originbotnet | cf52051f68630359830c5b2d6c9b8ff3b6e95c5667238787f2972accc0bc0201

General

Target

cf52051f68630359830c5b2d6c9b8ff3b6e95c5667238787f2972accc0bc0201.exe
Size

251KB
MD5

abf939bc3a20a604f88b1dd4399ca2d7
SHA1

c656a5989a07d9b104c1eb144d4609d50264bee4
SHA256

cf52051f68630359830c5b2d6c9b8ff3b6e95c5667238787f2972accc0bc0201
SHA512

a623060911ddd9fd4ecd8725a9ef6324f391a46fd800fb425b3b2fe7f3affe9c8bfabb6f5b9b9b55aff49cdc24f610530889ba159014dd49974d1431b3797abd
SSDEEP

6144:PYa6dVy0sCLFy97dXRusmcsTA1A05WntAI00cSz4B:PYRnnLFojusmBqCue4B

Score

10^/10

originbotnet keylogger persistence rat trojan

Malware Config

Extracted

Family

originbotnet

C2

https://mmelak.com/gate

Attributes

add_startup
false
download_folder_name
4si50kud.vpv
hide_file_startup
false
startup_directory_name
pRcub
startup_environment_name
appdata
startup_installation_name
pRcub.exe
startup_registry_name
pRcub
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0

Signatures

OriginBotnet
OriginBotnet is a remote access trojan written in C#.
trojan rat keylogger originbotnet

Executes dropped EXE 2 IoCs

pid	Process
3540	dovhbys.exe
2200	dovhbys.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lueajenw = "C:\\Users\\Admin\\AppData\\Roaming\\afoj\\soxhdmvrbwgp.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dovhbys.exe\" "	dovhbys.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3540 set thread context of 2200	3540	dovhbys.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2200	dovhbys.exe
2200	dovhbys.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3540	dovhbys.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2200	dovhbys.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 3540	2332	cf52051f68630359830c5b2d6c9b8ff3b6e95c5667238787f2972accc0bc0201.exe	89
PID 2332 wrote to memory of 3540	2332	cf52051f68630359830c5b2d6c9b8ff3b6e95c5667238787f2972accc0bc0201.exe	89
PID 2332 wrote to memory of 3540	2332	cf52051f68630359830c5b2d6c9b8ff3b6e95c5667238787f2972accc0bc0201.exe	89
PID 3540 wrote to memory of 2200	3540	dovhbys.exe	91
PID 3540 wrote to memory of 2200	3540	dovhbys.exe	91
PID 3540 wrote to memory of 2200	3540	dovhbys.exe	91
PID 3540 wrote to memory of 2200	3540	dovhbys.exe	91

C:\Users\Admin\AppData\Local\Temp\cf52051f68630359830c5b2d6c9b8ff3b6e95c5667238787f2972accc0bc0201.exe
"C:\Users\Admin\AppData\Local\Temp\cf52051f68630359830c5b2d6c9b8ff3b6e95c5667238787f2972accc0bc0201.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\AppData\Local\Temp\dovhbys.exe
  "C:\Users\Admin\AppData\Local\Temp\dovhbys.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3540
- - C:\Users\Admin\AppData\Local\Temp\dovhbys.exe
    "C:\Users\Admin\AppData\Local\Temp\dovhbys.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4152,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=4124 /prefetch:8
1⤵
PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dovhbys.exe

Filesize
202KB

MD5
0bef3d69abb4fe0e2e175ce823b2aa55

SHA1
aef3193926ef341507fc931c1b375e19eb872bd3

SHA256
2e422f230bd4a88cc223995a131d6ce9316eea7087d84d059fc45a35af3ea26c

SHA512
f49e671ed2e8d0e029a214ed0b80b88b2f671ef2d1fd4f49b5da2fa64dd2d4fe2e73f615734a2f5222a5c5627474c55f54dae2f90d9b95df3c08b55fea27fbf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rdzgbm.x

Filesize
127KB

MD5
14f6f66657f3d78232fe641023655aea

SHA1
209e74b51b29234ef5c01eee7aca467e55a17c57

SHA256
d5eec48e87ade3f293b7e0732125a7eb9994e4ef0ccb7d2e69cad474bb645424

SHA512
7d72576d8e10ea80daaf76f6c778d17c7980d263b3ec625f5b13fe5cb18436a44d3329e57fd6fa00a9543802e6963aa940d18e48571d215df5c845716889e5f9

Download Submit
memory/2200-17-0x0000000005610000-0x0000000005BB4000-memory.dmp

Filesize
5.6MB

Download
memory/2200-18-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/2200-10-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2200-12-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2200-13-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2200-14-0x000000007456E000-0x000000007456F000-memory.dmp

Filesize
4KB

Download
memory/2200-15-0x00000000028E0000-0x00000000028EE000-memory.dmp

Filesize
56KB

Download
memory/2200-16-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/2200-28-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/2200-8-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2200-19-0x0000000004ED0000-0x0000000004F36000-memory.dmp

Filesize
408KB

Download
memory/2200-20-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/2200-21-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/2200-22-0x0000000006430000-0x00000000064C2000-memory.dmp

Filesize
584KB

Download
memory/2200-23-0x00000000065C0000-0x00000000065CA000-memory.dmp

Filesize
40KB

Download
memory/2200-24-0x00000000068A0000-0x0000000006A62000-memory.dmp

Filesize
1.8MB

Download
memory/2200-25-0x0000000006FA0000-0x00000000074CC000-memory.dmp

Filesize
5.2MB

Download
memory/2200-26-0x000000007456E000-0x000000007456F000-memory.dmp

Filesize
4KB

Download
memory/2200-27-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/3540-5-0x0000000000F30000-0x0000000000F32000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads