{
	"id": "eb4fa8ba-59b1-412e-9252-08248c7ae2e7",
	"created_at": "2026-04-06T00:19:04.329274Z",
	"updated_at": "2026-04-10T13:12:28.526922Z",
	"deleted_at": null,
	"sha1_hash": "d2dbbd4088a0502bdfc639302bbae7ef9fff7ae4",
	"title": "Gootkit Banking Trojan | Deep Dive into Anti-Analysis Features - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1977846,
	"plain_text": "Gootkit Banking Trojan | Deep Dive into Anti-Analysis Features - SentinelLabs\r\nBy Daniel Bunce\r\nPublished: 2019-08-15 · Archived: 2026-04-05 17:08:32 UTC\r\nIn this post, Daniel discusses the Gootkit banking trojan and its use of anti-analysis techniques.\r\nThe Gootkit Banking Trojan was discovered back in 2014, and utilizes the Node.JS library to perform a range of malicious tasks, from website injections and password grabbing, all the way up to video recording and remote VNC capabilities. Since its discovery in 2014, the actors behind Gootkit have continued to update the codebase to slow down analysis and thwart automated sandboxes. This post will take a look into the first stage of Gootkit, which contains the unpacking phase and a malicious downloader that sets up the infected system, and its multiple anti-analysis mechanisms.\r\nUnpacking\r\nMD5 of Packed Sample: 0b50ae28e1c6945d23f59dd2e17b5632\r\nWith this specific sample, the unpacking routine is fairly trivial, as it performs self-injection. Simply put, the unpacker will:\r\nAllocate a region of memory -\u003e Decrypt shellcode and copy to the allocated region -\u003e Execute the shellcode, decrypting the first stage Gootkit executable -\u003e Overwrite the unpacker with the decrypted executable -\u003e Change protections on the decrypted executable and transfer execution to it.\r\nTherefore, in order to unpack it, place breakpoints on both VirtualAlloc and VirtualProtect, and look out for executable headers appearing in the allocated regions of memory.\r\nhttps://www.sentinelone.com/blog/gootkit-banking-trojan-deep-dive-anti-analysis-features/\r\nPage 1 of 10\n\nMD5 of Unpacked Sample: c342af62302936720e52679bc431d5a8\r\nImmediately upon opening the sample in IDA, you’ll notice the use of the CreateThread API – this is used excessively throughout the binary, potentially as an anti-dynamic analysis method. 
It becomes quite difficult to debug the program due to the fact that multiple threads are running at once; however, this can be avoided by focusing on one thread per execution. Static analysis methods are also hindered, due to the levels of obfuscation utilized by the sample. Whilst there are quite a few strings in plaintext, nearly all of the important strings used are decrypted at run time, using a simple but effective XOR algorithm. Not only are the strings encrypted, they are also stored as stack strings, making it more complex to extract the important data.\r\nAs mentioned previously, the algorithm is fairly simple. Essentially what happens is there are 2 different “strings”. The first string (typically shorter) will loop around, XOR’ing each byte with a byte of the second string. An example of this algorithm in Python can be seen below.\r\nThe example above will return the string kernel32.dll.\r\nBefore Gootkit begins to perform its malicious routines, it first checks the arguments passed to it – this determines the path it follows. The possible arguments that Gootkit accepts are:\r\n--reinstall\r\n--service\r\n-test\r\n--vwxyz\r\nIf no argument is given, Gootkit will perform a setup routine, and then execute itself with the --vwxyz argument. The -test argument simply causes the process to exit, whereas the --reinstall argument will reinstall Gootkit using the persistence method that we will be covering in the next post. Finally, the --service argument will simply set an additional environment variable, specifically the variable name USERNAME_REQUIRED, with the value set as TRUE. 
