Overview

overview

10

Static

static

3

2025-01-26...ch.exe

windows7-x64

10

2025-01-26...ch.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    26-01-2025 01:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-01-26_221a88df8b81317b16c83c23a377fafc_frostygoop_luca-stealer_snatch.exe

  • Size

    5.3MB

  • MD5

    221a88df8b81317b16c83c23a377fafc

  • SHA1

    d8f87ff4459de5f6722efd374f10d9389fb4b1cf

  • SHA256

    4e67bb7a28b872d14749968f75cd954ca1506ceb91be8e8d8b4b930aa387134a

  • SHA512

    0a1f3f70e0bbadac921343dc72d1ac66494acbaf0e9cad5cc43a71f1c3406da6c0f36a4401dfde8383b6d010988dbfd42a4418155fff33be756d80dbf679993e

  • SSDEEP

    98304:a3qGL7+Z2+G7R5jHQ3h6uX8vKv4d94cS73Zz/Ocknja:aqC7+Z2+sYUAEF2V35/OcS

Score
10/10
latentbotcredential_accessdefense_evasiondiscoveryspywarestealertrojanupx

Malware Config

Extracted

Family

latentbot

C2

36123623672437247.zapto.org

Signatures

  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

    trojanlatentbot
  • Latentbot family
    latentbot
  • Enumerates VirtualBox DLL files 2 TTPs 10 IoCs
  • Looks for VirtualBox drivers on disk 2 TTPs 4 IoCs
    defense_evasion
  • Looks for VirtualBox executables on disk 2 TTPs 3 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-26_221a88df8b81317b16c83c23a377fafc_frostygoop_luca-stealer_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-26_221a88df8b81317b16c83c23a377fafc_frostygoop_luca-stealer_snatch.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Windows\system32\cmd.exe
      cmd.exe /C start /b C:\Users\Admin\AppData\Local\Temp\973d6eb4-0334-7589-203f-ba9fca281406.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2472
      • C:\Users\Admin\AppData\Local\Temp\973d6eb4-0334-7589-203f-ba9fca281406.exe
        C:\Users\Admin\AppData\Local\Temp\973d6eb4-0334-7589-203f-ba9fca281406.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of WriteProcessMemory
        PID:832
        • C:\Windows\svchost.exe
          "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\973d6eb4-0334-7589-203f-ba9fca281406.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1476
          • C:\Users\Admin\AppData\Local\Temp\973d6eb4-0334-7589-203f-ba9fca281406.exe
            "C:\Users\Admin\AppData\Local\Temp\973d6eb4-0334-7589-203f-ba9fca281406.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2156
            • C:\Users\Admin\AppData\Local\Microsoft\SgrmBroker.exe
              "C:\Users\Admin\AppData\Local\Microsoft\SgrmBroker.exe"
              6⤵
              • Enumerates VirtualBox DLL files
              • Looks for VirtualBox drivers on disk
              • Looks for VirtualBox executables on disk
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2680
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Microsoft\SgrmBroker.exe
                7⤵
                  PID:2292
              • C:\Users\Admin\AppData\Local\Microsoft\PasswordDecoder.exe
                "C:\Users\Admin\AppData\Local\Microsoft\PasswordDecoder.exe"
                6⤵
                • Executes dropped EXE
                PID:2808
    • C:\Windows\svchost.exe
      C:\Windows\svchost.exe
      1⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:2676

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\edgB55Beff1d.tmp
      Filesize

      74B

      MD5

      d105e96405c6ad6217f9b7035305eeb7

      SHA1

      d39f8e9b4d9dc82bd2287858cfa1be55144ba6e6

      SHA256

      9cf16cf49fcc827461ec6c94faedd37e61b34eaef073cf5bd1ac132a9310e0c1

      SHA512

      cf12974e5474c96aa796e432d2e6dd934fcbe17a6c03d6bd815d10c76714740fa5c680429ef14aa1772021f3eefb949e1ca37fcb1643e8dd781c4751f704da6b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\973d6eb4-0334-7589-203f-ba9fca281406.exe
      Filesize

      3.7MB

      MD5

      7c1dbeaf7261a5002acfcabb1cebbc03

      SHA1

      4af995c6114bf0031435c5314cfb26d4a68996ad

      SHA256

      628a3dc57e18f7f9d406eb5b90833dbc54654c8eccdb661be8a0a31b09d1e0cd

      SHA512

      b18130959299c8201bc26d905e6c702d0f6c8a137ec45b9001323699f4ef8331e437c47bd02abcc9d9179063b5221e8c2ed8af7e4b8dc2b91ac265433e29d46a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\973d6eb4-0334-7589-203f-ba9fca281406.exe
      Filesize

      3.6MB

      MD5

      dcdb85932e6e81c56c5d2d7517c8acf6

      SHA1

      cf6f6224224e1627a23eccbe8f843c1f9b1101ab

      SHA256

      68f2d440ccf6e893c39b60390412e2d1ae1a3f724b02c74498a61fae4f557068

      SHA512

      474d6caad198a2cc65476df2999532e6f65004ffd9bf8096def70393453b5e3dcaa3051e5616c09548c8a0f59e819b39dc040be82dceacfe85cab7fbd4e5279f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\973d6eb4-0334-7589-203f-ba9fca281406.exe
      Filesize

