latentbot | 1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999

Analysis

max time kernel
144s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe
Size

208KB
MD5

a7ce8ea97df340e6f7a77dcbe065a617
SHA1

fc6a7ed72833e438e752274fe61812fb2e2988f4
SHA256

1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999
SHA512

b30a69779a775097aecd3b0f9e060291a1d4c0c7e202f1334fc5d9ae43c4fa6a09d803f46b0b7fc6855adeabdf87912a7326694425dc91eb3ff9868103d36593
SSDEEP

3072:2TDMqqDLy/kr+HnCV3wJJEi78QB7NoL0Kl9cUrfXkDUYGDYyMfz:5qqDLukrYnCVAJeCAYKl9cUrfkgYGG

Score

10^/10

latentbot netwire botnet rat stealer trojan upx

Malware Config

Extracted

Family

netwire

knudandersen.zapto.org:21000

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
07.02.17
keylogger_dir
C:\NVIDIA\profile\
lock_executable
false
offline_keylogger
true
password
1@wi%252ReNd5y0576Z*
registry_autorun
false
use_mutex
false

Extracted

Family

latentbot

knudandersen.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

NetWire RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/3860-8-0x0000000000400000-0x0000000000424000-memory.dmp	netwire
behavioral2/memory/3860-12-0x0000000000400000-0x0000000000424000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3860-2-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/3860-4-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/3860-6-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/3860-7-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/3860-8-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/3860-12-0x0000000000400000-0x0000000000424000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\.Identifier	explorer.exe
File opened for modification	C:\Windows\SysWOW64\.Identifier	explorer.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1108	3556	WerFault.exe	84

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe
3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe
3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe
3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe
3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe
3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe
3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe
3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95
PID 3556 wrote to memory of 3860	3556	1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe	95

C:\Users\Admin\AppData\Local\Temp\1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe
"C:\Users\Admin\AppData\Local\Temp\1de716ebb8058320596fec8dad043651f64f18cfb9b0a4defa67a7c93f30b999.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 380
  2⤵
  - Program crash
  PID:1108
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  - Drops file in System32 directory
  PID:3860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3556 -ip 3556
1⤵
PID:3480

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3556-0-0x0000000002290000-0x000000000230B000-memory.dmp

Filesize
492KB

Download
memory/3556-1-0x0000000077D62000-0x0000000077D63000-memory.dmp

Filesize
4KB

Download
memory/3556-11-0x0000000002290000-0x000000000230B000-memory.dmp

Filesize
492KB

Download
memory/3860-4-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3860-3-0x0000000077D62000-0x0000000077D63000-memory.dmp

Filesize
4KB

Download
memory/3860-5-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/3860-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3860-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3860-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3860-2-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3860-12-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3860-13-0x0000000077D62000-0x0000000077D63000-memory.dmp

Filesize
4KB

Download
memory/3860-14-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download