In this post, we will be focusing primarily on the setup phase, to understand the steps Gootkit takes before executing itself with the --vwxyz argument.\r\nAnti-Analysis Functionality\r\nAs mentioned previously, Gootkit packs plenty of anti-analysis features to evade sandboxes, prevent execution in a virtual machine, and slow down analysis. Interestingly, the functions responsible for these features are skipped if a specific environment variable is set. The variable that is set during runtime is named crackmeololo, and the value given to it is navigator. When it comes to checking the value, rather than compare it to a string, Gootkit will utilize CRC-32/JAMCRC hashing in order to check the validity. If the CRC hashes don’t match, the system checks begin.\r\nThe first check that Gootkit performs is a filename check. Simply put, there is a hardcoded list of CRC hashed filenames inside the binary, which are compared against the hash of the current filename. If a match is found, Gootkit will create a batch file that will delete the original executable. The process will then exit. A list of the filenames that Gootkit searches for can be seen below.\r\nSAMPLE.EXE\r\nMALWARE.EXE\r\nBOT.EXE\r\nSANDBOX.EXE\r\nTEST.EXE\r\nKLAVME.EXE\r\nMYAPP.EXE\r\nTESTAPP.EXE\r\nThe next checks are performed almost immediately after the filename check. Gootkit will create another thread, where it will output the string “MP3 file corrupted” using OutputDebugStringA, and then check the environment variable crackmeololo once again. 
If the CRC hashes match, it will continue on to decrypt the on-board configuration – if not, it will perform a more in-depth check of the environment.\r\nFirst, it begins by opening the registry key Hardware\\DESCRIPTION\\System\\CentralProcessor\\0, and then queries the ProcessorNameString, comparing the value to Xeon. The Xeon processor is used primarily in servers, and not in laptops or desktops. This is a good indicator that the malware is running in a sandbox, so if it is detected, Gootkit will enter an endless sleep-loop cycle.\r\nIf Xeon is not detected, execution will resume; however, the next check is a lot more intensive. Similar to the filename check, Gootkit also contains a hardcoded list of MAC address identifiers used to detect sandboxes or VMs. After loading RPCRT4.DLL, it will call UuidCreateSequential, which uses the MAC address to create a GUID. If any of the values match, it will enter an infinite sleep-loop cycle once again. A list of the hardcoded MAC addresses along with the corresponding vendors can be seen below.\r\nF01FAF00 Dell\r\n00505600 VMWare\r\n8002700 PCS System Technology GmbH\r\n000C2900 VMWare\r\n00056900 VMWare\r\n0003FF00 Microsoft\r\n001C4200 Parallels\r\n00163E00 XenSource\r\nNext, Gootkit will call GetModuleHandleA in an attempt to get a handle to either dbghelp.dll or sbiedll.dll, in order to detect a present debugger or the Sandboxie sandbox. If a handle is returned successfully, an infinite sleep cycle will occur. Continuing on, the current username will be retrieved with a call to GetUserNameA, and compared to CurrentUser and Sandbox. The computer name will then be retrieved and compared to SANDBOX and 7SILVIA. 
As you may have guessed, if any of these match, the sample will enter into an infinite sleep cycle.\r\nContinuing on, Gootkit will query HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion and compare the value to: AMI, BOCHS, VBOX, QEMU, SMCI, INTEL – 6040000, FTNT-1, and SONI. Once again, match = infinite sleep cycle.\r\nYet another registry query is performed, this time with the key HARDWARE\\Description\\System\\VideoBiosVersion, with the value being compared to VirtualBox. Finally, it queries SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SystemBiosVersion or HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion for 3 values that correspond to Joe Sandbox and CWSandbox:\r\n55274-640-2673064-23950: Joe Sandbox\r\n76487-644-3177037-23510: CWSandbox\r\n76487-337-8429955-22614: CWSandbox\r\nIf all checks are passed, then execution of the sample will continue, by setting up persistence and retrieving the payload from the C2 server. Before doing that, it will check its filename once again, using the same CRC hashing we saw earlier.\r\nIn the next post, we will take a look at the persistence method used by Gootkit, and take a look at the --reinstall pathway, as well as the communications routine used by the sample to retrieve the final stage.\r\nSource: https://www.sentinelone.com/blog/gootkit-banking-trojan-deep-dive-anti-analysis-features/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/blog/gootkit-banking-trojan-deep-dive-anti-analysis-features/"
	],
	"report_names": [
		"gootkit-banking-trojan-deep-dive-anti-analysis-features"
	],
	"threat_actors": [
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434744,
	"ts_updated_at": 1775826748,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d2dbbd4088a0502bdfc639302bbae7ef9fff7ae4.pdf",
		"text": "https://archive.orkl.eu/d2dbbd4088a0502bdfc639302bbae7ef9fff7ae4.txt",
		"img": "https://archive.orkl.eu/d2dbbd4088a0502bdfc639302bbae7ef9fff7ae4.jpg"
	}
}