latentbot | ae6f59d14ce7584e9dccf8e88f540fac601d92d35c6e6b0013f4e6682d08e7e5

General

Target

ORDER DRAWING AND PHOTOS.exe
Size

2.0MB
MD5

395bb950d2979e4c3911d90852c06345
SHA1

2a693150907af200bbf8582a69e663d23249c7d0
SHA256

1adbc19898a40ae7f2c6fd9a6d1c502c7152ba6b04d4584e2c7476606f9b24ff
SHA512

d95b46177b0820f286e99f647ff398788d24502885fc2b63fe19dfb1a58d7ae15cabd2749ab00b709b37a3fb75b9ccf28628ad2f686a507fc1142486a8f32b61
SSDEEP

12288:xkNH+OOlsur4fwML7K6yD210eS+Fl1DkjGKUuU6Sn:mH+D+Hb3K6yD22eTl1oj1UYq

Score

10^/10

latentbot stormkitty xworm discovery rat stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

weidmachane.zapto.org:7000

Mutex

Y3sPpIW4xQztdVfl

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

latentbot

C2

weidmachane.zapto.org

Signatures

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/memory/2412-13-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2412-11-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2412-9-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2412-7-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2412-6-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
Latentbot family
latentbot
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/2412-19-0x0000000005D20000-0x0000000005E40000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1832 set thread context of 2412	1832	ORDER DRAWING AND PHOTOS.exe	31

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2412	CasPol.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2412	CasPol.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 2412	1832	ORDER DRAWING AND PHOTOS.exe	31
PID 1832 wrote to memory of 2412	1832	ORDER DRAWING AND PHOTOS.exe	31
PID 1832 wrote to memory of 2412	1832	ORDER DRAWING AND PHOTOS.exe	31
PID 1832 wrote to memory of 2412	1832	ORDER DRAWING AND PHOTOS.exe	31
PID 1832 wrote to memory of 2412	1832	ORDER DRAWING AND PHOTOS.exe	31
PID 1832 wrote to memory of 2412	1832	ORDER DRAWING AND PHOTOS.exe	31
PID 1832 wrote to memory of 2412	1832	ORDER DRAWING AND PHOTOS.exe	31
PID 1832 wrote to memory of 2412	1832	ORDER DRAWING AND PHOTOS.exe	31
PID 1832 wrote to memory of 2412	1832	ORDER DRAWING AND PHOTOS.exe	31
PID 1832 wrote to memory of 852	1832	ORDER DRAWING AND PHOTOS.exe	32
PID 1832 wrote to memory of 852	1832	ORDER DRAWING AND PHOTOS.exe	32
PID 1832 wrote to memory of 852	1832	ORDER DRAWING AND PHOTOS.exe	32

C:\Users\Admin\AppData\Local\Temp\ORDER DRAWING AND PHOTOS.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER DRAWING AND PHOTOS.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1832 -s 616
  2⤵
  PID:852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

1

T1217

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1832-3-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp

Filesize
9.9MB

Download
memory/1832-15-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp

Filesize
9.9MB

Download
memory/1832-0-0x000007FEF6523000-0x000007FEF6524000-memory.dmp

Filesize
4KB

Download
memory/1832-1-0x0000000001150000-0x0000000001156000-memory.dmp

Filesize
24KB

Download
memory/1832-2-0x0000000000680000-0x00000000006E2000-memory.dmp

Filesize
392KB

Download
memory/2412-7-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2412-11-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2412-5-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2412-4-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2412-14-0x0000000074C0E000-0x0000000074C0F000-memory.dmp

Filesize
4KB

Download
memory/2412-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2412-9-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2412-6-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2412-13-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2412-16-0x0000000074C00000-0x00000000752EE000-memory.dmp

Filesize
6.9MB

Download
memory/2412-17-0x0000000074C0E000-0x0000000074C0F000-memory.dmp

Filesize
4KB

Download
memory/2412-18-0x0000000074C00000-0x00000000752EE000-memory.dmp

Filesize
6.9MB

Download
memory/2412-19-0x0000000005D20000-0x0000000005E40000-memory.dmp

Filesize
1.1MB

Download
memory/2412-43-0x0000000004FE0000-0x0000000004FEE000-memory.dmp

Filesize
56KB

Download
memory/2412-44-0x00000000080A0000-0x00000000083F0000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads