latentbot | 6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686

Analysis

max time kernel
143s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 11:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe
Size

232KB
MD5

e6714e3bd83b4a349ab48cc203b91813
SHA1

5f691a8f917a30129dfba99513648b884521caba
SHA256

6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686
SHA512

903bb279293d8d9f99dd1fd5eb1c98d1e0379c06677d97e3f7dbab3790f2fa90c582c55a73b32117c627ded1c6dfd8fb6e7502757d8725882b6c1bbab5de96e3
SSDEEP

6144:fqqDLuH5Qq1BpPrWCFb26J7XUsf32v8ysFsi:CqnuZxfFb9Oncsi

Score

10^/10

latentbot netwire botnet rat stealer trojan

Malware Config

Extracted

Family

netwire

atlaswebportal.zapto.org:4000

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
R5_04.08.16_02
keylogger_dir
C:\NVIDIA\profile\
lock_executable
false
offline_keylogger
true
password
Micr0s0ft4456877
registry_autorun
false
use_mutex
false

Extracted

Family

latentbot

atlaswebportal.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

NetWire RAT payload 5 IoCs

rat

resource	yara_rule
behavioral2/memory/404-4-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral2/memory/404-6-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral2/memory/404-10-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral2/memory/404-13-0x0000000076E40000-0x0000000076F30000-memory.dmp	netwire
behavioral2/memory/404-15-0x0000000000400000-0x000000000041F000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioWizard.lnk	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe
3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe
3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe
3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe
3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe
3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe
3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe
3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94
PID 3344 wrote to memory of 404	3344	6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe	94

C:\Users\Admin\AppData\Local\Temp\6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe
"C:\Users\Admin\AppData\Local\Temp\6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3344
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  PID:404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/404-10-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/404-14-0x0000000077EC2000-0x0000000077EC3000-memory.dmp

Filesize
4KB

Download
memory/404-16-0x0000000076E40000-0x0000000076F30000-memory.dmp

Filesize
960KB

Download
memory/404-4-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/404-5-0x0000000077EC2000-0x0000000077EC3000-memory.dmp

Filesize
4KB

Download
memory/404-6-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/404-15-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/404-7-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/404-13-0x0000000076E40000-0x0000000076F30000-memory.dmp

Filesize
960KB

Download
memory/404-12-0x0000000001200000-0x0000000001201000-memory.dmp

Filesize
4KB

Download
memory/3344-0-0x0000000002230000-0x00000000022AB000-memory.dmp

Filesize
492KB

Download
memory/3344-11-0x0000000002230000-0x00000000022AB000-memory.dmp

Filesize
492KB

Download
memory/3344-1-0x0000000077EC2000-0x0000000077EC3000-memory.dmp

Filesize
4KB

Download
memory/3344-2-0x0000000002230000-0x00000000022AB000-memory.dmp

Filesize
492KB

Download