      C:\Users\Admin\AppData\Local\Temp\e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe --vwxyz
      2⤵
        PID:1608

    Network

    • flag-unknown
      DNS  me.jmitchelldayton.com
      Process: e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
      Remote address: 8.8.8.8:53
      Request:  me.jmitchelldayton.com IN A
      Response: me.jmitchelldayton.com IN A 185.158.248.133

    • 185.158.248.133:443  (me.jmitchelldayton.com)
      Process: e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
      10 connections, each 152 B sent / 120 B received, 3 / 3 packets

    • 8.8.8.8:53  (me.jmitchelldayton.com, dns)
      Process: e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe
      68 B sent / 84 B received, 1 / 1 packets
      DNS Request:  me.jmitchelldayton.com
      DNS Response: 185.158.248.133
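    Added example, not part of the sandbox report or of the Gootkit sample: a Python detection sketch that turns the indicators above into checks run over a constructed, simplified Sysmon-style event stream. The hashes, C2 domains, resolved IP, the `--vwxyz` self-relaunch and the 152 B / 120 B connection sizes come from the report; the event field names, the benign noise event and the assumption that "Modifies Internet Explorer Protected Mode" surfaces as a write of the per-zone value `2500` under `Internet Settings\Zones` are illustrative assumptions.

```python
"""Detection sketch for the Gootkit indicators in the report above.

Added example; not the sandbox vendor's or the malware's code. Events are a
constructed, simplified Sysmon-like stream of dicts; field names are assumed.
"""
import re
from collections import Counter, defaultdict
from typing import Iterable

# Indicators taken from the report.
C2_DOMAINS = {"me.jmitchelldayton.com", "otnhmtkwodm1.site"}
C2_IPS = {"185.158.248.133"}
KNOWN_HASHES = {
    "e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342",  # SHA256
    "3e5dbf1c1705301e7c74702eaf2a15dbe61633b9",                          # SHA1
    "0efd60d786dcbb576ae58e972c1a2af7",                                  # MD5
}
# Assumption: the "Modifies Internet Explorer Protected Mode" signature shows up as a
# write to the per-zone value 2500 (3 = Protected Mode off); the report does not name the key.
IE_ZONE_RE = re.compile(r"\\Internet Settings\\Zones\\[0-4]\\2500$", re.IGNORECASE)


def is_c2_domain(name: str) -> bool:
    """Exact or subdomain match against the extracted C2 list."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


def match_event(ev: dict) -> list[str]:
    """Return the indicator names a single event triggers (empty if none)."""
    hits: list[str] = []
    kind = ev.get("type")
    if kind == "process_create":
        if {ev.get(k, "").lower() for k in ("md5", "sha1", "sha256")} & KNOWN_HASHES:
            hits.append("gootkit-known-hash")
        # Process tree above: the sample re-executes its own image with --vwxyz.
        # Naive split is fine here because the sample path contains no spaces.
        if "--vwxyz" in ev.get("cmdline", "").split() and ev.get("image") == ev.get("parent_image"):
            hits.append("gootkit-self-relaunch")
    elif kind == "dns_query" and is_c2_domain(ev.get("query", "")):
        hits.append("gootkit-c2-dns")
    elif kind == "network_connect" and ev.get("dst_ip") in C2_IPS:
        hits.append("gootkit-c2-ip")
    elif kind == "registry_set":
        if IE_ZONE_RE.search(ev.get("target", "")) and str(ev.get("value")) == "3":
            hits.append("ie-protected-mode-disabled")
    return hits


def scan(events: Iterable[dict]) -> dict[int, list[str]]:
    """Aggregate distinct indicator hits per PID, preserving first-seen order."""
    findings: dict[int, list[str]] = defaultdict(list)
    for ev in events:
        for hit in match_event(ev):
            if hit not in findings[ev["pid"]]:
                findings[ev["pid"]].append(hit)
    return dict(findings)


def beacon_candidates(events: Iterable[dict], min_count: int = 5) -> list[tuple[tuple, int]]:
    """Flag repeated connections to one endpoint with identical byte counts, the
    pattern the report shows (ten 152 B / 120 B sessions to the same host)."""
    counts = Counter(
        (ev["dst_ip"], ev["dst_port"], ev["bytes_out"], ev["bytes_in"])
        for ev in events if ev.get("type") == "network_connect"
    )
    return [(key, n) for key, n in counts.items() if n >= min_count]


# Constructed sample stream modelled on the process tree and network section above.
_EXE = r"C:\Users\Admin\AppData\Local\Temp\e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342.exe"
_SHA256 = "e2a63790f641f0eef2689f693740d566b9d701ed3d30aae745ffd0ae4acec342"
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1672, "image": _EXE, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": f'"{_EXE}"', "sha256": _SHA256},
    {"type": "registry_set", "pid": 1672, "value": 3,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500"},
    {"type": "process_create", "pid": 1608, "image": _EXE, "parent_image": _EXE,
     "cmdline": f"{_EXE} --vwxyz", "sha256": _SHA256},
    {"type": "dns_query", "pid": 1672, "query": "me.jmitchelldayton.com"},
    *[{"type": "network_connect", "pid": 1672, "dst_ip": "185.158.248.133", "dst_port": 443,
       "bytes_out": 152, "bytes_in": 120} for _ in range(10)],
    {"type": "dns_query", "pid": 2200, "query": "www.example.com"},  # benign noise, constructed
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, hits)
    print(beacon_candidates(SAMPLE_EVENTS))
```

    The hash and domain checks are the brittle part (a repacked sample or a new domain defeats them); the self-relaunch check and the identical-size beacon heuristic survive that and are the ones worth porting to a real SIEM rule.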

    MITRE ATT&CK Enterprise v6

    Downloads

    • memory/1672-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

      Filesize

      8KB

    • memory/1672-56-0x0000000000400000-0x0000000000432000-memory.dmp

      Filesize

      200KB

    • memory/1672-55-0x0000000000400000-0x0000000000432000-memory.dmp

      Filesize

      200KB