originbotnet | 948c9b868e733196f7ee76f792e1fd0f3fb244799b3628c6560338354d434001

Analysis

max time kernel
4s
max time network
22s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

948c9b868e733196f7ee76f792e1fd0f3fb244799b3628c6560338354d434001_JC.exe
Size

213KB
MD5

e1e3a47bfc74d2078d4d1a9a9e6cc044
SHA1

911c1dd3eb97fc6306ed2ba18bf19cfb4a26a91d
SHA256

948c9b868e733196f7ee76f792e1fd0f3fb244799b3628c6560338354d434001
SHA512

6bfdc502511d3832bbdb80fcd80a96cf4e04f293df637d92f8cb00b48a9f452ddff2b7e1528463e117fbc39935f1f0d4fe4a54a820696e063ecc39185485ee2f
SSDEEP

6144:PYa658UM+kV2Rp/azKjeYoRuEKhGSWQ1B:PY78UNFaYokuSzB

Score

10^/10

originbotnet keylogger rat trojan

Malware Config

Signatures

OriginBotnet
OriginBotnet is a remote access trojan written in C#.
trojan rat keylogger originbotnet

Executes dropped EXE 2 IoCs

pid	Process
244	xmehsooyn.exe
4408	xmehsooyn.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 244 set thread context of 4408	244	xmehsooyn.exe	83

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
244	xmehsooyn.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 244	4828	948c9b868e733196f7ee76f792e1fd0f3fb244799b3628c6560338354d434001_JC.exe	82
PID 4828 wrote to memory of 244	4828	948c9b868e733196f7ee76f792e1fd0f3fb244799b3628c6560338354d434001_JC.exe	82
PID 4828 wrote to memory of 244	4828	948c9b868e733196f7ee76f792e1fd0f3fb244799b3628c6560338354d434001_JC.exe	82
PID 244 wrote to memory of 4408	244	xmehsooyn.exe	83
PID 244 wrote to memory of 4408	244	xmehsooyn.exe	83
PID 244 wrote to memory of 4408	244	xmehsooyn.exe	83
PID 244 wrote to memory of 4408	244	xmehsooyn.exe	83

C:\Users\Admin\AppData\Local\Temp\948c9b868e733196f7ee76f792e1fd0f3fb244799b3628c6560338354d434001_JC.exe
"C:\Users\Admin\AppData\Local\Temp\948c9b868e733196f7ee76f792e1fd0f3fb244799b3628c6560338354d434001_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Users\Admin\AppData\Local\Temp\xmehsooyn.exe
  "C:\Users\Admin\AppData\Local\Temp\xmehsooyn.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:244
- - C:\Users\Admin\AppData\Local\Temp\xmehsooyn.exe
    "C:\Users\Admin\AppData\Local\Temp\xmehsooyn.exe"
    3⤵
    - Executes dropped EXE
    PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qtefffid.rmi

Filesize
127KB

MD5
e29649cb4878fd97121053cab4fca567

SHA1
b9991cf44574c85b2831c5d97fdd7e1a7282f2a5

SHA256
56ba422c35e92078217446bbf9c34f11be3df1fe2913d6b6608861bd8f634611

SHA512
8b0f4e95e23165e7e3a0e93ea93aa0d66cf0b9236e80bd4256f33fc832bdbbb3c54330b99af09d7d14c03703a06b97a241c9f4bd90f8e8050e91d7bf0e3dde89

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmehsooyn.exe

Filesize
149KB

MD5
ed1fa891f5d44b307daf70cbee692ba4

SHA1
1b4df28db0834874b21f77cebebc40e3ddbd19c2

SHA256
3aac4ef006e22854f893180fab7c4f07b07346849efd87169ef6d1e24208bbc6

SHA512
b73cec6b79aa3e953e63d0b305d96ded5b49d677abb0fb306f0af53db7979961bb28247f1f6eb2e6ef1a634c87576bb903d0dd176ec43a3c4f276f33b525d3cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmehsooyn.exe

Filesize
149KB

MD5
ed1fa891f5d44b307daf70cbee692ba4

SHA1
1b4df28db0834874b21f77cebebc40e3ddbd19c2

SHA256
3aac4ef006e22854f893180fab7c4f07b07346849efd87169ef6d1e24208bbc6

SHA512
b73cec6b79aa3e953e63d0b305d96ded5b49d677abb0fb306f0af53db7979961bb28247f1f6eb2e6ef1a634c87576bb903d0dd176ec43a3c4f276f33b525d3cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmehsooyn.exe

Filesize
149KB

MD5
ed1fa891f5d44b307daf70cbee692ba4

SHA1
1b4df28db0834874b21f77cebebc40e3ddbd19c2

SHA256
3aac4ef006e22854f893180fab7c4f07b07346849efd87169ef6d1e24208bbc6

SHA512
b73cec6b79aa3e953e63d0b305d96ded5b49d677abb0fb306f0af53db7979961bb28247f1f6eb2e6ef1a634c87576bb903d0dd176ec43a3c4f276f33b525d3cf

Download Submit
memory/244-5-0x00000000009A0000-0x00000000009A2000-memory.dmp

Filesize
8KB

Download
memory/4408-7-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4408-9-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4408-10-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4408-12-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download