Goot to Loot—How a Gootloader Infection Led to Credential Access - ReliaQuest
Common Information
Type Value
UUID 08254934-3d2c-4197-b90e-e99723d1bd8c
Fingerprint 2c9fd9911323a1c5
Analysis status DONE
Considered CTI value 2
Text language
Published June 22, 2023, 1:11 p.m.
Added to db Oct. 24, 2023, 1:18 p.m.
Last updated Nov. 17, 2024, 6:55 p.m.
Headline Goot to Loot—How a Gootloader Infection Led to Credential Access
Title Goot to Loot—How a Gootloader Infection Led to Credential Access - ReliaQuest
Detected Hints/Tags/Attributes 83/1/59
Attributes
Type                  #Events  Value
Domain                      1  salamancaespectacular.com
Domain                      1  demo.petsure.com
Domain                      1  cacommerciallaw.com
Domain                      1  docs.vrent.techvill.net
Domain                      1  eu9.richhost.eu
Domain                    339  system.net
Domain                      1  emailbuilder.a6uat.co.uk
Domain                      1  wildlife.org
Domain                      1  spinomenal.com
Domain                      1  airjust.de
Domain                      1  maharat-rt.com
Domain                      1  jocarsa.com
Domain                      1  ddman-vpn.ddns.net
Domain                      1  gahar.ir
Domain                      1  anevaz.com.br
Domain                      1  pornmagazine.club
Domain                      1  phone.do
File                      376  wscript.exe
File                       30  c:\windows\system32\wscript.exe
File                        1  c:\users\exampleuser\appdata\local\temp\temp1_what_is_the_difference_between_legal_ruled_and_wide_ruled_paper_7301.zip
File                        1  29094.js
File                        1  paint.js
File                        1  design.log
File                       19  1.js
File                      155  cscript.exe
File                       69  comsvcs.dll
File                        2  lsassdump.dmp
File                      127  c:\windows\system32\rundll32.exe
File                       27  c:\windows\system32\comsvcs.dll
File                        1  c:\lsassdump.dmp
File                       27  procdump.exe
File                      478  lsass.exe
File                        1  toolreg.exe
sha256                      1  f2afd46cfef3883fc858ca7b7730d4d6ee56a7aedbdb1b1f7bda7dba054f489e
sha256                      1  c3a62fce18a62c8db3b43b5fa776f650fbfc91ecf66457f51a0149034fb53670
sha256                      1  72ecfa3693ce5858332c9cee21b608a8f0c2dc3462d56e8bc9955c550a09d55d
IPv4                        1  94.156.189.36
IPv4                        1  217.145.84.64
IPv4                        1  167.172.154.244
IPv4                        1  66.33.211.237
Url                         1  https://demo.petsure.com/xmlrpc.php
Url                         1  https://cacommerciallaw.com/xmlrpc.php
Url                         1  https://docs.vrent.techvill.net/xmlrpc.php
Url                         1  ftp://eu9.richhost.eu/procdump/procdump.exe
Url                         1  ftp://eu9.richhost.eu/procdump/system
Url                         1  ftp://eu9.richhost.eu/procdump/sam
Url                         1  https://emailbuilder.a6uat.co.uk/download.php
Url                         1  https://wildlife.org/xmlrpc.php
Url                         1  https://spinomenal.com/xmlrpc.php
Url                         1  https://airjust.de/xmlrpc.php
Url                         1  https://maharat-rt.com/xmlrpc.php
Url                         1  https://jocarsa.com/xmlrpc.php
Url                         1  http://ddman-vpn.ddns.net/wordpress/xmlrpc.php
Url                         1  https://gahar.ir/xmlrpc.php
Url                         1  https://anevaz.com.br/xmlrpc.php
Url                         1  https://pornmagazine.club/xmlrpc.php
Url                         1  https://phone.do/xmlrpc.php
Windows Registry Key        1  HKU\ExampleUserSID\SOFTWARE\453694B5D3\17016
Windows Registry Key        1  HKU\ExampleUserSID\SOFTWARE\3144EAACD7\636
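The indicators above point to the chain named in the headline: a .js loader run by wscript.exe or cscript.exe out of a zip unpacked under the user's temp folder, callbacks to xmlrpc.php endpoints on compromised WordPress sites, an LSASS dump written as lsassdump.dmp through rundll32.exe with comsvcs.dll or through procdump.exe, and per-user registry keys. The Python below is an added example, not code from the ReliaQuest report or from this database: it runs those checks over a few constructed telemetry records. The record schema (image, command_line, sha256 keys), the sample events and the exact command lines are assumptions (the comsvcs.dll MiniDump form and the procdump -ma form are the standard invocations of those tools, not lines from the report); only the IPs, hosts, hashes, file names and the shape of the registry keys are taken from the list above.

```python
"""Detection checks built from the indicators listed above.

Added example, not code from the ReliaQuest report or this database. The
record schema (image / command_line / sha256), the sample events and the
exact command lines are constructed; only the hashes, IPs, hosts, file
names and registry-key shape come from the indicator list.
"""
import re
from urllib.parse import urlsplit

# Indicators copied from the attribute list above.
C2_IPS = {"94.156.189.36", "217.145.84.64", "167.172.154.244", "66.33.211.237"}
KNOWN_HOSTS = {
    "demo.petsure.com", "cacommerciallaw.com", "docs.vrent.techvill.net",
    "eu9.richhost.eu", "emailbuilder.a6uat.co.uk", "wildlife.org",
    "spinomenal.com", "airjust.de", "maharat-rt.com", "jocarsa.com",
    "ddman-vpn.ddns.net", "gahar.ir", "anevaz.com.br", "pornmagazine.club",
    "phone.do",
}
KNOWN_SHA256 = {
    "f2afd46cfef3883fc858ca7b7730d4d6ee56a7aedbdb1b1f7bda7dba054f489e",
    "c3a62fce18a62c8db3b43b5fa776f650fbfc91ecf66457f51a0149034fb53670",
    "72ecfa3693ce5858332c9cee21b608a8f0c2dc3462d56e8bc9955c550a09d55d",
}
DUMP_FILE = "lsassdump.dmp"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Shape of the two persistence keys listed above: HKU\<SID>\SOFTWARE\<10 hex>\<digits>.
# The fixed width of the hex subkey is an assumption drawn from those two samples.
REG_KEY_RE = re.compile(r"^HKU\\[^\\]+\\SOFTWARE\\[0-9A-F]{10}\\\d+$", re.I)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(event: dict) -> list[str]:
    """Flag a process-creation record; returns detection names (empty = clean)."""
    hits = []
    base = _basename(event.get("image", ""))
    cmd = event.get("command_line", "").lower()
    if event.get("sha256", "").lower() in KNOWN_SHA256:
        hits.append("known-gootloader-hash")
    # Initial loader: a script host running a .js from the user's temp folder,
    # where Explorer unpacks a downloaded zip into Temp1_<name>.zip\.
    if base in SCRIPT_HOSTS and ".js" in cmd and "\\appdata\\local\\temp\\" in cmd:
        hits.append("script-host-js-from-temp")
    # LSASS dump via a built-in DLL: rundll32 comsvcs.dll, MiniDump <pid> <file> full
    if base == "rundll32.exe" and "comsvcs.dll" in cmd and "minidump" in cmd:
        hits.append("comsvcs-minidump")
    # Same goal with Sysinternals procdump (-ma requests a full memory dump).
    if base == "procdump.exe" and "lsass" in cmd:
        hits.append("procdump-lsass")
    if DUMP_FILE in cmd:
        hits.append("lsass-dump-filename")
    return hits


def check_network(target: str) -> list[str]:
    """Flag a destination IP or URL."""
    if target in C2_IPS:
        return ["known-c2-ip"]
    parts = urlsplit(target)
    host = (parts.hostname or "").lower()
    hits = []
    if host in KNOWN_HOSTS:
        hits.append("known-c2-host")
    # Callback traffic goes to xmlrpc.php on compromised WordPress sites.
    if parts.path.lower().endswith("/xmlrpc.php"):
        hits.append("xmlrpc-beacon")
    # Tooling and hive files moved over FTP to a listed host.
    if parts.scheme.lower() == "ftp" and host in KNOWN_HOSTS:
        hits.append("ftp-to-known-host")
    return hits


def check_registry(key: str) -> list[str]:
    return ["gootloader-persistence-key"] if REG_KEY_RE.match(key) else []


def scan(records: list[dict]) -> list[tuple[str, list[str]]]:
    """Run each record through the check for its kind; keep the ones that fire."""
    checks = {"process": check_process, "network": check_network, "registry": check_registry}
    out = []
    for rec in records:
        hits = checks[rec["kind"]](rec["data"])
        if hits:
            out.append((rec["id"], hits))
    return out


# Constructed sample telemetry (not from the report).
SAMPLE_RECORDS = [
    {"id": "p1", "kind": "process", "data": {
        "image": r"C:\Windows\System32\wscript.exe",
        "command_line": r'"C:\Windows\System32\wscript.exe" '
                        r'"C:\Users\exampleuser\AppData\Local\Temp\Temp1_paper_7301.zip\29094.js"'}},
    {"id": "p2", "kind": "process", "data": {
        "image": r"C:\Windows\System32\rundll32.exe",
        "command_line": r"rundll32.exe C:\windows\system32\comsvcs.dll, MiniDump 712 C:\lsassdump.dmp full"}},
    {"id": "p3", "kind": "process", "data": {
        "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe notes.txt"}},
    {"id": "n1", "kind": "network", "data": "https://demo.petsure.com/xmlrpc.php"},
    {"id": "r1", "kind": "registry", "data": r"HKU\S-1-5-21-1-2-3-1001\SOFTWARE\453694B5D3\17016"},
]

if __name__ == "__main__":
    for rec_id, hits in scan(SAMPLE_RECORDS):
        print(rec_id, hits)
```

The checks deliberately key on behaviour (script host plus temp-folder .js, rundll32 plus comsvcs.dll plus MiniDump, procdump plus lsass, any xmlrpc.php destination) rather than only on the listed hashes and hosts, since those rotate between campaigns while the LSASS-dump and loader patterns do not; the hash, IP and host sets are kept as a high-confidence layer on top.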