originbotnet | 4_sample[.]bin | Triage

Sharing

Copy URL Twitter E-mail

General

Target

4_sample.bin
Size

29KB
MD5

737e1085d39f64c7fdc846c9bf041bca
SHA1

eebed46b91bc7e3999d70c796bed80626502ac96
SHA256

3a7ba1b580177fe12f5560bab6af386ff1c7ed6dd56b190f8e574475bb35d970
SHA512

c8ec11f77d763e3497cc82540373fbcc06f347eef9d9d2c5d8e9cbabf7ac069f87aff779180b49ed5cbe246523c5741b963c8a3cc32be16fb621c5c480517a7f
SSDEEP

768:TLeDYBMtlGdTRyWHngyKFSThxIilCiuhWGV5:TQYBQl83HvT/NCiucGV5

Score

10^/10

originbotnet

Malware Config

Extracted

Family

originbotnet

C2

https://nitrosoftwares.shop/gate

Attributes

add_startup
false
download_folder_name
4yyaqgto.m0g
hide_file_startup
false
startup_directory_name
hhlquS
startup_environment_name
appdata
startup_installation_name
hhlquS.exe
startup_registry_name
hhlquS
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0

Signatures

Originbotnet family
originbotnet

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
4_sample.bin

Files

4_sample.bin
.exe windows:4 windows x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 26KB - Virtual size: 26KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