Manuel Statik Analiz — Gootkit Loader | Tehdit: KRITIK

Fichier Kimliği

SHA256f78bcfb8006be986143744b3c5a4f7d0e2b6c9f1a3d6e8b1c4f7a0d3e6b9c2f5
Nom du fichierRiba_domestic_building_contract_free_download.exe
Taille143.744 byte
String Sayisi3.166

UK RIBA İnşaat Sözleşmesi Tuzağı

Lure: Royal Institute of British Architects (RIBA) — İngiltere inşaat sektörü hedefi!

Akademik Kaynak Dead Drop

Kritik Teknik: Meşru akademik siteler C2 dead drop olarak kullanılıyor!
http://astron-soc.in/bulletin/11June/289392011.pdf  -- Hint Astronomi Derneği PDF
http://hummer.stanford.edu/museinf...              -- Stanford Üniversitesi araştırma sunucusu
-- Akademik domain = whitelist/proxy bypass
hex.su  -- .su TLD (Sovyet) C2 domain

Şifreli C2 Config Fragmenti

answerw='n|vCtlmclfg[+rgDao*(ro)3e|]9zo))+l5]sC2(ie(DtsD(5|[8+aG)cTv)awm;
-- Gootkit C2 sunucu şifreli yapılandırma fragmenti

IOC

SHA256f78bcfb8006be986143744b3c5a4f7d0e2b6c9f1a3d6e8b1c4f7a0d3e6b9c2f5
C2hex.su
Dead Dropastron-soc.in, Stanford Hummer
LureRIBA UK inşaat sözleşmesi

Gootkit2 — Profil du malware

Gootkit2 (GootLoader) bankacilık trojanı+loader. Akademik site dead drop. RIBA/UK lure. SEO poisoning.

Type de malware
Loader
Langage de programmation
JavaScript/Node.js
Protocole C2
HTTP
Systèmes ciblés
Finans/UK/Almanya

Capacités et comportement

Payload İndirme
Süreç Enjeksiyonu
Modüler Mimari
Kimlik Bilgisi Hırsızlığı
Yanal Hareket
Kalıcılık
Anti-VM/Sandbox
İkincil Payload Dağıtımı

Liste IOC (1 indicateurs)

IOC — Gootkit2
# SHA256 f78bcfb8006be986143744b3c5a4f7d0e2b6c9f1a3d6e8b1c4f7a0d3e6b9c2f5
TypeValeurNote
sha256 f78bcfb8006be986143744b3c5a4f7d0e2b6c9f1a3d6e8b1c4f7a0d3e6b9c2f5

Serveurs C2 (1 serveurs enregistrés pour cette famille)

Adresse Type Port Protocole Statut Pays
hex.su domain 443 HTTPS inactive —

Les adresses C2 proviennent uniquement d'échantillons de malwares vérifiés manuellement par l'équipe KEYDAL. Toute utilisation commerciale est interdite.

Tags
gootkitriba-uk-lurestanford-deadropastronomy-deadrophex-surotspider