latentbot

General

Target

inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe
Size

537KB
Sample

250114-q737ma1req
MD5

25eec63edf7c0eb8628a89712b5cb363
SHA1

4e8d586a950492c30147b7d56bcfad49cd577966
SHA256

e075807417590255de4d395fa3dfbc336e88c96bbab8afca1d5e5d5abbac0237
SHA512

086feb119e2a02f2fd7afc45c422f9b472f049eb2e79f83769f25254d88a84086275d2cff1e891d360ea57978292cd0caf958e4000cd659ac532165e1f881dfb
SSDEEP

6144:UnPdudwDCVOCg2G4A+uxXCpzna3MSzy99s5sbro5kd+B4hJ1QQsSGuhkrpzOUlec:UnPdMg2H8SpzaThHy7mzOUlvnVMs3e+

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

Manifest

C2

linktreewealth.zapto.org:3980

linktreewealth.zapto.org:3981

linktreewealthy.zapto.org:3980

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-0B1XIG
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

latentbot

C2

linktreewealth.zapto.org

Targets

- Target
  
  inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe
- Size
  
  537KB
- MD5
  
  25eec63edf7c0eb8628a89712b5cb363
- SHA1
  
  4e8d586a950492c30147b7d56bcfad49cd577966
- SHA256
  
  e075807417590255de4d395fa3dfbc336e88c96bbab8afca1d5e5d5abbac0237
- SHA512
  
  086feb119e2a02f2fd7afc45c422f9b472f049eb2e79f83769f25254d88a84086275d2cff1e891d360ea57978292cd0caf958e4000cd659ac532165e1f881dfb
- SSDEEP
  
  6144:UnPdudwDCVOCg2G4A+uxXCpzna3MSzy99s5sbro5kd+B4hJ1QQsSGuhkrpzOUlec:UnPdMg2H8SpzaThHy7mzOUlvnVMs3e+
Score

10^/10

latentbot remcos manifest collection discovery persistence rat spyware stealer trojan
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- Latentbot family
  latentbot
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  4add245d4ba34b04f213409bfe504c07
- SHA1
  
  ef756d6581d70e87d58cc4982e3f4d18e0ea5b09
- SHA256
  
  9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706
- SHA512
  
  1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d
- SSDEEP
  
  192:VjHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZv0QPi:B/Qlt7wiij/lMRv/9V4bvr
Score

3^/10

discovery
behavioral3 behavioral4