latentbot | 8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82

Analysis

max time kernel
151s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 12:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe
Size

236KB
MD5

28094131dfc2c92d57a665c7fbc4fc0e
SHA1

f4de5565f937af148e30a8539cbd7e5b468b81ea
SHA256

8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82
SHA512

ca97660047668b0a7682c604b19312a2e4769970dd982f9f722a5fb1f43009a3930e868ac6eb900b5d56aad608440a41b78d2266d29b5dd3f4abe2e5259e2fbc
SSDEEP

3072:2WTMqqDLy/Kd1Ndfy3uEJHl/XpK5HyhUm2KxY4QutuBI3259XdMCnNroRx9lc:OqqDLuCJouCFgJ/J46Im51e+NoG

Score

10^/10

latentbot netwire botnet rat stealer trojan

Malware Config

Extracted

Family

netwire

atlaswebportal.zapto.org:4000

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
R4_01.08.16
keylogger_dir
C:\NVIDIA\profile\
lock_executable
false
offline_keylogger
true
password
Micr0s0ft4456877
registry_autorun
false
use_mutex
false

Extracted

Family

latentbot

atlaswebportal.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

NetWire RAT payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/4004-4-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/4004-6-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/4004-10-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/4004-15-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Parrells.lnk	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe
4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe
4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe
4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe
4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe
4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe
4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe
4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102
PID 4232 wrote to memory of 4004	4232	8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe	102

C:\Users\Admin\AppData\Local\Temp\8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe
"C:\Users\Admin\AppData\Local\Temp\8a9a1eb215e94bd1dc4ef0218d4a4d750dc2e76a700e9c5712494e21972f6e82.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  PID:4004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4004-9-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/4004-11-0x0000000077590000-0x0000000077680000-memory.dmp

Filesize
960KB

Download
memory/4004-16-0x0000000077590000-0x0000000077680000-memory.dmp

Filesize
960KB

Download
memory/4004-4-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4004-5-0x00000000779E2000-0x00000000779E3000-memory.dmp

Filesize
4KB

Download
memory/4004-6-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4004-15-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4004-14-0x00000000779E2000-0x00000000779E3000-memory.dmp

Filesize
4KB

Download
memory/4004-10-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4004-12-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/4232-13-0x0000000002260000-0x00000000022DB000-memory.dmp

Filesize
492KB

Download
memory/4232-0-0x0000000002260000-0x00000000022DB000-memory.dmp

Filesize
492KB

Download
memory/4232-1-0x00000000779E2000-0x00000000779E3000-memory.dmp

Filesize
4KB

Download
memory/4232-2-0x0000000002260000-0x00000000022DB000-memory.dmp

Filesize
492KB

Download