Overview

overview

10

Static

static

3

f541e92a4e...5b.exe

windows7-x64

10

f541e92a4e...5b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-12-2023 17:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f541e92a4ee6f86571a04d03eeeb7d5b.exe

  • Size

    288KB

  • MD5

    f541e92a4ee6f86571a04d03eeeb7d5b

  • SHA1

    84b0c8994ef2cdec0bc1d31633cdb50afb4eb824

  • SHA256

    1615ac8c21cce75cb9e66d60151215e368f6b2aef2547feee2bf68f998702eb9

  • SHA512

    31f0369142456fa5f091168aefbcb3994c94dd9e1dcfa78b07f34d5c5340b5b55a8801c25b8ac6ec644674b7e73853a19a749cc363b017aca9b21b6025109373

  • SSDEEP

    6144:wxILdTokcUhDTuDchi3Pc/t4Jnn2lTPCbmNsdOod:l5czghif2O2lTPWOsdOa

Score
10/10
gootkit3008bankerbotnettrojan

Malware Config

Extracted

Family

gootkit

Botnet

3008

C2

tratata.zinjibil.com

buyyou.org

trktrk.org

fields.mobi
Attributes
  • vendor_id

    3008

Signatures

  • Gootkit

    Gootkit is a banking trojan, where large parts are written in node.JS.

    trojanbankerbotnetgootkit
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\f541e92a4ee6f86571a04d03eeeb7d5b.exe
    "C:\Users\Admin\AppData\Local\Temp\f541e92a4ee6f86571a04d03eeeb7d5b.exe"
    1⤵
    • Checks BIOS information in registry
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3448
    • C:\Windows\SysWOW64\mstsc.exe
      C:\Windows\System32\mstsc.exe "C:\Users\Admin\AppData\Local\Temp\f541e92a4ee6f86571a04d03eeeb7d5b.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4072
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240642078.bat" "C:\Users\Admin\AppData\Local\Temp\f541e92a4ee6f86571a04d03eeeb7d5b.exe""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4404
        • C:\Windows\SysWOW64\attrib.exe
          attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\f541e92a4ee6f86571a04d03eeeb7d5b.exe"
          4⤵
          • Views/modifies file attributes
          PID:4756

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\240642078.bat
    Filesize

    76B

    MD5

    0940a591f34c6c8baa728b32ba55aac9

    SHA1

    da91c6f35ffc386fb19d1b87de4f6405b1c27825

    SHA256

    a1d2bc5d2ee430581313b35e0fad1dc16d3e07869c7b00c8a8770bbc7bb0acda

    SHA512

    75064f154ec57b6a768bb818b66ebd858f6286ab843f190902e46081da6faf95b40ca092832c70cd5b9b780d804bcac8a04e6eb114e877e884c603893cdec5a7

    Download Submit

  • memory/3448-0-0x0000000000560000-0x0000000000561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3448-1-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

    Download

  • memory/4072-3-0x0000000000630000-0x0000000000650000-memory.dmp

    Filesize

    128KB

    Download