{
	"id": "d30392a8-e6bf-42b9-871e-48e5fb6140c1",
	"created_at": "2026-04-06T00:07:05.109614Z",
	"updated_at": "2026-04-10T03:21:46.316471Z",
	"deleted_at": null,
	"sha1_hash": "9e52260fcdcddbb16feb1ef7cd1a2479c4a2a858",
	"title": "Gootloader Isn't Broken - Malasada Tech",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3718270,
	"plain_text": "Gootloader Isn't Broken - Malasada Tech\r\nBy By Aaron Samala\r\nPublished: 2024-05-13 · Archived: 2026-04-05 14:16:18 UTC\r\nDetailed visualization of a cybersecurity workspace analyzing Gootloader malware.\r\nBLUF:\r\nThe Gootloader isn’t broken (as previously posted on this site in: Gootkit is broken right now); this post follows the\r\nanalysis steps that @Gootloader‘s video shows us using Process Monitor and Burp Suite Proxy intercept.\r\nhttps://malasada.tech/gootloader-isnt-broken/\r\nPage 1 of 7\n\nIntro:\r\nI used to routinely check on the @GootloaderSites Twitter Bot posts for up to date IOCs to search for. At some\r\npoint they were removed from Twitter, and I thought it was the end of it. Since I’ve started blogging and doing more\r\nresearch during my off-duty time, I’ve been more immersed in the Twitter alternative – Mastadon. I’ve found that\r\nthe Twitter Bot moved to Mastadon under the same name @GootloaderSites. I was glad to see they’re still around! I\r\nreviewed their latest blog “My-Game Retired? Latest Changes to Gootloader” where they discussed a lot of GREAT\r\ninfo, and shared a link to their Youtube video “Gootloader Malware Technical Deep Dive“. This post documents\r\nfollowing @GootloaderSites‘ steps in their video.\r\nRunning in a local VM:\r\nFollowed steps from Gootloader Malware Technical Deep Dive by @Gootloader.\r\nRan my go-to dork to find a Gootloader fake forum: “site:*.it enterprise agreement”.\r\nDownloaded a Gootloader sample direct from the source at https[:]//caputosfizinapoletani[.]it/enterprise-agreement-ramsay-health. 
Interestingly, Firefox threw a warning on the download.\r\nI uploaded it to VirusTotal if you want to see it:\r\nhttps://www.virustotal.com/gui/file/225053ce7e06b780e6acb968f3efc876ce329e37ff4cbfa716f960a8fc5ba77d/behavior\r\nDownloaded Process Monitor and set a filter of Process Name contains “script” (which matches wscript.exe, the host for a double-clicked JS file).\r\nDownloaded Burp Suite and enabled Proxy Intercept.\r\nConfigured the Windows manual proxy to go through Burp Suite (127.0.0.1:8080).\r\nConfigured the PowerShell profile to enable transcripts via Start-Transcript. Note that a profile only runs in hosts that load it; a powershell.exe started with -NoProfile bypasses it, so PowerShell script block logging (event ID 4104 in the PowerShell Operational log) is a safer complement to the transcript.\r\nExecuted the JS file.\r\nProcess Monitor shows it writing to “Interface Programming.dat”.\r\nIt looks like it then creates “Multi-million Dollar.js”. At this point I’m not too savvy with reading Process Monitor yet; in the future I’ll research more and give better explanations.\r\nI couldn’t find the process in Process Monitor for the task scheduling part, and I suspect I need to modify the Process Monitor filter; I’ll figure that out later and provide updates. One likely reason: with the filter limited to process names containing “script”, the task registration itself is hidden, because the task file under %SystemRoot%\\System32\\Tasks and the TaskCache registry keys are written by the Task Scheduler service (an svchost.exe instance) on behalf of wscript.exe, not by wscript.exe directly. Here’s a snip of the Task that was added.\r\nHere is a copy of the PowerShell transcript. The highlighted portion is the PowerShell commands that are executed. Below it you can see the request timing out, because Burp Suite Intercept is on and I haven’t forwarded anything yet. Note that it does not error out on the enumeration commands as it does in the Any Run sessions.\r\nThere appear to be some questionable beaconing domains that should raise flags. For example, I assume domains 4, 8, and 9 are domains that don’t comply with corporate usage policies.\r\nHere’s a snip of the Burp Suite Intercept. I would like to see the packet output from this in a future analysis. Take note of the previously observed enumeration data that is gzipped and then Base64 encoded into the Cookie values.
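As an added example (not the post’s own code) for working on the request Burp is holding: it decodes the cookie values just described, treating each as Base64 of gzip and also trying the assumed case of one blob split across several cookies, and it records the position of the Host header, which the next paragraph discusses. The request, cookie names, host name and enumeration text in it are constructed for the example, not taken from the sample.

```python
# Added example for this post (not the author's code): take the request that Burp is holding in
# Intercept, decode the gzip+base64 cookie values, and record where the Host header sits.
# The cookie layout is an assumption; the request at the bottom is constructed test data.
import base64
import gzip
import zlib

# Spelled out with chr() so the listing contains no backslash escapes.
CRLF = chr(13) + chr(10)


def parse_request(raw):
    '''Split a raw HTTP/1.1 request into its request line and an ordered header list.'''
    head = raw.split(CRLF + CRLF, 1)[0]
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(':')
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def host_index(headers):
    '''Zero-based position of Host among the headers, or None if absent.
    RFC 7230 section 5.4 (kept in RFC 9112) says a user agent SHOULD send it first, so 0 is the
    browser-typical value; anything else is a hint about the client, not a protocol violation.'''
    for i, (name, _) in enumerate(headers):
        if name.lower() == 'host':
            return i
    return None


def browser_like_user_agent(headers):
    '''True when the UA claims to be a browser. Invoke-WebRequest's default UA also starts with
    Mozilla/ but carries the string WindowsPowerShell, so that case is excluded.'''
    ua = dict((n.lower(), v) for n, v in headers).get('user-agent', '')
    return ua.startswith('Mozilla/') and 'PowerShell' not in ua


def b64_gunzip(text):
    '''Reverse base64(gzip(data)); raises ValueError/OSError/EOFError/zlib.error on anything else.'''
    padded = text + '=' * (-len(text) % 4)
    return gzip.decompress(base64.b64decode(padded, validate=True)).decode('utf-8', 'replace')


def decode_cookie_values(cookie_header):
    '''Decode each cookie value on its own; values that are not base64+gzip are returned untouched.'''
    out = {}
    for part in cookie_header.split(';'):
        name, _, value = part.strip().partition('=')
        try:
            out[name] = b64_gunzip(value)
        except (ValueError, OSError, EOFError, zlib.error):
            out[name] = value
    return out


def decode_cookie_joined(cookie_header):
    '''Assumed variant: one base64 blob split across several cookies, in header order.'''
    values = [p.strip().partition('=')[2] for p in cookie_header.split(';') if p.strip()]
    return b64_gunzip(''.join(values))


def analyze(raw):
    '''Summarize one intercepted request: Host placement plus the decoded cookie payload.'''
    request_line, headers = parse_request(raw)
    cookie = dict((n.lower(), v) for n, v in headers).get('cookie', '')
    try:
        payload = decode_cookie_joined(cookie) if cookie else None
    except (ValueError, OSError, EOFError, zlib.error):
        payload = None
    idx = host_index(headers)
    browser = browser_like_user_agent(headers)
    return {
        'request_line': request_line,
        'host_index': idx,
        'browser_ua': browser,
        # the heuristic from the post: a browser UA whose Host is not the first header
        'scrutinize': browser and idx != 0,
        'per_cookie': decode_cookie_values(cookie),
        'payload': payload,
    }


def build_cookie(text, chunk=40):
    '''Constructed test data: gzip, base64, then split into c0..cN cookies of chunk characters.'''
    blob = base64.b64encode(gzip.compress(text.encode())).decode()
    pieces = [blob[i:i + chunk] for i in range(0, len(blob), chunk)]
    return '; '.join('c%d=%s' % (i, p) for i, p in enumerate(pieces))


# Constructed stand-in for the enumeration output seen in the transcript (not real sample data).
ENUM_TEXT = 'host=LAB-VM01|user=analyst|domain=WORKGROUP|procs=wscript.exe,powershell.exe'

# Constructed request in the shape the post describes: browser UA, Host not first, chunked cookie.
SAMPLE_REQUEST = CRLF.join([
    'GET / HTTP/1.1',
    'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)',
    'Cookie: ' + build_cookie(ENUM_TEXT),
    'Host: beacon.example',
    'Connection: Keep-Alive',
    '',
    '',
])

if __name__ == '__main__':
    for key, value in analyze(SAMPLE_REQUEST).items():
        print(key, '=', value)
```

Paste the raw request from Burp’s Intercept tab (or one extracted from a PCAP) into analyze(); on the constructed request above the per-cookie decode fails for every chunk while the joined decode recovers the text, and scrutinize is set because the Host header is third.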
Also take note of the Host field.\r\nThe Host field is not where the RFC recommends it. RFC 7230 section 5.4 (https://datatracker.ietf.org/doc/html/rfc7230#section-5.4) states: “Since the Host field-value is critical information for handling a request, a user agent SHOULD generate Host as the first header field following the request-line.” RFC 9112, which obsoletes RFC 7230, keeps the same recommendation. Because it is a SHOULD rather than a MUST, a request with Host elsewhere is still valid HTTP; mainstream browsers do follow it, so the position is a useful fingerprint of the client rather than a compliance failure.\r\nIf you observe a PCAP with a GET request whose User-Agent field claims to be a web browser but whose Host header does not directly follow the request-line as RFC 7230 recommends, you should scrutinize it.\r\nRunning it in Any Run:\r\nHere’s a snip from the Any Run session showing the Gootloader PowerShell script erroring out (https://app.any.run/tasks/10a07fb3-6e8c-426f-a647-3f2b94eef7a9):\r\nThe last lines of the PowerShell transcript show the error. Because the PowerShell executes in my local Windows 11 VM but errors out in the Any Run Windows 7 VM, I am speculating that their recent change might use PowerShell commands that don’t work on Windows 7. (Windows 7 ships with Windows PowerShell 2.0 unless a newer Windows Management Framework has been installed, so cmdlets or syntax introduced in later versions fail there.) In a previous post (https://malasada.tech/gootkit-is-broken-right-now/) we discussed how the Gootloader PowerShell stopped working; this post shows that the previous post was incorrect.\r\nThis leads me to question whether Any Run’s $150 a month cost is worth it if I’m restricted to a Windows 7 VM that doesn’t execute the Gootloader PowerShell.
It’s unfortunate, because Any Run is VERY convenient for quick and easy analysis, especially since they added the Script Tracer capabilities.\r\nTODO:\r\nIn a future post, I’ll dive into the following:\r\nImproving the Process Monitor filter,\r\nCreating filters in Burp Suite so that only the beaconing domains are intercepted,\r\nRunning Tor on the local VM so that the beacon packets can be forwarded and the responses evaluated, and\r\nDoing a deep dive to evaluate RFC 7230 Section 5.4 compliance of PowerShell’s System.Net.WebRequest, to see whether a PCAP shows it placing Host somewhere other than first.\r\nSummary:\r\nGootloader isn’t down as I previously posted. You can perform simple analysis on a local VM running Process Monitor and Burp Suite with minimal configuration.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://malasada.tech/gootloader-isnt-broken/"
	],
	"report_names": [
		"gootloader-isnt-broken"
	],
	"threat_actors": [],
	"ts_created_at": 1775434025,
	"ts_updated_at": 1775791306,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9e52260fcdcddbb16feb1ef7cd1a2479c4a2a858.pdf",
		"text": "https://archive.orkl.eu/9e52260fcdcddbb16feb1ef7cd1a2479c4a2a858.txt",
		"img": "https://archive.orkl.eu/9e52260fcdcddbb16feb1ef7cd1a2479c4a2a858.jpg"
	}
}