gootkit | 1615ac8c21cce75cb9e66d60151215e368f6b2aef2547feee2bf68f998702eb9 | Triage

Sharing

General

Target

f541e92a4ee6f86571a04d03eeeb7d5b
Size

288KB
Sample

231220-vv5l5sgcc8
MD5

f541e92a4ee6f86571a04d03eeeb7d5b
SHA1

84b0c8994ef2cdec0bc1d31633cdb50afb4eb824
SHA256

1615ac8c21cce75cb9e66d60151215e368f6b2aef2547feee2bf68f998702eb9
SHA512

31f0369142456fa5f091168aefbcb3994c94dd9e1dcfa78b07f34d5c5340b5b55a8801c25b8ac6ec644674b7e73853a19a749cc363b017aca9b21b6025109373
SSDEEP

6144:wxILdTokcUhDTuDchi3Pc/t4Jnn2lTPCbmNsdOod:l5czghif2O2lTPWOsdOa

Score

10^/10

gootkit 3008 banker botnet trojan

Malware Config

Extracted

Family

gootkit

Botnet

3008

C2

tratata.zinjibil.com

buyyou.org

trktrk.org

fields.mobi

Attributes

vendor_id
3008

Targets

- Target
  
  f541e92a4ee6f86571a04d03eeeb7d5b
- Size
  
  288KB
- MD5
  
  f541e92a4ee6f86571a04d03eeeb7d5b
- SHA1
  
  84b0c8994ef2cdec0bc1d31633cdb50afb4eb824
- SHA256
  
  1615ac8c21cce75cb9e66d60151215e368f6b2aef2547feee2bf68f998702eb9
- SHA512
  
  31f0369142456fa5f091168aefbcb3994c94dd9e1dcfa78b07f34d5c5340b5b55a8801c25b8ac6ec644674b7e73853a19a749cc363b017aca9b21b6025109373
- SSDEEP
  
  6144:wxILdTokcUhDTuDchi3Pc/t4Jnn2lTPCbmNsdOod:l5czghif2O2lTPWOsdOa
Score

10^/10

gootkit 3008 banker botnet trojan
- Gootkit
  Gootkit is a banking trojan, where large parts are written in node.JS.
  trojan banker botnet gootkit
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gootkit3008bankerbotnettrojan

behavioral2

gootkit3008bankerbotnettrojan