General

  • Target

    mal.vbs

  • Size

    23KB

  • Sample

    240809-pqs5navbjc

  • MD5

    c697283f6d4effbc73365f1e6ce56754

  • SHA1

    35f538451885c8d0ab49431df3e6d78deadb4bbe

  • SHA256

    c5eaf4973b45ebcb1e10afc0f49d5b84c4d4214103c4b77a0263a6510f2d9ac0

  • SHA512

    c5699a35e1c1b9a28dcc96088e8ff07e625436d0a6bcb0a869f13dff998fb4fcef02f15d275c8f1064a4d2685cd349ff80f506d7db69bcd72049e209922fac79

  • SSDEEP

    384:oAuL8pGgtbsDFC70X0kNMthfiFQS/Lo/GY0XkUoJbG3gYgd1YQ+gNIINVS0AgAxw:LuL8pbsZCiMthqFQOLo/GY0L4p2O5d4Q

Malware Config

Extracted

Family

latentbot

C2

j46y565i34wru.zapto.org

Targets

    • LatentBot

      Modular trojan written in Delphi that has been in the wild since 2013.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Detected Nirsoft tools

      Free utilities, often used by attackers, that can recover passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook accounts

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks