SYMBOLCOMMON_NAMEaka. SYNONYMS
win.gootkit (Back to overview)

GootKit

aka: Waldek, Xswkit, talalpek
VTCollection     URLhaus      

Gootkit is a banking trojan consisting of an x86 loader and a payload embedding nodejs as well as a set of js scripts. The loader downloads the payload, stores it in registry and injects it in a copy of the loader process. The loader also contains two encrypted DLLs intended to be injected into each browser process launched in order to place the payload in man in the browser and allow it to apply the webinjects received from the command and control server on HTTPx exchanges. This allows Gootkit to intercept HTTPx requests and responses, steal their content or modify it according to the webinjects.

References
2023-01-09TrendmicroFe Cureg, Hitomi Kimura, Ryan Maglaque, Trent Bessell
Gootkit Loader Actively Targets Australian Healthcare Industry
GootLoader GootKit
2022-09-22deepwatchBen Nichols, Eric Ford
Is Gootloader Working with a Foreign Intelligence Service?
GootKit
2022-07-27Trend MicroBuddy Tancio, Jed Valderama
Gootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike
Cobalt Strike GootKit Kronos REvil SunCrypt
2022-05-09The DFIR ReportThe DFIR Report
SEO Poisoning – A Gootloader Story
GootLoader LaZagne Cobalt Strike GootKit
2022-03-22Red CanaryRed Canary
2022 Threat Detection Report
FAKEUPDATES Silver Sparrow BazarBackdoor Cobalt Strike GootKit Yellow Cockatoo RAT
2021-11-26Twitter (@jhencinski)Jon Hencinski
Twitter Thread on weelky MDR recap from expel.io
GootKit Squirrelwaffle
2021-11-10BlackberryCodi Starks, Ryan Chapman
REvil Under the Microscope
GootKit REvil
2021-09-03Trend MicroMohamad Mokbel
The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2021-06-07KasperskyAnton Kuzmenko
Gootkit: the cautious Trojan
GootKit
2021-03-02Github (microsoft)Microsoft
Microsoft-365-Defender-Hunting-Queries for hunting Gootkit malware delivery and C2
GootKit
2021-03-02Twitter (@MsftSecIntel)Microsoft Security Intelligence
Tweet on Gootkit malware campaign
GootKit
2021-03-01Sophos LabsAndrew Brandt, Gabor Szappanos
“Gootloader” expands its payload delivery options
GootKit
2021-02-02CRONUPGermán Fernández
De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-01-19Palo Alto Networks Unit 42Brad Duncan
Wireshark Tutorial: Examining Emotet Infection Traffic
Emotet GootKit IcedID QakBot TrickBot
2020-12-11Trend MicroMarc Lanzendorfer
Investigating the Gootkit Loader
GootKit
2020-11-30Malwarebyteshasherezade, Jérôme Segura
German users targeted with Gootkit banker or REvil ransomware
GootKit REvil
2020-04-13BlackberryMasaki Kasuya, Tatsuya Hasegawa
Threat Spotlight: Gootkit Banking Trojan
Azorult GootKit
2019-10-02Dissecting MalwareMarius Genheimer
Nicht so goot - Breaking down Gootkit and Jasper (+ FTCODE)
FTCODE JasperLoader GootKit
2019-08-29SentinelOneDaniel Bunce
Gootkit Banking Trojan | Part 2: Persistence & Other Capabilities
GootKit
2019-08-15SentinelOneDaniel Bunce
Gootkit Banking Trojan | Deep Dive into Anti-Analysis Features
GootKit
2019-08-15Sentinel LABSDaniel Bunce
Gootkit Banking Trojan | Deep Dive into Anti-Analysis Features
GootKit
2019-03-23Open MalwareDanny Quist
Reverse Engineering Gootkit with Ghidra Part I
GootKit
2019-02-14CertegoMatteo Lodi
Malware Tales: Gootkit
GootKit
2018-11-01CERT La PosteChristophe Rieunier, Thomas Dubier
Analyse du malware bancaire Gootkit et de ses mécanismes de protection
GootKit
2018-05-20Youtube (OALabs)Sergei Frankoff
Unpacking Gootkit Part 2 - Debugging Anti-Analysis Tricks With IDA Pro and x64dbg
GootKit
2018-03-04Youtube (OALabs)Sergei Frankoff
Unpacking Gootkit Malware With IDA Pro and X64dbg - Subscriber Request
Cold$eal GootKit
2018-02-13JuniperPaul Kimayong
New Gootkit Banking Trojan variant pushes the limits on evasive behavior
GootKit
2017-03-01SecurityIntelligenceGadi Ostrovsky, Limor Kessem
GootKit Developers Dress It Up With Web Traffic Proxy
GootKit
2016-12-01US-CERTUS-CERT
Alert (TA16-336A): Avalanche (crimeware-as-a-service infrastructure)
GootKit
2016-10-27Kaspersky LabsAlexey Shulmin, Sergey Yunakovsky
Inside the Gootkit C&C server
GootKit
2016-07-08SecurityIntelligenceLimor Kessem
GootKit: Bobbing and Weaving to Avoid Prying Eyes
GootKit
2015-04-13CERT Societe GeneraleCERT Societe Generale
Analyzing Gootkit's persistence mechanism (new ASEP inside!)
GootKit
2015-03-30Trend MicroCedric Pernet, Dark Luo
Fake Judicial Spam Leads to Backdoor with Fake Certificate Authority
GootKit
2014-04-09Dr.WebDr.Web
BackDoor.Gootkit.112—a new multi-purpose backdoor
GootKit
Yara Rules
[TLP:WHITE] win_gootkit_auto (20241030 | Detects win.gootkit.)
rule win_gootkit_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.gootkit."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gootkit"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83ec30 53 8bc1 0f57c0 56 57 8d4df8 }
            // n = 7, score = 1700
            //   83ec30               | sub                 esp, 0x30
            //   53                   | push                ebx
            //   8bc1                 | mov                 eax, ecx
            //   0f57c0               | xorps               xmm0, xmm0
            //   56                   | push                esi
            //   57                   | push                edi
            //   8d4df8               | lea                 ecx, [ebp - 8]

        $sequence_1 = { 833b00 7406 837b0400 7502 }
            // n = 4, score = 1700
            //   833b00               | cmp                 dword ptr [ebx], 0
            //   7406                 | je                  8
            //   837b0400             | cmp                 dword ptr [ebx + 4], 0
            //   7502                 | jne                 4

        $sequence_2 = { 7407 33c9 e8???????? 8b5dfc ff75f4 6a00 ff15???????? }
            // n = 7, score = 1700
            //   7407                 | je                  9
            //   33c9                 | xor                 ecx, ecx
            //   e8????????           |                     
            //   8b5dfc               | mov                 ebx, dword ptr [ebp - 4]
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   6a00                 | push                0
            //   ff15????????         |                     

        $sequence_3 = { 6a02 5b 8975f0 e8???????? 8d45fc 33d2 }
            // n = 6, score = 1700
            //   6a02                 | push                2
            //   5b                   | pop                 ebx
            //   8975f0               | mov                 dword ptr [ebp - 0x10], esi
            //   e8????????           |                     
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   33d2                 | xor                 edx, edx

        $sequence_4 = { 59 85c0 0f84af000000 2bc6 8bce 8bd0 e8???????? }
            // n = 7, score = 1700
            //   59                   | pop                 ecx
            //   85c0                 | test                eax, eax
            //   0f84af000000         | je                  0xb5
            //   2bc6                 | sub                 eax, esi
            //   8bce                 | mov                 ecx, esi
            //   8bd0                 | mov                 edx, eax
            //   e8????????           |                     

        $sequence_5 = { 51 8bcb e8???????? 59 85c0 740c }
            // n = 6, score = 1700
            //   51                   | push                ecx
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   85c0                 | test                eax, eax
            //   740c                 | je                  0xe

        $sequence_6 = { ff15???????? 50 ffd6 8bc7 893d???????? }
            // n = 5, score = 1700
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   8bc7                 | mov                 eax, edi
            //   893d????????         |                     

        $sequence_7 = { 55 8bec 83ec14 53 57 8955f4 8bd9 }
            // n = 7, score = 1700
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec14               | sub                 esp, 0x14
            //   53                   | push                ebx
            //   57                   | push                edi
            //   8955f4               | mov                 dword ptr [ebp - 0xc], edx
            //   8bd9                 | mov                 ebx, ecx

        $sequence_8 = { f3aa 68???????? ff15???????? 50 }
            // n = 4, score = 1200
            //   f3aa                 | rep stosb           byte ptr es:[edi], al
            //   68????????           |                     
            //   ff15????????         |                     
            //   50                   | push                eax

        $sequence_9 = { 8b7df4 32c0 8b4de4 f3aa }
            // n = 4, score = 1200
            //   8b7df4               | mov                 edi, dword ptr [ebp - 0xc]
            //   32c0                 | xor                 al, al
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   f3aa                 | rep stosb           byte ptr es:[edi], al

        $sequence_10 = { 50 68???????? ff15???????? 85c0 7505 e8???????? }
            // n = 6, score = 1100
            //   50                   | push                eax
            //   68????????           |                     
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7505                 | jne                 7
            //   e8????????           |                     

        $sequence_11 = { 50 e8???????? 83c40c 68fd000000 }
            // n = 4, score = 1100
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   68fd000000           | push                0xfd

        $sequence_12 = { 50 8b4508 8b00 99 52 50 }
            // n = 6, score = 1000
            //   50                   | push                eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   99                   | cdq                 
            //   52                   | push                edx
            //   50                   | push                eax

        $sequence_13 = { c705????????01000000 c705????????02000000 8be5 5d c3 55 }
            // n = 6, score = 900
            //   c705????????01000000     |     
            //   c705????????02000000     |     
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   55                   | push                ebp

        $sequence_14 = { 833d????????00 750a 6a32 ff15???????? }
            // n = 4, score = 800
            //   833d????????00       |                     
            //   750a                 | jne                 0xc
            //   6a32                 | push                0x32
            //   ff15????????         |                     

        $sequence_15 = { e8???????? 6a0c 6a08 ff15???????? }
            // n = 4, score = 800
            //   e8????????           |                     
            //   6a0c                 | push                0xc
            //   6a08                 | push                8
            //   ff15????????         |                     

        $sequence_16 = { 6808020000 6a00 ff15???????? 50 ff15???????? }
            // n = 5, score = 800
            //   6808020000           | push                0x208
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_17 = { 6a02 ff15???????? 6888130000 ff15???????? }
            // n = 4, score = 700
            //   6a02                 | push                2
            //   ff15????????         |                     
            //   6888130000           | push                0x1388
            //   ff15????????         |                     

        $sequence_18 = { 8d45fc 50 6a01 6a01 6a00 6800000002 }
            // n = 6, score = 600
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   6a01                 | push                1
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   6800000002           | push                0x2000000

        $sequence_19 = { e8???????? 85c0 750c c705????????03000000 }
            // n = 4, score = 500
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   750c                 | jne                 0xe
            //   c705????????03000000     |     

        $sequence_20 = { e8???????? 85c0 740d 6810270000 }
            // n = 4, score = 400
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   740d                 | je                  0xf
            //   6810270000           | push                0x2710

        $sequence_21 = { 68???????? 51 51 ff15???????? 50 }
            // n = 5, score = 300
            //   68????????           |                     
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   50                   | push                eax

        $sequence_22 = { 53 53 53 8901 }
            // n = 4, score = 300
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   8901                 | mov                 dword ptr [ecx], eax

        $sequence_23 = { 83faff 7508 ff15???????? 8bd0 }
            // n = 4, score = 200
            //   83faff               | cmp                 edx, -1
            //   7508                 | jne                 0xa
            //   ff15????????         |                     
            //   8bd0                 | mov                 edx, eax

        $sequence_24 = { ff15???????? ffc3 83fb0a 7cd5 33c0 }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   ffc3                 | inc                 ebx
            //   83fb0a               | cmp                 ebx, 0xa
            //   7cd5                 | jl                  0xffffffd7
            //   33c0                 | xor                 eax, eax

        $sequence_25 = { 7550 ff15???????? 8bf8 893d???????? }
            // n = 4, score = 200
            //   7550                 | jne                 0x52
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   893d????????         |                     

        $sequence_26 = { 8d4204 3bc8 7344 2bca }
            // n = 4, score = 200
            //   8d4204               | lea                 eax, [edx + 4]
            //   3bc8                 | cmp                 ecx, eax
            //   7344                 | jae                 0x46
            //   2bca                 | sub                 ecx, edx

