originbotnet | cf52051f68630359830c5b2d6c9b8ff3b6e95c5667238787f2972accc0bc0201

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dovhbys.exe
Size

202KB
MD5

0bef3d69abb4fe0e2e175ce823b2aa55
SHA1

aef3193926ef341507fc931c1b375e19eb872bd3
SHA256

2e422f230bd4a88cc223995a131d6ce9316eea7087d84d059fc45a35af3ea26c
SHA512

f49e671ed2e8d0e029a214ed0b80b88b2f671ef2d1fd4f49b5da2fa64dd2d4fe2e73f615734a2f5222a5c5627474c55f54dae2f90d9b95df3c08b55fea27fbf0
SSDEEP

3072:0TkPSL1oCO72F8SgdU7sJJKGG/oADbA9McY2/mq3+Ag0FujqgA0e38:0IPSLSU8PdU7o0GuHAyc9uAOli8

Score

10^/10

originbotnet keylogger persistence rat trojan

Malware Config

Extracted

Family

originbotnet

https://mmelak.com/gate

Attributes

add_startup
false
download_folder_name
4si50kud.vpv
hide_file_startup
false
startup_directory_name
pRcub
startup_environment_name
appdata
startup_installation_name
pRcub.exe
startup_registry_name
pRcub
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0

Signatures

OriginBotnet
OriginBotnet is a remote access trojan written in C#.
trojan rat keylogger originbotnet

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lueajenw = "C:\\Users\\Admin\\AppData\\Roaming\\afoj\\soxhdmvrbwgp.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dovhbys.exe\""	dovhbys.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2792 set thread context of 5036	2792	dovhbys.exe	83

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4984	2792	WerFault.exe	81

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5036	dovhbys.exe
5036	dovhbys.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2792	dovhbys.exe
2792	dovhbys.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5036	dovhbys.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 3500	2792	dovhbys.exe	82
PID 2792 wrote to memory of 3500	2792	dovhbys.exe	82
PID 2792 wrote to memory of 3500	2792	dovhbys.exe	82
PID 2792 wrote to memory of 5036	2792	dovhbys.exe	83
PID 2792 wrote to memory of 5036	2792	dovhbys.exe	83
PID 2792 wrote to memory of 5036	2792	dovhbys.exe	83
PID 2792 wrote to memory of 5036	2792	dovhbys.exe	83

C:\Users\Admin\AppData\Local\Temp\dovhbys.exe
"C:\Users\Admin\AppData\Local\Temp\dovhbys.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Users\Admin\AppData\Local\Temp\dovhbys.exe
  "C:\Users\Admin\AppData\Local\Temp\dovhbys.exe"
  2⤵
  PID:3500
- C:\Users\Admin\AppData\Local\Temp\dovhbys.exe
  "C:\Users\Admin\AppData\Local\Temp\dovhbys.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5036
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 676
  2⤵
  - Program crash
  PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2792 -ip 2792
1⤵
PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2792-0-0x00000000009B0000-0x00000000009B2000-memory.dmp

Filesize
8KB

Download
memory/5036-3-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5036-4-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5036-2-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5036-5-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5036-6-0x00000000749BE000-0x00000000749BF000-memory.dmp

Filesize
4KB

Download
memory/5036-7-0x0000000002F20000-0x0000000002F2E000-memory.dmp

Filesize
56KB

Download
memory/5036-8-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/5036-9-0x0000000005D70000-0x0000000006314000-memory.dmp

Filesize
5.6MB

Download
memory/5036-10-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/5036-11-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/5036-12-0x00000000057C0000-0x0000000005826000-memory.dmp

Filesize
408KB

Download
memory/5036-13-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/5036-14-0x0000000006AF0000-0x0000000006B82000-memory.dmp

Filesize
584KB

Download
memory/5036-15-0x0000000006FC0000-0x0000000006FCA000-memory.dmp

Filesize
40KB

Download
memory/5036-16-0x0000000007270000-0x0000000007432000-memory.dmp

Filesize
1.8MB

Download
memory/5036-17-0x0000000007970000-0x0000000007E9C000-memory.dmp

Filesize
5.2MB

Download
memory/5036-18-0x00000000749BE000-0x00000000749BF000-memory.dmp

Filesize
4KB

Download
memory/5036-19-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/5036-20-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download