gootkit | 282d2563e428a52e763353b3f2155984f9e0f483d6386300822f8da86f023750

Analysis

max time kernel
144s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2023 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8064cb2d6272e464ae5962292422152c.exe
Size

349KB
MD5

8064cb2d6272e464ae5962292422152c
SHA1

47bad41a2192dc9392e70ce8118d4028b79655fb
SHA256

282d2563e428a52e763353b3f2155984f9e0f483d6386300822f8da86f023750
SHA512

e2eff22eec6dd9e3aa41d338d0cde642c975c0ee2dfa46f4fe6c9b480306d3ad7af5b87d4758c66877a79e4d6df7c95323d953bf8a8e42078c5c2bab5237de88
SSDEEP

6144:48IFCVf+vT9N2g/f4+HYVFn9u53jU4A8llwr9sEpDQC0Ta+:jVWvZcg/N+ni3jUUlwtpD90Ta

Score

10^/10

gootkit 163 banker botnet trojan

Malware Config

Extracted

Family

gootkit

Botnet

163

api.gallantlystreaming.org

asapgetnode.club

pop3.verihostname.work

Attributes

vendor_id
163

Signatures

Gootkit
Gootkit is a banking trojan, where large parts are written in node.JS.
trojan banker botnet gootkit

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8064cb2d6272e464ae5962292422152c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	8064cb2d6272e464ae5962292422152c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

8064cb2d6272e464ae5962292422152c.execmd.exe

description	pid	process	target process
PID 4072 wrote to memory of 212	4072	8064cb2d6272e464ae5962292422152c.exe	cmd.exe
PID 4072 wrote to memory of 212	4072	8064cb2d6272e464ae5962292422152c.exe	cmd.exe
PID 4072 wrote to memory of 212	4072	8064cb2d6272e464ae5962292422152c.exe	cmd.exe
PID 212 wrote to memory of 5096	212	cmd.exe	attrib.exe
PID 212 wrote to memory of 5096	212	cmd.exe	attrib.exe
PID 212 wrote to memory of 5096	212	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

5096 attrib.exe

pid	process
5096	attrib.exe

C:\Users\Admin\AppData\Local\Temp\8064cb2d6272e464ae5962292422152c.exe
"C:\Users\Admin\AppData\Local\Temp\8064cb2d6272e464ae5962292422152c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240622500.bat" "C:\Users\Admin\AppData\Local\Temp\8064cb2d6272e464ae5962292422152c.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\8064cb2d6272e464ae5962292422152c.exe"
    3⤵
    - Views/modifies file attributes
    PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240622500.bat

Filesize
76B

MD5
87feb5f39f1124cf814c8c3a3c6950b3

SHA1
83487372b3cea4b18abdac260b85f69c0444ec59

SHA256
b6097138995a0b358c605b5df56d47e628ce2cab948280e16d93e82a5aa97f40

SHA512
12ff12733c811258f704ab79ff62f5f84d1bc36f31b72646f991ad11255ae7f1ecd9791a1ef754691df9337d8c64dc6ab24905061a13f44ded88b76812a11e17

Download Submit
memory/4072-0-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/4072-1-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download