Openhunting Threat Library

Kegotip

Kegotip
(Type: Info stealer)

(IBM) One of Kegotip’s main functions is scraping email addresses from hard drives of endpoints it infects, even crossing to additional partitions on the endpoint. This generates quite a handsome bounty for its operators, likely in the form of the {{Necurs}} botnet itself, which then uses these addresses in its spam runs. Kegotip has been appearing alongside {{Dridex}} and {{Locky}} infections since April 2016, either via the {{RockLoader}} or {{Upatre}}.

[News Analysis] Trends:

Total Trend: 1

Trend Per Year
1
2020


Trend Per Month
1
May 2020



[News Analysis] News Mention Another Threat Name:

20 - AndroMut20 - Bart20 - Dridex20 - FlawedAmmyy20 - FlawedGrace20 - Gandcrab20 - Get220 - GlobeImposter20 - Jaff20 - Kegotip20 - Locky20 - Necurs20 - Philadephia Ransom20 - Pony20 - QuantLoader20 - Rockloader20 - SDBbot20 - ServHelper20 - Shifu20 - Snatch20 - TrickBot


[TTP Analysis] Technique Performance:



[TTP Analysis] Mitre Attack Matrix:

TA0043 TA0042 TA0001 TA0002 TA0003 TA0004 TA0005 TA0006 TA0007 TA0008 TA0009 TA0011 TA0010 TA0040
Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact


[Infrastructure Analysis] Based on Related IOC:

IP:Port Timestamp
Domain Timestamp
URL Timestamp


[Target Analysis] Region/Sector:

No information


References:

News Basic Information Indicator of Compromise Mitre Attack

News Article (Credit @Malpedia)

A brief history of TA505

2020-05-21 by Intel 471 from Intel 471

Basic Information (Credit @etda.or.th)

Tool: Kegotip

Names: Kegotip

Description: (IBM) One of Kegotip’s main functions is scraping email addresses from hard drives of endpoints it infects, even crossing to additional partitions on the endpoint. This generates quite a handsome bounty for its operators, likely in the form of the {{Necurs}} botnet itself, which then uses these addresses in its spam runs. Kegotip has been appearing alongside {{Dridex}} and {{Locky}} infections since April 2016, either via the {{RockLoader}} or {{Upatre}}.

Category: Malware

Type: Info stealer

Information: https://securityintelligence.com/the-necurs-botnet-a-pandoras-box-of-malicious-spam/

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.kegotip

Alienvault-otx: https://otx.alienvault.com/browse/pulses?q=tag:kegotip

Last-card-change: 2020-04-23

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

TA0043 TA0042 TA0001 TA0002 TA0003 TA0004 TA0005 TA0006 TA0007 TA0008 TA0009 TA0011 TA0010 TA0040
Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact