originbotnet | 163918e075f9f05489c3a68bdc7fef36651632a3c8b59817f3e0cbd1fb172b55

General

Target

T10987654568900000.exe
Size

243KB
MD5

ab42940ac139ecb001ecb4069eaeca10
SHA1

cbc3519648660e4645c4845d59da3c4cd398e3b9
SHA256

163918e075f9f05489c3a68bdc7fef36651632a3c8b59817f3e0cbd1fb172b55
SHA512

3fe4041b1f08dfd5dbb195692364dc613c61480abe6a8eb83c218030e6bb1bae69b5af809cb05701028f9b09a1a79576891be807adfed2bfa5a5b04d14b362bb
SSDEEP

6144:AYa6pEVDnUE2PtG6HzwclJJMTayK+jzso6HPzXoQMQxLA:AYT6ItG+wcXmKChcbXNNx8

Score

10^/10

originbotnet keylogger rat trojan

Malware Config

Extracted

Family

originbotnet

C2

https://mmelak.com/gate

Attributes

add_startup
false
download_folder_name
4si50kud.vpv
hide_file_startup
false
startup_directory_name
pRcub
startup_environment_name
appdata
startup_installation_name
pRcub.exe
startup_registry_name
pRcub
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0

Signatures

OriginBotnet
OriginBotnet is a remote access trojan written in C#.
trojan rat keylogger originbotnet

Executes dropped EXE 2 IoCs

pid	Process
2560	atujtxaw.exe
2032	atujtxaw.exe

Loads dropped DLL 2 IoCs

pid	Process
1244	T10987654568900000.exe
2560	atujtxaw.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2560 set thread context of 2032	2560	atujtxaw.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2032	atujtxaw.exe
2032	atujtxaw.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2560	atujtxaw.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	atujtxaw.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2560	1244	T10987654568900000.exe	28
PID 1244 wrote to memory of 2560	1244	T10987654568900000.exe	28
PID 1244 wrote to memory of 2560	1244	T10987654568900000.exe	28
PID 1244 wrote to memory of 2560	1244	T10987654568900000.exe	28
PID 2560 wrote to memory of 2032	2560	atujtxaw.exe	29
PID 2560 wrote to memory of 2032	2560	atujtxaw.exe	29
PID 2560 wrote to memory of 2032	2560	atujtxaw.exe	29
PID 2560 wrote to memory of 2032	2560	atujtxaw.exe	29
PID 2560 wrote to memory of 2032	2560	atujtxaw.exe	29

C:\Users\Admin\AppData\Local\Temp\T10987654568900000.exe
"C:\Users\Admin\AppData\Local\Temp\T10987654568900000.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Local\Temp\atujtxaw.exe
  "C:\Users\Admin\AppData\Local\Temp\atujtxaw.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Users\Admin\AppData\Local\Temp\atujtxaw.exe
    "C:\Users\Admin\AppData\Local\Temp\atujtxaw.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\atujtxaw.exe

Filesize
150KB

MD5
b989f8cd3fd688cd1556d8c6737b06d8

SHA1
2aab018888aee67bb41930f79c0b24e51c0e82f0

SHA256
58cdbf4e6b2ff930888bbabc1109487c7afe0327ca9fed259367e120dfdf1f7c

SHA512
4f2879a90420b4066290ec8bd880b7d00a590876de91929386e667973a302fe944a33a63f432ab9b42496c3800f993a143fe101467869ed398c7a51b7086c521

Download Submit
C:\Users\Admin\AppData\Local\Temp\atujtxaw.exe

Filesize
150KB

MD5
b989f8cd3fd688cd1556d8c6737b06d8

SHA1
2aab018888aee67bb41930f79c0b24e51c0e82f0

SHA256
58cdbf4e6b2ff930888bbabc1109487c7afe0327ca9fed259367e120dfdf1f7c

SHA512
4f2879a90420b4066290ec8bd880b7d00a590876de91929386e667973a302fe944a33a63f432ab9b42496c3800f993a143fe101467869ed398c7a51b7086c521

Download Submit
C:\Users\Admin\AppData\Local\Temp\atujtxaw.exe

Filesize
150KB

MD5
b989f8cd3fd688cd1556d8c6737b06d8

SHA1
2aab018888aee67bb41930f79c0b24e51c0e82f0

SHA256
58cdbf4e6b2ff930888bbabc1109487c7afe0327ca9fed259367e120dfdf1f7c

SHA512
4f2879a90420b4066290ec8bd880b7d00a590876de91929386e667973a302fe944a33a63f432ab9b42496c3800f993a143fe101467869ed398c7a51b7086c521

Download Submit
C:\Users\Admin\AppData\Local\Temp\xthwmal.jjk

Filesize
127KB

MD5
ca6c9d418e2d3f038cd8b92eba29a27a

SHA1
c1ffe291145d336b9c6a637baa6fcc7c16e96c29

SHA256
efbafccca4a14520ef9af84db37b2e539a8b611e72be7f358cae583a022ef839

SHA512
d85ba798e6d364fe0f4ae369b538d01a6464bdb48a091e252567b954f8ccac5d9d6df64c1dce44fe8fd23fb4996127ddbc06f8296967ec3c392cb95663bb368b

Download Submit
\Users\Admin\AppData\Local\Temp\atujtxaw.exe

Filesize
150KB

MD5
b989f8cd3fd688cd1556d8c6737b06d8

SHA1
2aab018888aee67bb41930f79c0b24e51c0e82f0

SHA256
58cdbf4e6b2ff930888bbabc1109487c7afe0327ca9fed259367e120dfdf1f7c

SHA512
4f2879a90420b4066290ec8bd880b7d00a590876de91929386e667973a302fe944a33a63f432ab9b42496c3800f993a143fe101467869ed398c7a51b7086c521

Download Submit
\Users\Admin\AppData\Local\Temp\atujtxaw.exe

Filesize
150KB

MD5
b989f8cd3fd688cd1556d8c6737b06d8

SHA1
2aab018888aee67bb41930f79c0b24e51c0e82f0

SHA256
58cdbf4e6b2ff930888bbabc1109487c7afe0327ca9fed259367e120dfdf1f7c

SHA512
4f2879a90420b4066290ec8bd880b7d00a590876de91929386e667973a302fe944a33a63f432ab9b42496c3800f993a143fe101467869ed398c7a51b7086c521

Download Submit
memory/2032-14-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2032-10-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2032-15-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2032-16-0x00000000002E0000-0x00000000002EE000-memory.dmp

Filesize
56KB

Download
memory/2032-17-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download
memory/2032-18-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

Filesize
256KB

Download
memory/2032-19-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

Filesize
256KB

Download
memory/2032-20-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2032-21-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download
memory/2032-22-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

Filesize
256KB

Download
memory/2560-6-0x0000000000150000-0x0000000000152000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing