originbotnet | 9349ee0572a4968cf3270cc6d8505e314ec98706b2de10dc1417b3b6197b7c4f

General

Target

SecuriteInfo.com.Win32.RATX-gen.8034.27212.exe
Size

542KB
MD5

5f9584f6c166a954bdd76b21217bf837
SHA1

02a3cdf937e8a7a7f7c817a72e1506984b544604
SHA256

9349ee0572a4968cf3270cc6d8505e314ec98706b2de10dc1417b3b6197b7c4f
SHA512

8e9649882acacd8f6c62fc6cb66507b5cd4aa2c165d02098d80a2c92f178463c31266582933a55093f5ab60c13179fbf652d81e83520788bbd46886946df4c3e
SSDEEP

1536:6WH/84RBumqgHXKrfcR8wZT5fryc+b5HfPWuMOTIiD/InRCHlTigBVrFuOL5aZc0:XEvgHKcR8wDre5Pz3zqyluOLb

Score

10^/10

originbotnet keylogger rat trojan

Malware Config

Extracted

Family

originbotnet

C2

https://nitrosoftwares.shop/gate

Attributes

add_startup
false
download_folder_name
jr3qf214.fmt
hide_file_startup
false
startup_directory_name
MrmassY
startup_environment_name
appdata
startup_installation_name
MrmassY.exe
startup_registry_name
MrmassY
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0

Signatures

OriginBotnet
OriginBotnet is a remote access trojan written in C#.
trojan rat keylogger originbotnet

Executes dropped EXE 1 IoCs

pid	Process
2516	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4408 set thread context of 3612	4408	SecuriteInfo.com.Win32.RATX-gen.8034.27212.exe	99

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3940	3612	WerFault.exe	99

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4664	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3612	SecuriteInfo.com.Win32.RATX-gen.8034.27212.exe
3612	SecuriteInfo.com.Win32.RATX-gen.8034.27212.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3612	SecuriteInfo.com.Win32.RATX-gen.8034.27212.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4408 wrote to memory of 3612	4408	SecuriteInfo.com.Win32.RATX-gen.8034.27212.exe	99
PID 4408 wrote to memory of 3612	4408	SecuriteInfo.com.Win32.RATX-gen.8034.27212.exe	99
PID 4408 wrote to memory of 3612	4408	SecuriteInfo.com.Win32.RATX-gen.8034.27212.exe	99
PID 4408 wrote to memory of 3612	4408	SecuriteInfo.com.Win32.RATX-gen.8034.27212.exe	99
PID 4408 wrote to memory of 3612	4408	SecuriteInfo.com.Win32.RATX-gen.8034.27212.exe	99
PID 4408 wrote to memory of 3612	4408	SecuriteInfo.com.Win32.RATX-gen.8034.27212.exe	99
PID 4408 wrote to memory of 3612	4408	SecuriteInfo.com.Win32.RATX-gen.8034.27212.exe	99
PID 4408 wrote to memory of 3612	4408	SecuriteInfo.com.Win32.RATX-gen.8034.27212.exe	99
PID 4408 wrote to memory of 3748	4408	SecuriteInfo.com.Win32.RATX-gen.8034.27212.exe	102
PID 4408 wrote to memory of 3748	4408	SecuriteInfo.com.Win32.RATX-gen.8034.27212.exe	102
PID 4408 wrote to memory of 3748	4408	SecuriteInfo.com.Win32.RATX-gen.8034.27212.exe	102
PID 4408 wrote to memory of 4676	4408	SecuriteInfo.com.Win32.RATX-gen.8034.27212.exe	101
PID 4408 wrote to memory of 4676	4408	SecuriteInfo.com.Win32.RATX-gen.8034.27212.exe	101
PID 4408 wrote to memory of 4676	4408	SecuriteInfo.com.Win32.RATX-gen.8034.27212.exe	101
PID 4408 wrote to memory of 4692	4408	SecuriteInfo.com.Win32.RATX-gen.8034.27212.exe	100
PID 4408 wrote to memory of 4692	4408	SecuriteInfo.com.Win32.RATX-gen.8034.27212.exe	100
PID 4408 wrote to memory of 4692	4408	SecuriteInfo.com.Win32.RATX-gen.8034.27212.exe	100
PID 4676 wrote to memory of 4664	4676	cmd.exe	107
PID 4676 wrote to memory of 4664	4676	cmd.exe	107
PID 4676 wrote to memory of 4664	4676	cmd.exe	107

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.8034.27212.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.8034.27212.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.8034.27212.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.8034.27212.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3612
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 816
    3⤵
    - Program crash
    PID:3940
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.8034.27212.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
  2⤵
  PID:4692
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:4664
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
  2⤵
  PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3612 -ip 3612
1⤵
PID:3900

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
1⤵
- Executes dropped EXE
PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
542KB

MD5
5f9584f6c166a954bdd76b21217bf837

SHA1
02a3cdf937e8a7a7f7c817a72e1506984b544604

SHA256
9349ee0572a4968cf3270cc6d8505e314ec98706b2de10dc1417b3b6197b7c4f

SHA512
8e9649882acacd8f6c62fc6cb66507b5cd4aa2c165d02098d80a2c92f178463c31266582933a55093f5ab60c13179fbf652d81e83520788bbd46886946df4c3e

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
542KB

MD5
5f9584f6c166a954bdd76b21217bf837

SHA1
02a3cdf937e8a7a7f7c817a72e1506984b544604

SHA256
9349ee0572a4968cf3270cc6d8505e314ec98706b2de10dc1417b3b6197b7c4f

SHA512
8e9649882acacd8f6c62fc6cb66507b5cd4aa2c165d02098d80a2c92f178463c31266582933a55093f5ab60c13179fbf652d81e83520788bbd46886946df4c3e

Download Submit
memory/2516-17-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/2516-16-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/3612-7-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3612-13-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/3612-9-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/4408-6-0x0000000001290000-0x000000000129C000-memory.dmp

Filesize
48KB

Download
memory/4408-1-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/4408-10-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/4408-5-0x0000000002FA0000-0x0000000002FB0000-memory.dmp

Filesize
64KB

Download
memory/4408-4-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/4408-3-0x0000000002FA0000-0x0000000002FB0000-memory.dmp

Filesize
64KB

Download
memory/4408-2-0x0000000005BC0000-0x0000000006164000-memory.dmp

Filesize
5.6MB

Download
memory/4408-0-0x0000000000CC0000-0x0000000000D4E000-memory.dmp

Filesize
568KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads