originbotnet | 5994d3897dc6097f95ccb74dae995b87274b19d4fd62df21c226607b0d94cbc6

General

Target

5994d3897dc6097f95ccb74dae995b87274b19d4fd62df21c226607b0d94cbc6_JC.exe
Size

242KB
MD5

edefce3c8aa728e6d8718dcc75b801e2
SHA1

6b2c25817ce660c25bc9651d86a7cf816d719c7c
SHA256

5994d3897dc6097f95ccb74dae995b87274b19d4fd62df21c226607b0d94cbc6
SHA512

7ea3335facdd569b0b52c750e95c89ee17afac2e48cd56380b179cd9490d89c4288e03f02c90ac8d5564716f1b964645e9ab483f379d41d1a1ceda0680926ba4
SSDEEP

6144:vYa6jAf0x2IBUqkLIjdAmSPIA640Mb2WtvS8Y4Cn:vYhAf0x2IB2UoaMbZzY4u

Score

10^/10

originbotnet keylogger rat trojan

Malware Config

Extracted

Family

originbotnet

C2

https://veit-intl.com/gate

Attributes

add_startup
false
download_folder_name
3khaalk1.i2q
hide_file_startup
false
startup_directory_name
jpWCq
startup_environment_name
appdata
startup_installation_name
jpWCq.exe
startup_registry_name
jpWCq
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0

Signatures

OriginBotnet
OriginBotnet is a remote access trojan written in C#.
trojan rat keylogger originbotnet

Executes dropped EXE 2 IoCs

pid	Process
3704	mixeadxj.exe
3876	mixeadxj.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3704 set thread context of 3876	3704	mixeadxj.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4548	3876	WerFault.exe	84

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3876	mixeadxj.exe
3876	mixeadxj.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3704	mixeadxj.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3876	mixeadxj.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 3704	2836	5994d3897dc6097f95ccb74dae995b87274b19d4fd62df21c226607b0d94cbc6_JC.exe	83
PID 2836 wrote to memory of 3704	2836	5994d3897dc6097f95ccb74dae995b87274b19d4fd62df21c226607b0d94cbc6_JC.exe	83
PID 2836 wrote to memory of 3704	2836	5994d3897dc6097f95ccb74dae995b87274b19d4fd62df21c226607b0d94cbc6_JC.exe	83
PID 3704 wrote to memory of 3876	3704	mixeadxj.exe	84
PID 3704 wrote to memory of 3876	3704	mixeadxj.exe	84
PID 3704 wrote to memory of 3876	3704	mixeadxj.exe	84
PID 3704 wrote to memory of 3876	3704	mixeadxj.exe	84

C:\Users\Admin\AppData\Local\Temp\5994d3897dc6097f95ccb74dae995b87274b19d4fd62df21c226607b0d94cbc6_JC.exe
"C:\Users\Admin\AppData\Local\Temp\5994d3897dc6097f95ccb74dae995b87274b19d4fd62df21c226607b0d94cbc6_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Users\Admin\AppData\Local\Temp\mixeadxj.exe
  "C:\Users\Admin\AppData\Local\Temp\mixeadxj.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3704
- - C:\Users\Admin\AppData\Local\Temp\mixeadxj.exe
    "C:\Users\Admin\AppData\Local\Temp\mixeadxj.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3876
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 1928
      4⤵
      Program crash
      PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3876 -ip 3876
1⤵
PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\duettqyyyhf.h

Filesize
127KB

MD5
95dee8bea6062105bca7ddd48f0ee530

SHA1
12885ed175cbdc045b1680417a09fdfe3eedf92d

SHA256
88709b14f9fc1c86c77b5ed4df9dc5681acff4adf262c07d90cf34e0fea56b36

SHA512
21cb99482c71b57dfb82344ab30fb8bdd402083f8f47b46b50a7cc82fcae76e2261d9a308ebb0151723e0df402b850e068b023d03419c4649f32a19ab661540f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mixeadxj.exe

Filesize
194KB

MD5
73b044e7501d50af41e3511053670f1f

SHA1
9bfdc82fe231a3fae3ff8a69f4c7573755776c80

SHA256
1d2d19ac9e878d2c18078b27fed909d409648a64bb16e52f257271cc0cc9f60c

SHA512
11e46820e8b3b8414601d37219368c8356212e936f919d9d55d45389ef0bbfd08a411c2183258836449d6ed336a202e05fe6ed97993abef8b4511873d6e28c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mixeadxj.exe

Filesize
194KB

MD5
73b044e7501d50af41e3511053670f1f

SHA1
9bfdc82fe231a3fae3ff8a69f4c7573755776c80

SHA256
1d2d19ac9e878d2c18078b27fed909d409648a64bb16e52f257271cc0cc9f60c

SHA512
11e46820e8b3b8414601d37219368c8356212e936f919d9d55d45389ef0bbfd08a411c2183258836449d6ed336a202e05fe6ed97993abef8b4511873d6e28c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mixeadxj.exe

Filesize
194KB

MD5
73b044e7501d50af41e3511053670f1f

SHA1
9bfdc82fe231a3fae3ff8a69f4c7573755776c80

SHA256
1d2d19ac9e878d2c18078b27fed909d409648a64bb16e52f257271cc0cc9f60c

SHA512
11e46820e8b3b8414601d37219368c8356212e936f919d9d55d45389ef0bbfd08a411c2183258836449d6ed336a202e05fe6ed97993abef8b4511873d6e28c5a

Download Submit
memory/3704-5-0x0000000001590000-0x0000000001592000-memory.dmp

Filesize
8KB

Download
memory/3876-15-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/3876-18-0x0000000005190000-0x00000000051F6000-memory.dmp

Filesize
408KB

Download
memory/3876-11-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3876-12-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3876-13-0x0000000074320000-0x0000000074AD0000-memory.dmp

Filesize
7.7MB

Download
memory/3876-7-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3876-14-0x0000000002930000-0x000000000293E000-memory.dmp

Filesize
56KB

Download
memory/3876-16-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/3876-17-0x00000000055C0000-0x0000000005B64000-memory.dmp

Filesize
5.6MB

Download
memory/3876-9-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3876-19-0x0000000006490000-0x0000000006522000-memory.dmp

Filesize
584KB

Download
memory/3876-20-0x0000000006890000-0x000000000689A000-memory.dmp

Filesize
40KB

Download
memory/3876-21-0x0000000074320000-0x0000000074AD0000-memory.dmp

Filesize
7.7MB

Download
memory/3876-22-0x0000000006C00000-0x0000000006DC2000-memory.dmp

Filesize
1.8MB

Download
memory/3876-23-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/3876-24-0x0000000007300000-0x000000000782C000-memory.dmp

Filesize
5.2MB

Download
memory/3876-25-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/3876-26-0x0000000074320000-0x0000000074AD0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing