originbotnet | 163918e075f9f05489c3a68bdc7fef36651632a3c8b59817f3e0cbd1fb172b55

General

Target

T10987654568900000.exe
Size

243KB
MD5

ab42940ac139ecb001ecb4069eaeca10
SHA1

cbc3519648660e4645c4845d59da3c4cd398e3b9
SHA256

163918e075f9f05489c3a68bdc7fef36651632a3c8b59817f3e0cbd1fb172b55
SHA512

3fe4041b1f08dfd5dbb195692364dc613c61480abe6a8eb83c218030e6bb1bae69b5af809cb05701028f9b09a1a79576891be807adfed2bfa5a5b04d14b362bb
SSDEEP

6144:AYa6pEVDnUE2PtG6HzwclJJMTayK+jzso6HPzXoQMQxLA:AYT6ItG+wcXmKChcbXNNx8

Score

10^/10

originbotnet keylogger rat trojan

Malware Config

Extracted

Family

originbotnet

C2

https://mmelak.com/gate

Attributes

add_startup
false
download_folder_name
4si50kud.vpv
hide_file_startup
false
startup_directory_name
pRcub
startup_environment_name
appdata
startup_installation_name
pRcub.exe
startup_registry_name
pRcub
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0

Signatures

OriginBotnet
OriginBotnet is a remote access trojan written in C#.
trojan rat keylogger originbotnet

Executes dropped EXE 3 IoCs

pid	Process
2976	atujtxaw.exe
116	atujtxaw.exe
368	atujtxaw.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2976 set thread context of 368	2976	atujtxaw.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4672	368	WerFault.exe	91

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
368	atujtxaw.exe
368	atujtxaw.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2976	atujtxaw.exe
2976	atujtxaw.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	368	atujtxaw.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2976	2872	T10987654568900000.exe	89
PID 2872 wrote to memory of 2976	2872	T10987654568900000.exe	89
PID 2872 wrote to memory of 2976	2872	T10987654568900000.exe	89
PID 2976 wrote to memory of 116	2976	atujtxaw.exe	90
PID 2976 wrote to memory of 116	2976	atujtxaw.exe	90
PID 2976 wrote to memory of 116	2976	atujtxaw.exe	90
PID 2976 wrote to memory of 368	2976	atujtxaw.exe	91
PID 2976 wrote to memory of 368	2976	atujtxaw.exe	91
PID 2976 wrote to memory of 368	2976	atujtxaw.exe	91
PID 2976 wrote to memory of 368	2976	atujtxaw.exe	91

C:\Users\Admin\AppData\Local\Temp\T10987654568900000.exe
"C:\Users\Admin\AppData\Local\Temp\T10987654568900000.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Local\Temp\atujtxaw.exe
  "C:\Users\Admin\AppData\Local\Temp\atujtxaw.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Users\Admin\AppData\Local\Temp\atujtxaw.exe
    "C:\Users\Admin\AppData\Local\Temp\atujtxaw.exe"
    3⤵
    - Executes dropped EXE
    PID:116
- - C:\Users\Admin\AppData\Local\Temp\atujtxaw.exe
    "C:\Users\Admin\AppData\Local\Temp\atujtxaw.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:368
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 1856
      4⤵
      Program crash
      PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 368 -ip 368
1⤵
PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\atujtxaw.exe

Filesize
150KB

MD5
b989f8cd3fd688cd1556d8c6737b06d8

SHA1
2aab018888aee67bb41930f79c0b24e51c0e82f0

SHA256
58cdbf4e6b2ff930888bbabc1109487c7afe0327ca9fed259367e120dfdf1f7c

SHA512
4f2879a90420b4066290ec8bd880b7d00a590876de91929386e667973a302fe944a33a63f432ab9b42496c3800f993a143fe101467869ed398c7a51b7086c521

Download Submit
C:\Users\Admin\AppData\Local\Temp\atujtxaw.exe

Filesize
150KB

MD5
b989f8cd3fd688cd1556d8c6737b06d8

SHA1
2aab018888aee67bb41930f79c0b24e51c0e82f0

SHA256
58cdbf4e6b2ff930888bbabc1109487c7afe0327ca9fed259367e120dfdf1f7c

SHA512
4f2879a90420b4066290ec8bd880b7d00a590876de91929386e667973a302fe944a33a63f432ab9b42496c3800f993a143fe101467869ed398c7a51b7086c521

Download Submit
C:\Users\Admin\AppData\Local\Temp\atujtxaw.exe

Filesize
150KB

MD5
b989f8cd3fd688cd1556d8c6737b06d8

SHA1
2aab018888aee67bb41930f79c0b24e51c0e82f0

SHA256
58cdbf4e6b2ff930888bbabc1109487c7afe0327ca9fed259367e120dfdf1f7c

SHA512
4f2879a90420b4066290ec8bd880b7d00a590876de91929386e667973a302fe944a33a63f432ab9b42496c3800f993a143fe101467869ed398c7a51b7086c521

Download Submit
C:\Users\Admin\AppData\Local\Temp\atujtxaw.exe

Filesize
150KB

MD5
b989f8cd3fd688cd1556d8c6737b06d8

SHA1
2aab018888aee67bb41930f79c0b24e51c0e82f0

SHA256
58cdbf4e6b2ff930888bbabc1109487c7afe0327ca9fed259367e120dfdf1f7c

SHA512
4f2879a90420b4066290ec8bd880b7d00a590876de91929386e667973a302fe944a33a63f432ab9b42496c3800f993a143fe101467869ed398c7a51b7086c521

Download Submit
C:\Users\Admin\AppData\Local\Temp\xthwmal.jjk

Filesize
127KB

MD5
ca6c9d418e2d3f038cd8b92eba29a27a

SHA1
c1ffe291145d336b9c6a637baa6fcc7c16e96c29

SHA256
efbafccca4a14520ef9af84db37b2e539a8b611e72be7f358cae583a022ef839

SHA512
d85ba798e6d364fe0f4ae369b538d01a6464bdb48a091e252567b954f8ccac5d9d6df64c1dce44fe8fd23fb4996127ddbc06f8296967ec3c392cb95663bb368b

Download Submit
memory/368-15-0x0000000002C10000-0x0000000002C1E000-memory.dmp

Filesize
56KB

Download
memory/368-20-0x0000000005470000-0x0000000005480000-memory.dmp

Filesize
64KB

Download
memory/368-10-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/368-12-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/368-13-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/368-14-0x0000000074C50000-0x0000000075400000-memory.dmp

Filesize
7.7MB

Download
memory/368-16-0x0000000005470000-0x0000000005480000-memory.dmp

Filesize
64KB

Download
memory/368-30-0x0000000007880000-0x0000000007DAC000-memory.dmp

Filesize
5.2MB

Download
memory/368-17-0x0000000005470000-0x0000000005480000-memory.dmp

Filesize
64KB

Download
memory/368-18-0x0000000005470000-0x0000000005480000-memory.dmp

Filesize
64KB

Download
memory/368-19-0x0000000005A30000-0x0000000005FD4000-memory.dmp

Filesize
5.6MB

Download
memory/368-8-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/368-21-0x0000000005610000-0x0000000005676000-memory.dmp

Filesize
408KB

Download
memory/368-22-0x0000000006A80000-0x0000000006B12000-memory.dmp

Filesize
584KB

Download
memory/368-23-0x0000000006E50000-0x0000000006E5A000-memory.dmp

Filesize
40KB

Download
memory/368-24-0x0000000074C50000-0x0000000075400000-memory.dmp

Filesize
7.7MB

Download
memory/368-25-0x0000000005470000-0x0000000005480000-memory.dmp

Filesize
64KB

Download
memory/368-26-0x0000000005470000-0x0000000005480000-memory.dmp

Filesize
64KB

Download
memory/368-27-0x0000000005470000-0x0000000005480000-memory.dmp

Filesize
64KB

Download
memory/368-28-0x0000000007180000-0x0000000007342000-memory.dmp

Filesize
1.8MB

Download
memory/368-29-0x0000000005470000-0x0000000005480000-memory.dmp

Filesize
64KB

Download
memory/2976-5-0x0000000000F90000-0x0000000000F92000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing