latentbot | 48db9d908b5db4c809f5175c99d0a8e9957a559d976568e8b0f8db853eb3d766

General

Target

48db9d908b5db4c809f5175c99d0a8e9957a559d976568e8b0f8db853eb3d766N.exe
Size

758KB
MD5

226b5c545640bb6033225c40bc758850
SHA1

fda9652f4e51bf9c593962aaf47cffbaea216f86
SHA256

48db9d908b5db4c809f5175c99d0a8e9957a559d976568e8b0f8db853eb3d766
SHA512

ea51a59beb4a1e5f9ee4f18f9070b07076284ee7181a0f24a579347fc89cd424d3de5ab65ca904eefc2321e00313514fb58a52240c9aeb0350d659a956035266
SSDEEP

12288:xyveQB/fTHIGaPkKEYzURNAwbAgB2X+t4qsEfFEZjAHuKDAS7vM5nP1ZSz:xuDXTIGaPhEYzUzA0/0qsEfFmvqLMxHY

Score

10^/10

latentbot discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

latentbot

C2

zxceblan228sexpenis.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2800	netsh.exe

Executes dropped EXE 4 IoCs

pid	Process
2468	11111.exe
1224	Process not Found
3064	SERVER~1.EXE
2804	server.exe

Loads dropped DLL 2 IoCs

pid	Process
1984	48db9d908b5db4c809f5175c99d0a8e9957a559d976568e8b0f8db853eb3d766N.exe
2468	11111.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	11111.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	server.exe
Token: 33	2804	server.exe
Token: SeIncBasePriorityPrivilege	2804	server.exe
Token: 33	2804	server.exe
Token: SeIncBasePriorityPrivilege	2804	server.exe
Token: 33	2804	server.exe
Token: SeIncBasePriorityPrivilege	2804	server.exe
Token: 33	2804	server.exe
Token: SeIncBasePriorityPrivilege	2804	server.exe
Token: 33	2804	server.exe
Token: SeIncBasePriorityPrivilege	2804	server.exe
Token: 33	2804	server.exe
Token: SeIncBasePriorityPrivilege	2804	server.exe
Token: 33	2804	server.exe
Token: SeIncBasePriorityPrivilege	2804	server.exe
Token: 33	2804	server.exe
Token: SeIncBasePriorityPrivilege	2804	server.exe
Token: 33	2804	server.exe
Token: SeIncBasePriorityPrivilege	2804	server.exe
Token: 33	2804	server.exe
Token: SeIncBasePriorityPrivilege	2804	server.exe
Token: 33	2804	server.exe
Token: SeIncBasePriorityPrivilege	2804	server.exe
Token: 33	2804	server.exe
Token: SeIncBasePriorityPrivilege	2804	server.exe
Token: 33	2804	server.exe
Token: SeIncBasePriorityPrivilege	2804	server.exe
Token: 33	2804	server.exe
Token: SeIncBasePriorityPrivilege	2804	server.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2468	1984	48db9d908b5db4c809f5175c99d0a8e9957a559d976568e8b0f8db853eb3d766N.exe	31
PID 1984 wrote to memory of 2468	1984	48db9d908b5db4c809f5175c99d0a8e9957a559d976568e8b0f8db853eb3d766N.exe	31
PID 1984 wrote to memory of 2468	1984	48db9d908b5db4c809f5175c99d0a8e9957a559d976568e8b0f8db853eb3d766N.exe	31
PID 2468 wrote to memory of 3064	2468	11111.exe	32
PID 2468 wrote to memory of 3064	2468	11111.exe	32
PID 2468 wrote to memory of 3064	2468	11111.exe	32
PID 3064 wrote to memory of 2804	3064	SERVER~1.EXE	33
PID 3064 wrote to memory of 2804	3064	SERVER~1.EXE	33
PID 3064 wrote to memory of 2804	3064	SERVER~1.EXE	33
PID 3064 wrote to memory of 2804	3064	SERVER~1.EXE	33
PID 2804 wrote to memory of 2800	2804	server.exe	34
PID 2804 wrote to memory of 2800	2804	server.exe	34
PID 2804 wrote to memory of 2800	2804	server.exe	34
PID 2804 wrote to memory of 2800	2804	server.exe	34

C:\Users\Admin\AppData\Local\Temp\48db9d908b5db4c809f5175c99d0a8e9957a559d976568e8b0f8db853eb3d766N.exe
"C:\Users\Admin\AppData\Local\Temp\48db9d908b5db4c809f5175c99d0a8e9957a559d976568e8b0f8db853eb3d766N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\11111.exe
  "C:\Users\Admin\AppData\Local\Temp\11111.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe" "server.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE

Filesize
453KB

MD5
49eacc3b29a6c91501e2e084dddc1e33

SHA1
acf4585f11e0a72946d0e4a31b0151b31a82776a

SHA256
677110fa532a0751b174ef841ea0aec5f76af2a0545ce64e6df7d047b936114a

SHA512
6b6d1060858a21cbb76faabd3596d64880941cbccbcfd420cf44ad80372d3b9aba9a78781b1711b2a2d1af04916a6517eb87afb1332271e651a7f3f1c1138836

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe

Filesize
37KB

MD5
3c15da341bbd762a44d84b8325709b10

SHA1
927388d7c7e80f9a2b0d4b500cf040c1c17b1133

SHA256
e340d343d38eb7b22bf2cbbc7001e2e174de1abcc37c81a8d624c9281bbf9123

SHA512
8f53976d2c63849b4b58945167d81ee6296c8c74dcaf6da22b537a07eed4b9c2ccce1c1d6c84f9ab9f8d6ad0facbf2e50d5d014ba0c070bf10c7686df997cfaf

Download Submit
\Users\Admin\AppData\Local\Temp\11111.EXE

Filesize
374KB

MD5
1e4f8f81465a3b3824b027f7f7e16286

SHA1
1a050c903b80ed73f66e7e7c97c652ea4ade7cf4

SHA256
42506f70287a39356a976330894d88e16dd80c894ddee382d23ff32d3c771164

SHA512
a7992ddd8da8f17be1b88b575a892374771e37d84f29ddd410cf63e58c509c41945e867381d199777bca28b6c761a2d34ec668fcc104a83c7bd2e66bcd734ec2

Download Submit
memory/2804-25-0x00000000747D1000-0x00000000747D2000-memory.dmp

Filesize
4KB

Download
memory/2804-26-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/2804-27-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/2804-28-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/2804-29-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads