originbotnet | b48656a73f039dfc48e237f13a15133739b2f26af136b9540f038e922f98b2c0

Analysis

max time kernel
140s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

champ.exe
Size

382KB
MD5

1ac6fd0301c47ecb144702fd7a9ffe22
SHA1

5282863ed30d9ce822657957774dd2109b07108d
SHA256

b48656a73f039dfc48e237f13a15133739b2f26af136b9540f038e922f98b2c0
SHA512

85fe94b89498d4fa62a865566bbf3e643825bd59eb6a875418f041fcf780970f2acfba18f79fd4ef94e618d714c3c31d7a803a078bbd7efeabbf0d251c7da6a1
SSDEEP

6144:6M2Pj8FwLjp4/8Af3Dmw2OWD07Zv7gR2z5za/7RZZ039F1VTGxVKOY31NXbxaMSW:6MAj8FwLm/SlD07Zv7ggz5G/7HZ039FY

Score

10^/10

originbotnet keylogger rat trojan

Malware Config

Extracted

Family

originbotnet

http://wjjiutia.com/gate

Attributes

add_startup
true
download_folder_name
phjjylsh.agr
hide_file_startup
true
startup_directory_name
snuXV
startup_environment_name
appdata
startup_installation_name
snuXV.exe
startup_registry_name
snuXV
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0

Signatures

OriginBotnet
OriginBotnet is a remote access trojan written in C#.
trojan rat keylogger originbotnet

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1144 set thread context of 1780	1144	champ.exe	92

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4436	1780	WerFault.exe	92

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1144	champ.exe
1144	champ.exe
1144	champ.exe
1144	champ.exe
1780	champ.exe
1780	champ.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1144	champ.exe
Token: SeDebugPrivilege	1780	champ.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 316	1144	champ.exe	91
PID 1144 wrote to memory of 316	1144	champ.exe	91
PID 1144 wrote to memory of 316	1144	champ.exe	91
PID 1144 wrote to memory of 1780	1144	champ.exe	92
PID 1144 wrote to memory of 1780	1144	champ.exe	92
PID 1144 wrote to memory of 1780	1144	champ.exe	92
PID 1144 wrote to memory of 1780	1144	champ.exe	92
PID 1144 wrote to memory of 1780	1144	champ.exe	92
PID 1144 wrote to memory of 1780	1144	champ.exe	92
PID 1144 wrote to memory of 1780	1144	champ.exe	92
PID 1144 wrote to memory of 1780	1144	champ.exe	92

C:\Users\Admin\AppData\Local\Temp\champ.exe
"C:\Users\Admin\AppData\Local\Temp\champ.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Users\Admin\AppData\Local\Temp\champ.exe
  "C:\Users\Admin\AppData\Local\Temp\champ.exe"
  2⤵
  PID:316
- C:\Users\Admin\AppData\Local\Temp\champ.exe
  "C:\Users\Admin\AppData\Local\Temp\champ.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1780
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 808
    3⤵
    - Program crash
    PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1780 -ip 1780
1⤵
PID:816

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\champ.exe.log

Filesize
1KB

MD5
7cad59aef5a93f093b6ba494f13f796f

SHA1
3cef97b77939bfc06dfd3946fc1a8cd159f67100

SHA256
1e1b444fe2d8772f6709b22b94bb5b0aa7fa590f6a693705d9bf1f2f71267a55

SHA512
8cedd03efec34c6226a01fd6b4831a689be16545ea6b849cd96f775e0722bfefd4b47f3dd8401d2080d341d4319f75995ece60de44352a1f86a2e5dc01e6210b

Download Submit
memory/1144-8-0x0000000074F50000-0x0000000075700000-memory.dmp

Filesize
7.7MB

Download
memory/1144-10-0x00000000070A0000-0x00000000070AA000-memory.dmp

Filesize
40KB

Download
memory/1144-3-0x00000000057A0000-0x0000000005832000-memory.dmp

Filesize
584KB

Download
memory/1144-4-0x0000000005840000-0x0000000005B94000-memory.dmp

Filesize
3.3MB

Download
memory/1144-5-0x0000000005730000-0x0000000005740000-memory.dmp

Filesize
64KB

Download
memory/1144-6-0x0000000005C40000-0x0000000005C4A000-memory.dmp

Filesize
40KB

Download
memory/1144-7-0x00000000063F0000-0x0000000006400000-memory.dmp

Filesize
64KB

Download
memory/1144-1-0x0000000074F50000-0x0000000075700000-memory.dmp

Filesize
7.7MB

Download
memory/1144-2-0x0000000005CA0000-0x0000000006244000-memory.dmp

Filesize
5.6MB

Download
memory/1144-11-0x0000000008860000-0x00000000088A8000-memory.dmp

Filesize
288KB

Download
memory/1144-9-0x0000000005730000-0x0000000005740000-memory.dmp

Filesize
64KB

Download
memory/1144-12-0x000000000AFF0000-0x000000000B08C000-memory.dmp

Filesize
624KB

Download
memory/1144-17-0x0000000074F50000-0x0000000075700000-memory.dmp

Filesize
7.7MB

Download
memory/1144-0-0x0000000000D50000-0x0000000000DB6000-memory.dmp

Filesize
408KB

Download
memory/1780-16-0x0000000074F50000-0x0000000075700000-memory.dmp

Filesize
7.7MB

Download
memory/1780-13-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1780-18-0x0000000074F50000-0x0000000075700000-memory.dmp

Filesize
7.7MB

Download