originbotnet | 948c9b868e733196f7ee76f792e1fd0f3fb244799b3628c6560338354d434001

General

Target

948c9b868e733196f7ee76f792e1fd0f3fb244799b3628c6560338354d434001_JC.exe
Size

213KB
MD5

e1e3a47bfc74d2078d4d1a9a9e6cc044
SHA1

911c1dd3eb97fc6306ed2ba18bf19cfb4a26a91d
SHA256

948c9b868e733196f7ee76f792e1fd0f3fb244799b3628c6560338354d434001
SHA512

6bfdc502511d3832bbdb80fcd80a96cf4e04f293df637d92f8cb00b48a9f452ddff2b7e1528463e117fbc39935f1f0d4fe4a54a820696e063ecc39185485ee2f
SSDEEP

6144:PYa658UM+kV2Rp/azKjeYoRuEKhGSWQ1B:PY78UNFaYokuSzB

Score

10^/10

originbotnet keylogger rat trojan

Malware Config

Extracted

Family

originbotnet

C2

https://veit-intl.com/gate

Attributes

add_startup
false
download_folder_name
3khaalk1.i2q
hide_file_startup
false
startup_directory_name
jpWCq
startup_environment_name
appdata
startup_installation_name
jpWCq.exe
startup_registry_name
jpWCq
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0

Signatures

OriginBotnet
OriginBotnet is a remote access trojan written in C#.
trojan rat keylogger originbotnet

Executes dropped EXE 3 IoCs

pid	Process
3032	xmehsooyn.exe
2744	xmehsooyn.exe
2772	xmehsooyn.exe

Loads dropped DLL 3 IoCs

pid	Process
2228	948c9b868e733196f7ee76f792e1fd0f3fb244799b3628c6560338354d434001_JC.exe
3032	xmehsooyn.exe
3032	xmehsooyn.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3032 set thread context of 2772	3032	xmehsooyn.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2772	xmehsooyn.exe
2772	xmehsooyn.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3032	xmehsooyn.exe
3032	xmehsooyn.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2772	xmehsooyn.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 3032	2228	948c9b868e733196f7ee76f792e1fd0f3fb244799b3628c6560338354d434001_JC.exe	28
PID 2228 wrote to memory of 3032	2228	948c9b868e733196f7ee76f792e1fd0f3fb244799b3628c6560338354d434001_JC.exe	28
PID 2228 wrote to memory of 3032	2228	948c9b868e733196f7ee76f792e1fd0f3fb244799b3628c6560338354d434001_JC.exe	28
PID 2228 wrote to memory of 3032	2228	948c9b868e733196f7ee76f792e1fd0f3fb244799b3628c6560338354d434001_JC.exe	28
PID 3032 wrote to memory of 2744	3032	xmehsooyn.exe	29
PID 3032 wrote to memory of 2744	3032	xmehsooyn.exe	29
PID 3032 wrote to memory of 2744	3032	xmehsooyn.exe	29
PID 3032 wrote to memory of 2744	3032	xmehsooyn.exe	29
PID 3032 wrote to memory of 2772	3032	xmehsooyn.exe	30
PID 3032 wrote to memory of 2772	3032	xmehsooyn.exe	30
PID 3032 wrote to memory of 2772	3032	xmehsooyn.exe	30
PID 3032 wrote to memory of 2772	3032	xmehsooyn.exe	30
PID 3032 wrote to memory of 2772	3032	xmehsooyn.exe	30

C:\Users\Admin\AppData\Local\Temp\948c9b868e733196f7ee76f792e1fd0f3fb244799b3628c6560338354d434001_JC.exe
"C:\Users\Admin\AppData\Local\Temp\948c9b868e733196f7ee76f792e1fd0f3fb244799b3628c6560338354d434001_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\Local\Temp\xmehsooyn.exe
  "C:\Users\Admin\AppData\Local\Temp\xmehsooyn.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Users\Admin\AppData\Local\Temp\xmehsooyn.exe
    "C:\Users\Admin\AppData\Local\Temp\xmehsooyn.exe"
    3⤵
    - Executes dropped EXE
    PID:2744
- - C:\Users\Admin\AppData\Local\Temp\xmehsooyn.exe
    "C:\Users\Admin\AppData\Local\Temp\xmehsooyn.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qtefffid.rmi

Filesize
127KB

MD5
e29649cb4878fd97121053cab4fca567

SHA1
b9991cf44574c85b2831c5d97fdd7e1a7282f2a5

SHA256
56ba422c35e92078217446bbf9c34f11be3df1fe2913d6b6608861bd8f634611

SHA512
8b0f4e95e23165e7e3a0e93ea93aa0d66cf0b9236e80bd4256f33fc832bdbbb3c54330b99af09d7d14c03703a06b97a241c9f4bd90f8e8050e91d7bf0e3dde89

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmehsooyn.exe

Filesize
149KB

MD5
ed1fa891f5d44b307daf70cbee692ba4

SHA1
1b4df28db0834874b21f77cebebc40e3ddbd19c2

SHA256
3aac4ef006e22854f893180fab7c4f07b07346849efd87169ef6d1e24208bbc6

SHA512
b73cec6b79aa3e953e63d0b305d96ded5b49d677abb0fb306f0af53db7979961bb28247f1f6eb2e6ef1a634c87576bb903d0dd176ec43a3c4f276f33b525d3cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmehsooyn.exe

Filesize
149KB

MD5
ed1fa891f5d44b307daf70cbee692ba4

SHA1
1b4df28db0834874b21f77cebebc40e3ddbd19c2

SHA256
3aac4ef006e22854f893180fab7c4f07b07346849efd87169ef6d1e24208bbc6

SHA512
b73cec6b79aa3e953e63d0b305d96ded5b49d677abb0fb306f0af53db7979961bb28247f1f6eb2e6ef1a634c87576bb903d0dd176ec43a3c4f276f33b525d3cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmehsooyn.exe

Filesize
149KB

MD5
ed1fa891f5d44b307daf70cbee692ba4

SHA1
1b4df28db0834874b21f77cebebc40e3ddbd19c2

SHA256
3aac4ef006e22854f893180fab7c4f07b07346849efd87169ef6d1e24208bbc6

SHA512
b73cec6b79aa3e953e63d0b305d96ded5b49d677abb0fb306f0af53db7979961bb28247f1f6eb2e6ef1a634c87576bb903d0dd176ec43a3c4f276f33b525d3cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmehsooyn.exe

Filesize
149KB

MD5
ed1fa891f5d44b307daf70cbee692ba4

SHA1
1b4df28db0834874b21f77cebebc40e3ddbd19c2

SHA256
3aac4ef006e22854f893180fab7c4f07b07346849efd87169ef6d1e24208bbc6

SHA512
b73cec6b79aa3e953e63d0b305d96ded5b49d677abb0fb306f0af53db7979961bb28247f1f6eb2e6ef1a634c87576bb903d0dd176ec43a3c4f276f33b525d3cf

Download Submit
\Users\Admin\AppData\Local\Temp\xmehsooyn.exe

Filesize
149KB

MD5
ed1fa891f5d44b307daf70cbee692ba4

SHA1
1b4df28db0834874b21f77cebebc40e3ddbd19c2

SHA256
3aac4ef006e22854f893180fab7c4f07b07346849efd87169ef6d1e24208bbc6

SHA512
b73cec6b79aa3e953e63d0b305d96ded5b49d677abb0fb306f0af53db7979961bb28247f1f6eb2e6ef1a634c87576bb903d0dd176ec43a3c4f276f33b525d3cf

Download Submit
\Users\Admin\AppData\Local\Temp\xmehsooyn.exe

Filesize
149KB

MD5
ed1fa891f5d44b307daf70cbee692ba4

SHA1
1b4df28db0834874b21f77cebebc40e3ddbd19c2

SHA256
3aac4ef006e22854f893180fab7c4f07b07346849efd87169ef6d1e24208bbc6

SHA512
b73cec6b79aa3e953e63d0b305d96ded5b49d677abb0fb306f0af53db7979961bb28247f1f6eb2e6ef1a634c87576bb903d0dd176ec43a3c4f276f33b525d3cf

Download Submit
\Users\Admin\AppData\Local\Temp\xmehsooyn.exe

Filesize
149KB

MD5
ed1fa891f5d44b307daf70cbee692ba4

SHA1
1b4df28db0834874b21f77cebebc40e3ddbd19c2

SHA256
3aac4ef006e22854f893180fab7c4f07b07346849efd87169ef6d1e24208bbc6

SHA512
b73cec6b79aa3e953e63d0b305d96ded5b49d677abb0fb306f0af53db7979961bb28247f1f6eb2e6ef1a634c87576bb903d0dd176ec43a3c4f276f33b525d3cf

Download Submit
memory/2772-16-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2772-12-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2772-17-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2772-18-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/2772-19-0x0000000004AE0000-0x0000000004B20000-memory.dmp

Filesize
256KB

Download
memory/2772-20-0x00000000001D0000-0x00000000001DE000-memory.dmp

Filesize
56KB

Download
memory/2772-21-0x0000000004AE0000-0x0000000004B20000-memory.dmp

Filesize
256KB

Download
memory/2772-22-0x0000000004AE0000-0x0000000004B20000-memory.dmp

Filesize
256KB

Download
memory/2772-23-0x0000000004AE0000-0x0000000004B20000-memory.dmp

Filesize
256KB

Download
memory/2772-24-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2772-25-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/2772-26-0x0000000004AE0000-0x0000000004B20000-memory.dmp

Filesize
256KB

Download
memory/3032-6-0x0000000000130000-0x0000000000132000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing