latentbot | 018c8953f0aa9d8583264f426a30303871cc76407f2e435e3065e6088c201bee

Analysis

max time kernel
47s
max time network
38s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Server.exe
Size

38KB
MD5

ac91fef4ff392661cc06c326cabcac14
SHA1

2db2f2c6e6e15885729f92326f2990f7856133a4
SHA256

018c8953f0aa9d8583264f426a30303871cc76407f2e435e3065e6088c201bee
SHA512

eb3bff15478ce10f37e9fafc5cb4acd7b20b794b2d5c63d284348134e669d0c27340812f9217355c8c4dda398511ba744e9ea78dd263050812666fd3db5a75b2
SSDEEP

768:rIJSfjBLO67C+ugprhmoGPr2Uu4TQpBryb0A4T/1E4OA:QSfj5O+23u7fryAT

Score

10^/10

latentbot evasion persistence trojan

Malware Config

Extracted

Family

latentbot

hhhhhhhhhhh.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3036 netsh.exe

pid	process
3036	netsh.exe

Drops startup file 2 IoCs

Processes:

Server.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\babe8364d0b44de2ea6e4bcccd70281e.exe	Server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\babe8364d0b44de2ea6e4bcccd70281e.exe	Server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Server.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\babe8364d0b44de2ea6e4bcccd70281e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .."	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\babe8364d0b44de2ea6e4bcccd70281e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .."	Server.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Server.exe

pid process

2936 Server.exe
2936 Server.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Server.exe

description pid process

Token: SeDebugPrivilege 2936 Server.exe

pid	process
2936	Server.exe
2936	Server.exe

description	pid	process
Token: SeDebugPrivilege	2936	Server.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Server.exe

description	pid	process	target process
PID 2936 wrote to memory of 3036	2936	Server.exe	netsh.exe
PID 2936 wrote to memory of 3036	2936	Server.exe	netsh.exe
PID 2936 wrote to memory of 3036	2936	Server.exe	netsh.exe
PID 2936 wrote to memory of 3036	2936	Server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:3036

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\! My Picutre.SCR
Filesize
38KB

MD5
ac91fef4ff392661cc06c326cabcac14

SHA1
2db2f2c6e6e15885729f92326f2990f7856133a4

SHA256
018c8953f0aa9d8583264f426a30303871cc76407f2e435e3065e6088c201bee

SHA512
eb3bff15478ce10f37e9fafc5cb4acd7b20b794b2d5c63d284348134e669d0c27340812f9217355c8c4dda398511ba744e9ea78dd263050812666fd3db5a75b2

Download Submit
memory/2936-0-0x0000000074400000-0x00000000749AB000-memory.dmp

Filesize
5.7MB

Download
memory/2936-1-0x0000000074400000-0x00000000749AB000-memory.dmp

Filesize
5.7MB

Download
memory/2936-2-0x0000000001ED0000-0x0000000001F10000-memory.dmp

Filesize
256KB

Download
memory/2936-5-0x0000000074400000-0x00000000749AB000-memory.dmp

Filesize
5.7MB

Download
memory/2936-7-0x0000000001ED0000-0x0000000001F10000-memory.dmp

Filesize
256KB

Download