Overview

overview

10

Static

static

3

SecuriteIn...62.exe

windows7-x64

10

SecuriteIn...62.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    76s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/10/2023, 10:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Win32.RATX-gen.23117.32662.exe

  • Size

    542KB

  • MD5

    cb8d2cb4372947471ba2f6a7bc3a9c35

  • SHA1

    bcf8b0c9f36c33902b11c5e3b3942143068f52ce

  • SHA256

    4f09e1857f411cee21a8f8b56535dcf67937ec013873c180215c6420856b4e17

  • SHA512

    65fe838186ef865cc4229b04df7268aa1c410fafe64d7264fb6489e5158ec0cbc690730451d1e5c1e22d5010c20771419071f5b512052a7b7bd9382e62a01163

  • SSDEEP

    1536:NPd/84RBumqgMUAxEUZ45zT8VXJci2ejtP7nRCHlTigBVrFuOL5aZcThsZ:ZuvgMUOEUvVXJV2ejtlyluOLb

Score
10/10
originbotnetkeyloggerrattrojan

Malware Config

Extracted

Family

originbotnet

C2

https://lamba.nitrosoftwares.shop/gate

Attributes
  • add_startup

    false

  • download_folder_name

    zeyy4dqc.kds

  • hide_file_startup

    false

  • startup_directory_name

    efUDQ

  • startup_environment_name

    appdata

  • startup_installation_name

    efUDQ.exe

  • startup_registry_name

    efUDQ

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0

Signatures

  • OriginBotnet

    OriginBotnet is a remote access trojan written in C#.

    trojanratkeyloggeroriginbotnet
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.23117.32662.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.23117.32662.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1336
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.23117.32662.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.23117.32662.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5000
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 1364
        3⤵
        • Program crash
        PID:704
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.23117.32662.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
      2⤵
        PID:416
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1620
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        2⤵
          PID:4168
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        1⤵
        • Creates scheduled task(s)
        PID:2332
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 5000 -ip 5000
        1⤵
          PID:3768
        • C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
          C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
          1⤵
            PID:1324

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
            Filesize

            542KB

            MD5

            cb8d2cb4372947471ba2f6a7bc3a9c35

            SHA1

            bcf8b0c9f36c33902b11c5e3b3942143068f52ce

            SHA256

            4f09e1857f411cee21a8f8b56535dcf67937ec013873c180215c6420856b4e17

            SHA512

            65fe838186ef865cc4229b04df7268aa1c410fafe64d7264fb6489e5158ec0cbc690730451d1e5c1e22d5010c20771419071f5b512052a7b7bd9382e62a01163

            Download Submit

          • C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
            Filesize

            542KB

            MD5

            cb8d2cb4372947471ba2f6a7bc3a9c35

            SHA1

            bcf8b0c9f36c33902b11c5e3b3942143068f52ce

            SHA256

            4f09e1857f411cee21a8f8b56535dcf67937ec013873c180215c6420856b4e17

            SHA512

            65fe838186ef865cc4229b04df7268aa1c410fafe64d7264fb6489e5158ec0cbc690730451d1e5c1e22d5010c20771419071f5b512052a7b7bd9382e62a01163

            Download Submit

          • memory/1324-26-0x0000000075070000-0x0000000075820000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/1324-25-0x0000000075070000-0x0000000075820000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/1336-1-0x0000000075070000-0x0000000075820000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/1336-2-0x0000000005480000-0x0000000005A24000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/1336-3-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1336-4-0x0000000075070000-0x0000000075820000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/1336-5-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1336-6-0x0000000000C20000-0x0000000000C2C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1336-11-0x0000000075070000-0x0000000075820000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/1336-0-0x0000000000550000-0x00000000005DE000-memory.dmp

            Filesize

            568KB

            Download

          • memory/5000-14-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/5000-17-0x00000000065D0000-0x00000000065DA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/5000-18-0x0000000075070000-0x0000000075820000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/5000-19-0x00000000067C0000-0x0000000006982000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/5000-20-0x0000000006EC0000-0x00000000073EC000-memory.dmp

            Filesize

            5.2MB

            Download

          • memory/5000-21-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/5000-22-0x0000000075070000-0x0000000075820000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/5000-16-0x00000000060F0000-0x0000000006182000-memory.dmp

            Filesize

            584KB

            Download

          • memory/5000-15-0x0000000004D50000-0x0000000004DB6000-memory.dmp

            Filesize

            408KB

            Download

          • memory/5000-9-0x00000000003F0000-0x00000000003FE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/5000-10-0x0000000075070000-0x0000000075820000-memory.dmp

            Filesize

            7.7MB

            Download