originbotnet | 29088b8d5480560b4adbbd65b411e32722363bcbdf0c7e1a7ba182fd9d11d25c

General

Target

SecuriteInfo.com.Win32.RATX-gen.12255.26012.exe
Size

267KB
MD5

ab928fbd4830f07cf7ac488dca1e746d
SHA1

1ae67cf7561616b8543b83c850b93b1952824be7
SHA256

29088b8d5480560b4adbbd65b411e32722363bcbdf0c7e1a7ba182fd9d11d25c
SHA512

3c3e39811b9b0a50235c7a6aec97fa7d6ebcf1afa02ccc89b484aa7b5d13c1aa85d4518c37743843c6bf95aee83e0efd723d62e38f8a0d0bb879cad457b03cf4
SSDEEP

3072:8uvgD6S2+qU3kNAwGE84AsQvnlBrII/J+M:8uvU2gKAwGE84bQ/ly

Score

10^/10

originbotnet keylogger rat trojan

Malware Config

Extracted

Family

originbotnet

C2

https://nitrosoftwares.shop/gate

Attributes

add_startup
false
download_folder_name
0uvf4vxi.zxu
hide_file_startup
false
startup_directory_name
VxxWqfE
startup_environment_name
appdata
startup_installation_name
VxxWqfE.exe
startup_registry_name
VxxWqfE
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0

Signatures

OriginBotnet
OriginBotnet is a remote access trojan written in C#.
trojan rat keylogger originbotnet

Executes dropped EXE 1 IoCs

pid	Process
2004	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1928 set thread context of 4964	1928	SecuriteInfo.com.Win32.RATX-gen.12255.26012.exe	98

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5076	4964	WerFault.exe	98

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2112	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4964	SecuriteInfo.com.Win32.RATX-gen.12255.26012.exe
4964	SecuriteInfo.com.Win32.RATX-gen.12255.26012.exe
4964	SecuriteInfo.com.Win32.RATX-gen.12255.26012.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4964	SecuriteInfo.com.Win32.RATX-gen.12255.26012.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 4964	1928	SecuriteInfo.com.Win32.RATX-gen.12255.26012.exe	98
PID 1928 wrote to memory of 4964	1928	SecuriteInfo.com.Win32.RATX-gen.12255.26012.exe	98
PID 1928 wrote to memory of 4964	1928	SecuriteInfo.com.Win32.RATX-gen.12255.26012.exe	98
PID 1928 wrote to memory of 4964	1928	SecuriteInfo.com.Win32.RATX-gen.12255.26012.exe	98
PID 1928 wrote to memory of 4964	1928	SecuriteInfo.com.Win32.RATX-gen.12255.26012.exe	98
PID 1928 wrote to memory of 4964	1928	SecuriteInfo.com.Win32.RATX-gen.12255.26012.exe	98
PID 1928 wrote to memory of 4964	1928	SecuriteInfo.com.Win32.RATX-gen.12255.26012.exe	98
PID 1928 wrote to memory of 4964	1928	SecuriteInfo.com.Win32.RATX-gen.12255.26012.exe	98
PID 1928 wrote to memory of 4092	1928	SecuriteInfo.com.Win32.RATX-gen.12255.26012.exe	99
PID 1928 wrote to memory of 4092	1928	SecuriteInfo.com.Win32.RATX-gen.12255.26012.exe	99
PID 1928 wrote to memory of 4092	1928	SecuriteInfo.com.Win32.RATX-gen.12255.26012.exe	99
PID 1928 wrote to memory of 4536	1928	SecuriteInfo.com.Win32.RATX-gen.12255.26012.exe	101
PID 1928 wrote to memory of 4536	1928	SecuriteInfo.com.Win32.RATX-gen.12255.26012.exe	101
PID 1928 wrote to memory of 4536	1928	SecuriteInfo.com.Win32.RATX-gen.12255.26012.exe	101
PID 1928 wrote to memory of 2796	1928	SecuriteInfo.com.Win32.RATX-gen.12255.26012.exe	100
PID 1928 wrote to memory of 2796	1928	SecuriteInfo.com.Win32.RATX-gen.12255.26012.exe	100
PID 1928 wrote to memory of 2796	1928	SecuriteInfo.com.Win32.RATX-gen.12255.26012.exe	100
PID 4536 wrote to memory of 2112	4536	cmd.exe	105
PID 4536 wrote to memory of 2112	4536	cmd.exe	105
PID 4536 wrote to memory of 2112	4536	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.12255.26012.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.12255.26012.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.12255.26012.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.12255.26012.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4964
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 808
    3⤵
    - Program crash
    PID:5076
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
  2⤵
  PID:4092
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.12255.26012.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
  2⤵
  PID:2796
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:2112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4964 -ip 4964
1⤵
PID:3780

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
1⤵
- Executes dropped EXE
PID:2004
- C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
  2⤵
  PID:2988
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
  2⤵
  PID:4016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
267KB

MD5
ab928fbd4830f07cf7ac488dca1e746d

SHA1
1ae67cf7561616b8543b83c850b93b1952824be7

SHA256
29088b8d5480560b4adbbd65b411e32722363bcbdf0c7e1a7ba182fd9d11d25c

SHA512
3c3e39811b9b0a50235c7a6aec97fa7d6ebcf1afa02ccc89b484aa7b5d13c1aa85d4518c37743843c6bf95aee83e0efd723d62e38f8a0d0bb879cad457b03cf4

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
267KB

MD5
ab928fbd4830f07cf7ac488dca1e746d

SHA1
1ae67cf7561616b8543b83c850b93b1952824be7

SHA256
29088b8d5480560b4adbbd65b411e32722363bcbdf0c7e1a7ba182fd9d11d25c

SHA512
3c3e39811b9b0a50235c7a6aec97fa7d6ebcf1afa02ccc89b484aa7b5d13c1aa85d4518c37743843c6bf95aee83e0efd723d62e38f8a0d0bb879cad457b03cf4

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
170KB

MD5
371cc32d0624faeb79c7b2e80f8a6620

SHA1
4ca8786c6668650cf031044aeed801690d819ee9

SHA256
48171d4c13bc30c8336ba1c0000f065f7b5189a57a8cf3ff4259f851c981b052

SHA512
f22242281f87a3178bcb192291debb9144e27fffddb45d192092591f1e15b08ac2d0dd40130774bb77b2f367d1a92f00578b6daa7992db3580d5985bcc3b022f

Download Submit
memory/1928-4-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/1928-5-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/1928-6-0x00000000006D0000-0x00000000006DC000-memory.dmp

Filesize
48KB

Download
memory/1928-0-0x00000000001E0000-0x0000000000228000-memory.dmp

Filesize
288KB

Download
memory/1928-1-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/1928-10-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/1928-3-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/1928-2-0x0000000005320000-0x00000000058C4000-memory.dmp

Filesize
5.6MB

Download
memory/2004-16-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/2004-17-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/4964-7-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4964-13-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/4964-18-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/4964-9-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads