latentbot | 5d72ad5b0fb0ed3f9ecea2ab0ef372261950fdbd499dc299195858bdf8f22075 | Triage

Sharing

General

Target

5d72ad5b0fb0ed3f9ecea2ab0ef372261950fdbd499dc299195858bdf8f22075
Size

168KB
Sample

240410-nb82wsgg61
MD5

c57f16bd980eec7340d1e541877f0098
SHA1

1095f812da48ba7aa1dd384fc100681764ccc60f
SHA256

5d72ad5b0fb0ed3f9ecea2ab0ef372261950fdbd499dc299195858bdf8f22075
SHA512

b6c714223780b3a538d1d1fb88a890cafb55fdc0a7041f2c1d339910c125dadb7d742ae8ba91978d6787fba8494a88422f6ae321562899980ba3e71a1f8d39e4
SSDEEP

3072:2DDMqqDLy/7+XIPnGMU4V4KfZnpUs17/WpjVe1XEIoC7KeNQ74mqpLW:1qqDLu7fPGMT/XN/WpQ1UtC7PQYpLW

Score

10^/10

latentbot netwire botnet persistence rat stealer trojan

Malware Config

Extracted

Family

netwire

C2

knudandersen.zapto.org:10665

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
LD_18.02.17
install_path
%AppData%\Appconfig\megaphone.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Wq5ZU7dq43vQG8c
registry_autorun
true
startup_name
Megaphonesone
use_mutex
false

Extracted

Family

latentbot

C2

knudandersen.zapto.org

Targets

- Target
  
  5d72ad5b0fb0ed3f9ecea2ab0ef372261950fdbd499dc299195858bdf8f22075
- Size
  
  168KB
- MD5
  
  c57f16bd980eec7340d1e541877f0098
- SHA1
  
  1095f812da48ba7aa1dd384fc100681764ccc60f
- SHA256
  
  5d72ad5b0fb0ed3f9ecea2ab0ef372261950fdbd499dc299195858bdf8f22075
- SHA512
  
  b6c714223780b3a538d1d1fb88a890cafb55fdc0a7041f2c1d339910c125dadb7d742ae8ba91978d6787fba8494a88422f6ae321562899980ba3e71a1f8d39e4
- SSDEEP
  
  3072:2DDMqqDLy/7+XIPnGMU4V4KfZnpUs17/WpjVe1XEIoC7KeNQ74mqpLW:1qqDLu7fPGMT/XN/WpQ1UtC7PQYpLW
Score

10^/10

latentbot netwire botnet persistence rat stealer trojan
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

latentbotnetwirebotnetpersistenceratstealertrojan

behavioral2

latentbotnetwirebotnetpersistenceratstealertrojan