GootLoader | Threat Level: high | Type: Loader

Cryptographic Identifiers

SHA2564e9b0f6ab987c7867ed23efe917794d053da4fb6dc52bda85cd6687fe97ec7ef
MD53cfad915e1db0af563175b0369da7354
File Typezip
Size97557.6 KB
First Seen2025-12-29
File NameLegal_Case_Management_Guide_2025.zip
TagsGootLoader, zip

Malware Family: GootLoader

GootLoader, SEO zehirleme ile yayılır.

TypeLoader
Programming LanguageJavaScript
Target PlatformWindows
C2 ProtocolHTTPS
PurposeSEO zehirleme loader
First Seen Year2020
AliasesGootKit

Threat Indicators (IOC)

  • SHA256: 4e9b0f6ab987c7867ed23efe917794d053da4fb6dc52bda85cd6687fe97ec7ef
  • MD5: 3cfad915e1db0af563175b0369da7354

System Cleanup Guide

  1. Disconnect the system from the network — the loader may be downloading more malware
  2. Analyze every downloaded payload
  3. Inspect all network traffic and cut suspicious connections
  4. Run a full antivirus scan
  5. Consider reimaging the system

YARA Rule Hints

rule GootLoader_SHA256 {
    meta:
        description = "GootLoader sample: 4e9b0f6ab987c786"
        threat_level = "high"
        first_seen = "2025-12-29"
    condition:
        hash.sha256(0, filesize) == "4e9b0f6ab987c7867ed23efe917794d053da4fb6dc52bda85cd6687fe97ec7ef"
}

Gootloader — Malware Profile

GootLoader/GootKit v3 JavaScript loader. SEO zehirleme kampanyasi. Hukuki belge lurü. JScript dropper.

Malware Type
Loader
Programming Language
JavaScript
C2 Protocol
HTTPS
Target Systems
Windows
Also Known As (AKA)
GootKit

Technical Details

Varyanta gore C/C#/VBS/PS1, anti-analysis (VM/debugger check), persistence (Registry/Task Scheduler/Startup folder), payload decryption ve injection (shellcode/PE), fileless execution teknikleri

Capabilities & Behavior

Payload İndirme
Süreç Enjeksiyonu
Modüler Mimari
Kimlik Bilgisi Hırsızlığı
Yanal Hareket
Kalıcılık
Anti-VM/Sandbox
İkincil Payload Dağıtımı

IOC List (2 indicators)

IOC — GootLoader
# SHA256 4e9b0f6ab987c7867ed23efe917794d053da4fb6dc52bda85cd6687fe97ec7ef # MD5 3cfad915e1db0af563175b0369da7354
TypeValueNote
sha256 4e9b0f6ab987c7867ed23efe917794d053da4fb6dc52bda85cd6687fe97ec7ef
md5 3cfad915e1db0af563175b0369da7354

C2 Servers (3 recorded servers for this family)

Address Type Port Protocol Status Country
23.227.203.68 ip 443 HTTPS active US
216.122.229.106 ip 443 HTTPS inactive US
login.itwrx.com domain 443 HTTPS inactive US

C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.

Tags
gootloaderloadermalwarehighsha256analizzenginleştirilmiş