        $sequence_27 = { 0f104850 0f114f50 0f104060 0f114760 8b4070 894770 }
            // n = 6, score = 200
            //   0f104850             | movups              xmm1, xmmword ptr [eax + 0x50]
            //   0f114f50             | movups              xmmword ptr [edi + 0x50], xmm1
            //   0f104060             | movups              xmm0, xmmword ptr [eax + 0x60]
            //   0f114760             | movups              xmmword ptr [edi + 0x60], xmm0
            //   8b4070               | mov                 eax, dword ptr [eax + 0x70]
            //   894770               | mov                 dword ptr [edi + 0x70], eax

        $sequence_28 = { 8bf2 8d4601 57 50 }
            // n = 4, score = 200
            //   8bf2                 | mov                 esi, edx
            //   8d4601               | lea                 eax, [esi + 1]
            //   57                   | push                edi
            //   50                   | push                eax

        $sequence_29 = { 8b8de4fdffff 8b36 85f6 75a2 8b3f }
            // n = 5, score = 200
            //   8b8de4fdffff         | mov                 ecx, dword ptr [ebp - 0x21c]
            //   8b36                 | mov                 esi, dword ptr [esi]
            //   85f6                 | test                esi, esi
            //   75a2                 | jne                 0xffffffa4
            //   8b3f                 | mov                 edi, dword ptr [edi]

        $sequence_30 = { 53 33db e8???????? ff15???????? 8bc8 }
            // n = 5, score = 200
            //   53                   | push                ebx
            //   33db                 | xor                 ebx, ebx
            //   e8????????           |                     
            //   ff15????????         |                     
            //   8bc8                 | mov                 ecx, eax

        $sequence_31 = { 0f104010 0f110f 0f104820 0f114710 }
            // n = 4, score = 200
            //   0f104010             | movups              xmm0, xmmword ptr [eax + 0x10]
            //   0f110f               | movups              xmmword ptr [edi], xmm1
            //   0f104820             | movups              xmm1, xmmword ptr [eax + 0x20]
            //   0f114710             | movups              xmmword ptr [edi + 0x10], xmm0

        $sequence_32 = { 3cff 7552 807e0125 754c 8b5e02 }
            // n = 5, score = 200
            //   3cff                 | cmp                 al, 0xff
            //   7552                 | jne                 0x54
            //   807e0125             | cmp                 byte ptr [esi + 1], 0x25
            //   754c                 | jne                 0x4e
            //   8b5e02               | mov                 ebx, dword ptr [esi + 2]

        $sequence_33 = { ff15???????? 85c0 7510 8d4864 ff15???????? }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7510                 | jne                 0x12
            //   8d4864               | lea                 ecx, [eax + 0x64]
            //   ff15????????         |                     

        $sequence_34 = { 0f104050 0f114f40 0f104860 0f114750 }
            // n = 4, score = 200
            //   0f104050             | movups              xmm0, xmmword ptr [eax + 0x50]
            //   0f114f40             | movups              xmmword ptr [edi + 0x40], xmm1
            //   0f104860             | movups              xmm1, xmmword ptr [eax + 0x60]
            //   0f114750             | movups              xmmword ptr [edi + 0x50], xmm0

        $sequence_35 = { 0f114710 0f104030 0f114f20 0f104840 0f114730 0f104050 0f114f40 }
            // n = 7, score = 200
            //   0f114710             | movups              xmmword ptr [edi + 0x10], xmm0
            //   0f104030             | movups              xmm0, xmmword ptr [eax + 0x30]
            //   0f114f20             | movups              xmmword ptr [edi + 0x20], xmm1
            //   0f104840             | movups              xmm1, xmmword ptr [eax + 0x40]
            //   0f114730             | movups              xmmword ptr [edi + 0x30], xmm0
            //   0f104050             | movups              xmm0, xmmword ptr [eax + 0x50]
            //   0f114f40             | movups              xmmword ptr [edi + 0x40], xmm1

        $sequence_36 = { 7323 8b33 eb19 3ce9 7508 8b4601 83c605 }
            // n = 7, score = 200
            //   7323                 | jae                 0x25
            //   8b33                 | mov                 esi, dword ptr [ebx]
            //   eb19                 | jmp                 0x1b
            //   3ce9                 | cmp                 al, 0xe9
            //   7508                 | jne                 0xa
            //   8b4601               | mov                 eax, dword ptr [esi + 1]
            //   83c605               | add                 esi, 5

    condition:
        7 of them and filesize < 516096
}
Download all Yara Rules