      3.6MB

      MD5

      602691bb886b7af853d18121031f8d3f

      SHA1

      9a427c9df07a1fd92892bb1d0aa7088e06950384

      SHA256

      d0e40c8a3586cf1d6ff51ab8e7b538f846119c6a0680671a798fd299b11fd040

      SHA512

      d03125a43802626f3b78f70204de6a0a389812e159906e44ac25de641cd563e129d471d88736cb53d47132848dd0d478ff59b7d1f95c37b2b85724d01f7004bc

      Download Submit

    • C:\Users\Admin\AppData\Roaming\7754076373.zip
      Filesize

      251KB

      MD5

      ff1ef1f7402dbe8c48c43c4bb227d6c9

      SHA1

      dab3da74ab196beedd3bfb1067050d09bbb94821

      SHA256

      36cb921414c0179bdaf6a36b4b1f7293a3e9c32a5a98108ea4531737d35355b6

      SHA512

      451f27e315c5cc23318e2d2e5faba0c70ac7c93760df39bcc415ee01a44af6d47d16324dca870dffa4f1b15bf577b262dc151e63c7c5ede00e2057c4b1932079

      Download Submit

    • C:\Users\Admin\AppData\Roaming\7754076373\a.txt
      Filesize

      79B

      MD5

      017fac5294daf5668189b4c27b434046

      SHA1

      b57f0db88938f233f41ac7071bce951f8448f8c7

      SHA256

      9acfec1326d4b9ec91f11e6c0add0ffb97604ec8df9daa567e2079a6fd4797cc

      SHA512

      a8c40c956585006d340a59347b5a232eb05402612f4ebc5311b7bd62163ef3743fb798c9446987e8c4936a6bb45f59139ca54db49238606a811cfcf23d5bd91b

      Download Submit

    • C:\Windows\svchost.exe
      Filesize

      35KB

      MD5

      9e3c13b6556d5636b745d3e466d47467

      SHA1

      2ac1c19e268c49bc508f83fe3d20f495deb3e538

      SHA256

      20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

      SHA512

      5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

      Download Submit

    • \Users\Admin\AppData\Local\Microsoft\PasswordDecoder.exe
      Filesize

      1.4MB

      MD5

      76d3246a3f8a02f193f979c5dd7ec752

      SHA1

      d7f4aab2a849cd2e1f18f9cf08ef43e450126f14

      SHA256

      068552717ffe55457cd20ebd723be3f471d04879a04c14b679eaa0a321ebbcc4

      SHA512

      285a3732459c588a251a0971c6cdf224a0f5b467f90d339d8b1c39c7c6daded1fdb9cfeef13872e3a893bfcf0f236f3355d5a8ef24057daaeb914a08a4719b52

      Download Submit

    • \Users\Admin\AppData\Local\Microsoft\SgrmBroker.exe
      Filesize

      3.3MB

      MD5

      83d058947260839070f365746d7ce1fc

      SHA1

      f9767615fbc6d316fc35ffaeb272910336291f5c

      SHA256

      502a7f750550d7b80296b7ebed254245646233f4acdcdb274902524f9fa43c6e

      SHA512

      04bfbb68450c28861724a8df895bd4e272f568559ff4e5d07e19db498f4c9e69d276fd78a4cd6269a4b67f5edaa2510a6ac5f020b615e2baadc0a96898363d14

      Download Submit

    • memory/832-8-0x0000000000400000-0x000000000040D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/1476-21-0x0000000000400000-0x000000000040D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/2156-34-0x0000000002E50000-0x000000000350D000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/2676-75-0x0000000000400000-0x000000000040D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/2676-288-0x0000000000400000-0x000000000040D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/2680-77-0x0000000000360000-0x0000000000A1D000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/2680-226-0x0000000000360000-0x0000000000A1D000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/2680-110-0x0000000000360000-0x0000000000A1D000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/2680-127-0x0000000000360000-0x0000000000A1D000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/2680-144-0x0000000000360000-0x0000000000A1D000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/2680-161-0x0000000000360000-0x0000000000A1D000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/2680-173-0x0000000000360000-0x0000000000A1D000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/2680-195-0x0000000000360000-0x0000000000A1D000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/2680-209-0x0000000000360000-0x0000000000A1D000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/2680-93-0x0000000000360000-0x0000000000A1D000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/2680-243-0x0000000000360000-0x0000000000A1D000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/2680-255-0x0000000000360000-0x0000000000A1D000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/2680-277-0x0000000000360000-0x0000000000A1D000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/2680-76-0x0000000000360000-0x0000000000A1D000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/2680-289-0x0000000000360000-0x0000000000A1D000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/2680-61-0x0000000000360000-0x0000000000A1D000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/2680-305-0x0000000000360000-0x0000000000A1D000-memory.dmp

      Filesize

      6.7MB

      Download