latentbot | cac8fe9363cd9e2a31aeb383fe2df3800a4ca35edbe9c697093a13f1067f0292 | Triage

Sharing

General

Target

0a3769db6a54f333863175a07dd9087f_JaffaCakes118
Size

120KB
Sample

241002-mj1vtavfqh
MD5

0a3769db6a54f333863175a07dd9087f
SHA1

f7ec8045756e4ba3af748fef35590aa41766454c
SHA256

cac8fe9363cd9e2a31aeb383fe2df3800a4ca35edbe9c697093a13f1067f0292
SHA512

9315eb828d82ddecf54e2675ee495d481dcfe88e515dd41ccd8da1a0914b7cfad529027503700b05787fdb230fd5e646e82f3d43342723bd08cb5241de3ec572
SSDEEP

1536:m5Tzro/5XkgEUs6MB0nUQP9TswNnZ7UgIoDlklyEYwuoVMG5W7QZg7II/CwDPTxU:AO5Xk7Us6NnVACZpNklyBG5iWItD92v

Score

10^/10

latentbot netwire botnet discovery persistence rat stealer trojan

Malware Config

Extracted

Family

netwire

C2

ghjghjjhgjhgjhjhgjh.zapto.org:20000

Attributes

activex_autorun
true
activex_key
{5D03ES3I-Y34Q-83S6-0YJQ-4M3410JYQ88K}
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
NetWire
use_mutex
false

Extracted

Family

latentbot

C2

ghjghjjhgjhgjhjhgjh.zapto.org

Targets

- Target
  
  0a3769db6a54f333863175a07dd9087f_JaffaCakes118
- Size
  
  120KB
- MD5
  
  0a3769db6a54f333863175a07dd9087f
- SHA1
  
  f7ec8045756e4ba3af748fef35590aa41766454c
- SHA256
  
  cac8fe9363cd9e2a31aeb383fe2df3800a4ca35edbe9c697093a13f1067f0292
- SHA512
  
  9315eb828d82ddecf54e2675ee495d481dcfe88e515dd41ccd8da1a0914b7cfad529027503700b05787fdb230fd5e646e82f3d43342723bd08cb5241de3ec572
- SSDEEP
  
  1536:m5Tzro/5XkgEUs6MB0nUQP9TswNnZ7UgIoDlklyEYwuoVMG5W7QZg7II/CwDPTxU:AO5Xk7Us6NnVACZpNklyBG5iWItD92v
Score

10^/10

latentbot netwire botnet discovery persistence rat stealer trojan
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

latentbotnetwirebotnetdiscoverypersistenceratstealertrojan

behavioral2

latentbotnetwirebotnetdiscoverypersistenceratstealertrojan