Overview

overview

10

Static

static

3

8064cb2d62...2c.exe

windows7-x64

10

8064cb2d62...2c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    22-12-2023 09:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8064cb2d6272e464ae5962292422152c.exe

  • Size

    349KB

  • MD5

    8064cb2d6272e464ae5962292422152c

  • SHA1

    47bad41a2192dc9392e70ce8118d4028b79655fb

  • SHA256

    282d2563e428a52e763353b3f2155984f9e0f483d6386300822f8da86f023750

  • SHA512

    e2eff22eec6dd9e3aa41d338d0cde642c975c0ee2dfa46f4fe6c9b480306d3ad7af5b87d4758c66877a79e4d6df7c95323d953bf8a8e42078c5c2bab5237de88

  • SSDEEP

    6144:48IFCVf+vT9N2g/f4+HYVFn9u53jU4A8llwr9sEpDQC0Ta+:jVWvZcg/N+ni3jUUlwtpD90Ta

Score
10/10
gootkit163bankerbotnettrojan

Malware Config

Extracted

Family

gootkit

Botnet

163

C2

api.gallantlystreaming.org

asapgetnode.club

pop3.verihostname.work
Attributes
  • vendor_id

    163

Signatures

  • Gootkit

    Gootkit is a banking trojan, where large parts are written in node.JS.

    trojanbankerbotnetgootkit
  • Deletes itself 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 8 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\8064cb2d6272e464ae5962292422152c.exe
    "C:\Users\Admin\AppData\Local\Temp\8064cb2d6272e464ae5962292422152c.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\259414343.bat" "C:\Users\Admin\AppData\Local\Temp\8064cb2d6272e464ae5962292422152c.exe""
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2720
  • C:\Windows\SysWOW64\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\8064cb2d6272e464ae5962292422152c.exe"
    1⤵
    • Views/modifies file attributes
    PID:2824

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\259414343.bat
    Filesize

    76B

    MD5

    48589d1c664fb45ade0b261f99c95392

    SHA1

    296cb9ac6faac798c5c87e3b1921128bae891eea

    SHA256

    c63258dfa64e40e53714401e3da36dd2576d9c24a032d15f79abad1904b89e07

    SHA512

    32a4f553d78f8b7500775f70d64b9ae3df6d4afd4c8638551bbe45d45e3a9bc43880f5960ac8cef708d6df294875465bdbc2abd3db717de1561071241f45f02b

    Download Submit

  • memory/1516-1-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/1516-0-0x00000000003E0000-0x00000000003E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1516-10-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

    Download