General

  • Target

    archivo3.vbs

  • Size

    26KB

  • Sample

    241206-y2al5avpht

  • MD5

    77eb1c375c533e113eda1ec49482306d

  • SHA1

    2ad13bce885c0564563f38e9bf89300de2ff9c37

  • SHA256

    d777e35f6d9f6738e7971edc703456bbaf4d103802c829bba6fdf34efeb6b09f

  • SHA512

    adfe60f03bff6ca4272183a7c37f5394a68f774b1ed29faa2f56b6c00ec80e63ae47f53629fbf8130673ea3e97d9165a42bb985407a121d1bb0cfd668c53cdb7

  • SSDEEP

    384:VmK2JJzEYbBb11111VzNMth9Y7hp7h4UO/KtvviXV0rgvlFR:QK2JJzbBFMthK73Y/KtvvkV0kvlX

Malware Config

Extracted

Family

latentbot

C2

the11industrious.zapto.org

Targets

    • Target

      archivo3.vbs

    • LatentBot

      Modular trojan written in Delphi that has been in the wild since 2013.

    • Latentbot family

    • Detected Nirsoft tools

      Free utilities, often abused by attackers, that can recover stored passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Blocklisted process makes network request

    • A potential corporate email address has been identified in the URL: vlibras-portal@dev

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook accounts

    • Suspicious use of SetThreadContext
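The hashes under General and the C2 host under Malware Config are the report's actionable indicators. The script below is an added triage helper, not part of the sandbox output: it hashes a candidate file with the four digests the report lists, compares them against the reported values, and scans DNS log lines for the extracted C2 host (including subdomains of it, case-insensitively, ignoring a trailing dot). The hash values and the C2 domain are copied from this report; the sample bytes and the DNS log lines in `SAMPLE_DNS_LOG` are constructed for illustration and their field layout is an assumption, not any product's real format. SSDEEP is not recomputed because the standard library has no ssdeep implementation.

```python
"""IOC triage helper (added example; not part of the sandbox report)."""
import hashlib
import re

# Indicators copied from the report.
IOC_HASHES = {
    "md5": "77eb1c375c533e113eda1ec49482306d",
    "sha1": "2ad13bce885c0564563f38e9bf89300de2ff9c37",
    "sha256": "d777e35f6d9f6738e7971edc703456bbaf4d103802c829bba6fdf34efeb6b09f",
    "sha512": "adfe60f03bff6ca4272183a7c37f5394a68f774b1ed29faa2f56b6c00ec80e63"
              "ae47f53629fbf8130673ea3e97d9165a42bb985407a121d1bb0cfd668c53cdb7",
}
C2_HOSTS = {"the11industrious.zapto.org"}

# Constructed DNS log lines (assumed layout, not a real product format).
SAMPLE_DNS_LOG = [
    "2024-12-06 10:14:02 host=WS01 query=the11industrious.zapto.org type=A",
    "2024-12-06 10:14:03 host=WS01 query=update.microsoft.com type=A",
    "2024-12-06 10:14:05 host=WS02 query=THE11INDUSTRIOUS.ZAPTO.ORG. type=A",
]

_HOST_RE = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def hash_sample(data: bytes) -> dict:
    """Return the four digests the report lists, hex-encoded and lower-case."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def hash_file(path: str) -> dict:
    """Same as hash_sample, reading a file in chunks so large files are fine."""
    hashers = {name: hashlib.new(name) for name in IOC_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def matches_known_sample(data: bytes) -> list:
    """Names of the digests under which `data` equals the reported sample."""
    digests = hash_sample(data)
    return [name for name, value in digests.items() if IOC_HASHES[name] == value]


def c2_hits(log_lines) -> list:
    """Return (line, host) pairs for log lines that name a C2 host.

    A host matches if it equals a C2 host or is a subdomain of one, so
    'cdn.the11industrious.zapto.org' is flagged but a lookalike such as
    'the11industrious.zapto.org.evil.test' is not.
    """
    hits = []
    for line in log_lines:
        for token in _HOST_RE.findall(line):
            host = token.lower().rstrip(".")
            if any(host == c2 or host.endswith("." + c2) for c2 in C2_HOSTS):
                hits.append((line, host))
                break  # one hit per line is enough for triage
    return hits


if __name__ == "__main__":
    print("constructed bytes match reported hashes:",
          matches_known_sample(b"constructed placeholder, not the real sample"))
    for line, host in c2_hits(SAMPLE_DNS_LOG):
        print("C2 lookup:", host, "<-", line)
```

To check a real file, call `hash_file("archivo3.vbs")` and compare against `IOC_HASHES`; the suffix match in `c2_hits` is deliberate, since dynamic-DNS families like zapto.org are often used with rotating subdomains, and the trailing-dot strip handles logs that record fully qualified names.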

MITRE ATT&CK Enterprise v15

Tasks