gootkit | 282d2563e428a52e763353b3f2155984f9e0f483d6386300822f8da86f023750 | Triage

Sharing

General

Target

8064cb2d6272e464ae5962292422152c
Size

349KB
Sample

231222-k6ql9agdd2
MD5

8064cb2d6272e464ae5962292422152c
SHA1

47bad41a2192dc9392e70ce8118d4028b79655fb
SHA256

282d2563e428a52e763353b3f2155984f9e0f483d6386300822f8da86f023750
SHA512

e2eff22eec6dd9e3aa41d338d0cde642c975c0ee2dfa46f4fe6c9b480306d3ad7af5b87d4758c66877a79e4d6df7c95323d953bf8a8e42078c5c2bab5237de88
SSDEEP

6144:48IFCVf+vT9N2g/f4+HYVFn9u53jU4A8llwr9sEpDQC0Ta+:jVWvZcg/N+ni3jUUlwtpD90Ta

Score

10^/10

gootkit 163 banker botnet trojan

Malware Config

Extracted

Family

gootkit

Botnet

163

C2

api.gallantlystreaming.org

asapgetnode.club

pop3.verihostname.work

Attributes

vendor_id
163

Targets

- Target
  
  8064cb2d6272e464ae5962292422152c
- Size
  
  349KB
- MD5
  
  8064cb2d6272e464ae5962292422152c
- SHA1
  
  47bad41a2192dc9392e70ce8118d4028b79655fb
- SHA256
  
  282d2563e428a52e763353b3f2155984f9e0f483d6386300822f8da86f023750
- SHA512
  
  e2eff22eec6dd9e3aa41d338d0cde642c975c0ee2dfa46f4fe6c9b480306d3ad7af5b87d4758c66877a79e4d6df7c95323d953bf8a8e42078c5c2bab5237de88
- SSDEEP
  
  6144:48IFCVf+vT9N2g/f4+HYVFn9u53jU4A8llwr9sEpDQC0Ta+:jVWvZcg/N+ni3jUUlwtpD90Ta
Score

10^/10

gootkit 163 banker botnet trojan
- Gootkit
  Gootkit is a banking trojan, where large parts are written in node.JS.
  trojan banker botnet gootkit
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

gootkit163bankerbotnettrojan

behavioral2

gootkit163bankerbotnettrojan