File Identity
| Field | Value |
|---|---|
| SHA256 | 3009c78448fb115e11ce5eaffa2e238a78bbe69c1f4ea01e8d0af32ce8a4d2d4 |
| File Name | Legal_Case_Management_Guide_2025.zip |
| Size | 87,335,340 bytes (87 MB) |
| String Count | 387,630 (ZIP contents) |
Social Engineering Lure
GootLoader Chain
ZIP (87 MB)
└── obfuske_js_loader.js (executed via Windows Script Host)
    └── Encrypted second-stage JS
        └── Communication with C2 over HTTPS
            └── Loads Cobalt Strike / IcedID / Kronos
About GootLoader
GootLoader is a JavaScript-based loader family that has been active since 2020. It began as an advanced module of the Gootkit banking trojan and over time became a standalone MaaS (Malware-as-a-Service) offering. It targets the legal, accounting, insurance and finance sectors through SEO poisoning. The obfuscated JavaScript is executed by Windows Script Host (WScript) and downloads the second-stage payload from an HTTPS C2.
IOC
| Field | Value |
|---|---|
| SHA256 | 3009c78448fb115e11ce5eaffa2e238a78bbe69c1f4ea01e8d0af32ce8a4d2d4 |
| Lure | Legal_Case_Management_Guide_2025.zip |
| C2 | HTTPS (obfuscated JS) |
Gootloader — Malware Profile
GootLoader/GootKit v3 JavaScript loader. SEO poisoning campaign. Legal-document lure. JScript dropper.
Technical Details
Depending on the variant: C/C#/VBS/PS1, anti-analysis (VM/debugger checks), persistence (Registry/Task Scheduler/Startup folder), payload decryption and injection (shellcode/PE), fileless execution techniques.
Capabilities & Behavior
IOC List (1 indicator)
| Type | Value | Note |
|---|---|---|
| sha256 | 3009c78448fb115e11ce5eaffa2e238a78bbe69c1f4ea01e8d0af32ce8a4d2d4 | Legal_Case_Management_Guide_2025.zip |
C2 Servers (3 recorded servers for this family)
| Address | Type | Port | Protocol | Status | Country |
|---|---|---|---|---|---|
| 23.227.203.68 | ip | 443 | HTTPS | active | US |
| 216.122.229.106 | ip | 443 | HTTPS | inactive | US |
| login.itwrx.com | domain | 443 | HTTPS | inactive | US |
C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.