Manual Static Analysis — Gootkit Loader | Threat: CRITICAL

File Identity

SHA256:        f78bcfb8006be986143744b3c5a4f7d0e2b6c9f1a3d6e8b1c4f7a0d3e6b9c2f5
File name:     Riba_domestic_building_contract_free_download.exe
Size:          143,744 bytes
String count:  3,166

UK RIBA Building Contract Lure

Lure: Royal Institute of British Architects (RIBA). The file name poses as a free download of the RIBA domestic building contract, aimed at the UK construction sector; it reads like a search phrase, which fits the SEO-poisoned delivery noted in the profile below.

Academic-Site Dead Drop

Key technique: legitimate academic sites are used as C2 dead drops.
http://astron-soc.in/bulletin/11June/289392011.pdf  -- Astronomical Society of India PDF
http://hummer.stanford.edu/museinf...              -- Stanford University research server
-- Academic domains are normally allowed by URL category filters and proxy allow-lists, so requests to them draw little scrutiny
hex.su  -- .su TLD (former Soviet Union) C2 domain
Caveat: these are strings recovered from the binary. Confirm in a detonation that the hosts are actually contacted before treating them as compromised dead drops rather than decoy strings.

Encrypted C2 Config Fragment

answerw='n|vCtlmclfg[+rgDao*(ro)3e|]9zo))+l5]sC2(ie(DtsD(5|[8+aG)cTv)awm;
-- Gootkit C2 server encrypted configuration fragment: a JavaScript-style variable assignment holding an opaque literal. The closing quote is absent from the dump, so the string is probably truncated.
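The two sections above (academic hosts referenced as dead drops, and a long opaque string literal carrying C2 configuration) are exactly what a string-triage pass over a sample should surface automatically. The Python below is an added example written for this page; it is not KEYDAL tooling and not code from the sample. SAMPLE_STRINGS is constructed from the URLs and the `answerw` fragment quoted above plus a few benign strings, the Education suffix/host list and the unusual-TLD set are assumptions to be replaced with your own proxy category data, and the entropy threshold is a heuristic. It flags hosts an education-category allow-list would wave through, flags the .su TLD, and reports quoted assignments whose content is long and high-entropy.

```python
"""String triage for dead-drop hosts and encoded-config literals.

Added example (not the KEYDAL team's tooling). SAMPLE_STRINGS is constructed
from the URLs and the config fragment quoted in this report plus a few benign
strings; it is not a real strings dump of the sample.
"""
import math
import re
from urllib.parse import urlsplit

# Suffixes/hosts a typical proxy category filter would label "Education" and
# allow without inspection (assumption; replace with your own category data).
EDUCATION_SUFFIXES = (".edu", ".ac.uk", ".ac.in")
EDUCATION_HOSTS = {"astron-soc.in"}   # academic society, no .ac suffix
# TLDs rarely seen in legitimate enterprise traffic (assumption).
UNUSUAL_TLDS = {"su", "top", "xyz"}
# Bare host-like tokens with these endings are file names, not domains.
FILE_EXTENSIONS = {"dll", "exe", "sys", "pdf", "js", "ocx"}

URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)
BARE_HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)
# name='<long quoted literal>'; tolerates a truncated dump with no closing quote.
ASSIGN_RE = re.compile(r"^([A-Za-z_$][\w$]*)\s*=\s*'([^']{40,}?)'?;?\s*$")

SAMPLE_STRINGS = [  # constructed
    "This program cannot be run in DOS mode.",
    "kernel32.dll",
    "GetProcAddress",
    "http://astron-soc.in/bulletin/11June/289392011.pdf",
    "http://hummer.stanford.edu/museinf...",   # truncated as in the report
    "hex.su",
    "answerw='n|vCtlmclfg[+rgDao*(ro)3e|]9zo))+l5]sC2(ie(DtsD(5|[8+aG)cTv)awm;",
]


def shannon_entropy(s):
    """Bits per character: ~4.8 for the fragment above, 0 for 'aaaa'."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_host(host):
    """Flags that matter for a dead drop: trusted category, odd TLD."""
    host = host.lower()
    flags = []
    if host.endswith(EDUCATION_SUFFIXES) or host in EDUCATION_HOSTS:
        flags.append("education-category")   # passes a category allow-list
    if host.rsplit(".", 1)[-1] in UNUSUAL_TLDS:
        flags.append("unusual-tld")
    return flags


def triage(strings, min_entropy=4.0):
    """Return referenced hosts (with flags and URLs) and high-entropy quoted
    assignments that may be encoded configuration."""
    hosts = {}
    encoded = []
    for raw in strings:
        line = raw.strip()
        refs = [(urlsplit(u).hostname, u) for u in URL_RE.findall(line)]
        if not refs and BARE_HOST_RE.match(line) \
                and line.rsplit(".", 1)[-1].lower() not in FILE_EXTENSIONS:
            refs = [(line, None)]            # bare domain such as hex.su
        for host, url in refs:
            if not host:
                continue
            entry = hosts.setdefault(host.lower(),
                                     {"urls": [], "flags": classify_host(host)})
            if url and url not in entry["urls"]:
                entry["urls"].append(url)
        m = ASSIGN_RE.match(line)
        if m:
            name, literal = m.group(1), m.group(2)
            ent = shannon_entropy(literal)
            if ent >= min_entropy:           # heuristic threshold
                encoded.append({"name": name, "length": len(literal),
                                "entropy": round(ent, 2)})
    return {"hosts": hosts, "encoded_strings": encoded}


if __name__ == "__main__":
    report = triage(SAMPLE_STRINGS)
    for host, info in sorted(report["hosts"].items()):
        print(f"{host:22} {','.join(info['flags']) or '-':20} {info['urls']}")
    for e in report["encoded_strings"]:
        print(f"encoded-config candidate: {e['name']} len={e['length']} H={e['entropy']}")
```

Run it as a script for the report, or import `triage` and feed it the output of `strings` or FLOSS. The education-category flag does not say the host is malicious; it says domain reputation alone will not catch a dead drop on a trusted host. The usable signal is a suspicious executable referencing such hosts, so pivot to proxy logs for connections to them from the dropped file's process.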

IOC

SHA256:     f78bcfb8006be986143744b3c5a4f7d0e2b6c9f1a3d6e8b1c4f7a0d3e6b9c2f5
C2:         hex.su
Dead drop:  astron-soc.in, hummer.stanford.edu
Lure:       RIBA UK building contract

Gootkit2 — Malware Profile

Gootkit2 (GootLoader) is a banking trojan and loader. This sample uses academic sites as dead drops, a RIBA/UK lure, and SEO poisoning: the file name mirrors the search phrase "riba domestic building contract free download", which is how poisoned search results steer victims to the download.

Malware Type
Loader
Programming Language
JavaScript/Node.js
C2 Protocol
HTTP
Target Systems
Finance / UK / Germany

Capabilities & Behavior

Payload download
Process injection
Modular architecture
Credential theft
Lateral movement
Persistence
Anti-VM/Sandbox
Secondary payload delivery

IOC List (1 indicator)

IOC — Gootkit2
# SHA256 f78bcfb8006be986143744b3c5a4f7d0e2b6c9f1a3d6e8b1c4f7a0d3e6b9c2f5
Type     Value                                                             Note
sha256   f78bcfb8006be986143744b3c5a4f7d0e2b6c9f1a3d6e8b1c4f7a0d3e6b9c2f5  -

C2 Servers (1 recorded servers for this family)

Address Type Port Protocol Status Country
hex.su domain 443 HTTPS inactive —

C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.

Tags
gootkit, riba-uk-lure, stanford-deadrop, astronomy-deadrop, hex-su, rotspider