Manual Static Analysis — Gootkit Loader | Threat: CRITICAL
File Identity
| Field | Value |
|---|---|
| SHA256 | f78bcfb8006be986143744b3c5a4f7d0e2b6c9f1a3d6e8b1c4f7a0d3e6b9c2f5 |
| File Name | Riba_domestic_building_contract_free_download.exe |
| Size | 143,744 bytes |
| String Count | 3,166 |
UK RIBA Construction Contract Lure
Lure: Royal Institute of British Architects (RIBA) — targets the UK construction sector!
Academic Source Dead Drop
Key technique: legitimate academic sites are used as C2 dead drops!
- http://astron-soc.in/bulletin/11June/289392011.pdf -- PDF hosted by the Astronomical Society of India
- http://hummer.stanford.edu/museinf... -- Stanford University research server
- Academic domain = whitelist/proxy bypass
- hex.su -- .su TLD (Soviet) C2 domain
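The following Python is added here as a defensive example and is not part of the KEYDAL report. It matches the indicators from this page (the sample hash, the hex.su C2 domain and the two dead-drop URLs) against proxy log records. The log format, timestamps, client addresses, the www.example.com download host and the academic allow-list are constructed for the example; the Stanford path is matched only on the prefix the report shows before its truncation. The point it demonstrates is the allow-list bypass described above: the dead-drop URLs are matched on host plus path, so a hit still fires even when the proxy allow-lists the academic domain.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the report above.
IOC_SHA256 = {"f78bcfb8006be986143744b3c5a4f7d0e2b6c9f1a3d6e8b1c4f7a0d3e6b9c2f5"}
IOC_C2_DOMAINS = {"hex.su"}
# Dead-drop URLs: host -> path prefix. The Stanford path is truncated in the
# report, so only the visible prefix is used here.
IOC_DEAD_DROP_URLS = {
    "astron-soc.in": "/bulletin/11June/289392011.pdf",
    "hummer.stanford.edu": "/museinf",
}
# Hypothetical allow-list of academic domains a proxy might trust (assumption).
ALLOWLIST_SUFFIXES = (".edu", ".ac.uk", "astron-soc.in")

# Constructed proxy log format (not from the report):
# <timestamp> <client_ip> <action> <method> <url> <sha256-of-response or ->
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<action>\S+) (?P<method>\S+) "
    r"(?P<url>\S+) (?P<sha256>\S+)$"
)


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def is_allowlisted(host):
    """Would a domain-only allow-list have let this host through?"""
    return host.endswith(ALLOWLIST_SUFFIXES)


def classify(entry):
    """Return the list of IOC categories a single proxy record matches."""
    reasons = []
    url = entry["url"]
    host = _host(url)
    path = urlsplit(url).path
    if host in IOC_C2_DOMAINS or host.endswith(tuple("." + d for d in IOC_C2_DOMAINS)):
        reasons.append("c2-domain")
    prefix = IOC_DEAD_DROP_URLS.get(host)
    if prefix and path.startswith(prefix):
        # Full-URL match: fires regardless of whether the domain is allow-listed.
        reasons.append("dead-drop-url")
    if entry["sha256"].lower() in IOC_SHA256:
        reasons.append("known-sample-hash")
    return reasons


def scan(lines):
    """Parse proxy log lines and return the records that match any IOC."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line
        entry = m.groupdict()
        reasons = classify(entry)
        if reasons:
            hits.append({
                "client": entry["client"],
                "url": entry["url"],
                "reasons": reasons,
                "allowlisted": is_allowlisted(_host(entry["url"])),
            })
    return hits


# Constructed sample log; only the URLs and hash come from the report.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 ALLOW GET http://astron-soc.in/bulletin/11June/289392011.pdf -
2024-01-01T10:00:01Z 10.0.0.5 ALLOW GET http://hummer.stanford.edu/index.html -
2024-01-01T10:00:02Z 10.0.0.5 ALLOW POST https://hex.su/ -
2024-01-01T10:00:03Z 10.0.0.9 ALLOW GET https://www.example.com/Riba_domestic_building_contract_free_download.exe f78bcfb8006be986143744b3c5a4f7d0e2b6c9f1a3d6e8b1c4f7a0d3e6b9c2f5
this line is not a proxy record
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit)
```

The benign request to hummer.stanford.edu/index.html produces no hit, while the astron-soc.in PDF is flagged even though the same host is on the allow-list; the `allowlisted` field makes that gap visible to the analyst.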
Encrypted C2 Config Fragment
`answerw='n|vCtlmclfg[+rgDao*(ro)3e|]9zo))+l5]sC2(ie(DtsD(5|[8+aG)cTv)awm;` -- encrypted configuration fragment for the Gootkit C2 server
IOC
| Indicator | Value |
|---|---|
| SHA256 | f78bcfb8006be986143744b3c5a4f7d0e2b6c9f1a3d6e8b1c4f7a0d3e6b9c2f5 |
| C2 | hex.su |
| Dead Drop | astron-soc.in, Stanford Hummer |
| Lure | RIBA UK construction contract |
Gootkit2 — Malware Profile
Gootkit2 (GootLoader) is a banking trojan plus loader. Academic-site dead drop. RIBA/UK lure. SEO poisoning.
| Attribute | Value |
|---|---|
| Malware Type | Loader |
| Programming Language | JavaScript/Node.js |
| C2 Protocol | HTTP |
| Target Systems | Finance/UK/Germany |
Capabilities & Behavior
- Payload Download
- Process Injection
- Modular Architecture
- Credential Theft
- Lateral Movement
- Persistence
- Anti-VM/Sandbox
- Secondary Payload Delivery
IOC List (1 indicator)
IOC — Gootkit2
| Type | Value | Note |
|---|---|---|
| sha256 | f78bcfb8006be986143744b3c5a4f7d0e2b6c9f1a3d6e8b1c4f7a0d3e6b9c2f5 | |
C2 Servers (1 recorded server for this family)
| Address | Type | Port | Protocol | Status | Country |
|---|---|---|---|---|---|
| hex.su | domain | 443 | HTTPS | inactive | — |
C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.