originbotnet | f6332f23fa99f7881e3793645d71e1643279391fce24eb1ff5a58adc318aec2a

General

Target

f6332f23fa99f7881e3793645d71e1643279391fce24eb1ff5a58adc318aec2a_JC.exe
Size

338KB
MD5

dbadf9908b622af274db313906a95d3f
SHA1

de94f8284be7bee5880623c68fbc14a44ea61aa5
SHA256

f6332f23fa99f7881e3793645d71e1643279391fce24eb1ff5a58adc318aec2a
SHA512

dcb8055cddc77ac267b726019ec68a4a200f27531cffd291fa59bd15950c02c4ae21ec2265a09334fd05b6d8cb15cbfac35beaa4ededeb788dc7b8470adfe521
SSDEEP

6144:e84kJM8GgA188qLgXERTxM/BRhDm1l4Rh0xIpTYx2ap/mZX1BUCvEHX:h4kpy88cgXERTxMJRel4Rh0ep0xRp/ms

Score

10^/10

originbotnet keylogger persistence rat trojan

Malware Config

Extracted

Family

originbotnet

C2

https://grdhfour.shop/gate

Attributes

add_startup
false
download_folder_name
4tmn4xe4.gde
hide_file_startup
false
startup_directory_name
rOUfBC
startup_environment_name
appdata
startup_installation_name
rOUfBC.exe
startup_registry_name
rOUfBC
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0

Signatures

OriginBotnet
OriginBotnet is a remote access trojan written in C#.
trojan rat keylogger originbotnet

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lmqpfbpay = "C:\\Users\\Admin\\AppData\\Roaming\\Lmqpfbpay.exe"	f6332f23fa99f7881e3793645d71e1643279391fce24eb1ff5a58adc318aec2a_JC.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2292 set thread context of 320	2292	f6332f23fa99f7881e3793645d71e1643279391fce24eb1ff5a58adc318aec2a_JC.exe	83

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3092	320	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2292	f6332f23fa99f7881e3793645d71e1643279391fce24eb1ff5a58adc318aec2a_JC.exe
320	f6332f23fa99f7881e3793645d71e1643279391fce24eb1ff5a58adc318aec2a_JC.exe
320	f6332f23fa99f7881e3793645d71e1643279391fce24eb1ff5a58adc318aec2a_JC.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2292	f6332f23fa99f7881e3793645d71e1643279391fce24eb1ff5a58adc318aec2a_JC.exe
Token: SeDebugPrivilege	320	f6332f23fa99f7881e3793645d71e1643279391fce24eb1ff5a58adc318aec2a_JC.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 320	2292	f6332f23fa99f7881e3793645d71e1643279391fce24eb1ff5a58adc318aec2a_JC.exe	83
PID 2292 wrote to memory of 320	2292	f6332f23fa99f7881e3793645d71e1643279391fce24eb1ff5a58adc318aec2a_JC.exe	83
PID 2292 wrote to memory of 320	2292	f6332f23fa99f7881e3793645d71e1643279391fce24eb1ff5a58adc318aec2a_JC.exe	83
PID 2292 wrote to memory of 320	2292	f6332f23fa99f7881e3793645d71e1643279391fce24eb1ff5a58adc318aec2a_JC.exe	83
PID 2292 wrote to memory of 320	2292	f6332f23fa99f7881e3793645d71e1643279391fce24eb1ff5a58adc318aec2a_JC.exe	83
PID 2292 wrote to memory of 320	2292	f6332f23fa99f7881e3793645d71e1643279391fce24eb1ff5a58adc318aec2a_JC.exe	83
PID 2292 wrote to memory of 320	2292	f6332f23fa99f7881e3793645d71e1643279391fce24eb1ff5a58adc318aec2a_JC.exe	83
PID 2292 wrote to memory of 320	2292	f6332f23fa99f7881e3793645d71e1643279391fce24eb1ff5a58adc318aec2a_JC.exe	83

C:\Users\Admin\AppData\Local\Temp\f6332f23fa99f7881e3793645d71e1643279391fce24eb1ff5a58adc318aec2a_JC.exe
"C:\Users\Admin\AppData\Local\Temp\f6332f23fa99f7881e3793645d71e1643279391fce24eb1ff5a58adc318aec2a_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\f6332f23fa99f7881e3793645d71e1643279391fce24eb1ff5a58adc318aec2a_JC.exe
  C:\Users\Admin\AppData\Local\Temp\f6332f23fa99f7881e3793645d71e1643279391fce24eb1ff5a58adc318aec2a_JC.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:320
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 808
    3⤵
    - Program crash
    PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 320 -ip 320
1⤵
PID:3096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\f6332f23fa99f7881e3793645d71e1643279391fce24eb1ff5a58adc318aec2a_JC.exe.log

Filesize
927B

MD5
4a911455784f74e368a4c2c7876d76f4

SHA1
a1700a0849ffb4f26671eb76da2489946b821c34

SHA256
264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c

SHA512
4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d

Download Submit
memory/320-8-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/320-11-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/320-13-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/2292-1-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/2292-0-0x00000000006D0000-0x0000000000728000-memory.dmp

Filesize
352KB

Download
memory/2292-2-0x00000000050C0000-0x0000000005100000-memory.dmp

Filesize
256KB

Download
memory/2292-3-0x00000000051F0000-0x0000000005200000-memory.dmp

Filesize
64KB

Download
memory/2292-4-0x0000000005100000-0x000000000512E000-memory.dmp

Filesize
184KB

Download
memory/2292-5-0x0000000005130000-0x000000000517C000-memory.dmp

Filesize
304KB

Download
memory/2292-6-0x00000000059B0000-0x0000000005F54000-memory.dmp

Filesize
5.6MB

Download
memory/2292-12-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads