Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-01-2025 01:04

General

  • Target

    2025-01-26_221a88df8b81317b16c83c23a377fafc_frostygoop_luca-stealer_snatch.exe

  • Size

    5.3MB

  • MD5

    221a88df8b81317b16c83c23a377fafc

  • SHA1

    d8f87ff4459de5f6722efd374f10d9389fb4b1cf

  • SHA256

    4e67bb7a28b872d14749968f75cd954ca1506ceb91be8e8d8b4b930aa387134a

  • SHA512

    0a1f3f70e0bbadac921343dc72d1ac66494acbaf0e9cad5cc43a71f1c3406da6c0f36a4401dfde8383b6d010988dbfd42a4418155fff33be756d80dbf679993e

  • SSDEEP

    98304:a3qGL7+Z2+G7R5jHQ3h6uX8vKv4d94cS73Zz/Ocknja:aqC7+Z2+sYUAEF2V35/OcS

Malware Config

Extracted

Family

latentbot

C2

36123623672437247.zapto.org

Signatures

  • LatentBot

    Modular trojan written in Delphi that has been in the wild since 2013.

  • Latentbot family
  • Enumerates VirtualBox DLL files 2 TTPs 10 IoCs
  • Looks for VirtualBox drivers on disk 2 TTPs 4 IoCs
  • Looks for VirtualBox executables on disk 2 TTPs 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 6 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • UPX packed file 17 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-26_221a88df8b81317b16c83c23a377fafc_frostygoop_luca-stealer_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-26_221a88df8b81317b16c83c23a377fafc_frostygoop_luca-stealer_snatch.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Windows\system32\cmd.exe
      cmd.exe /C start /b C:\Users\Admin\AppData\Local\Temp\a2f824af-08df-ba07-c7e2-fae07c6ad8c6.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4568
      • C:\Users\Admin\AppData\Local\Temp\a2f824af-08df-ba07-c7e2-fae07c6ad8c6.exe
        C:\Users\Admin\AppData\Local\Temp\a2f824af-08df-ba07-c7e2-fae07c6ad8c6.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4868
        • C:\Windows\svchost.exe
          "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\a2f824af-08df-ba07-c7e2-fae07c6ad8c6.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4740
          • C:\Users\Admin\AppData\Local\Temp\a2f824af-08df-ba07-c7e2-fae07c6ad8c6.exe
            "C:\Users\Admin\AppData\Local\Temp\a2f824af-08df-ba07-c7e2-fae07c6ad8c6.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3468
            • C:\Users\Admin\AppData\Local\Microsoft\SgrmBroker.exe
              "C:\Users\Admin\AppData\Local\Microsoft\SgrmBroker.exe"
              6⤵
              • Enumerates VirtualBox DLL files
              • Looks for VirtualBox drivers on disk
              • Looks for VirtualBox executables on disk
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:1596
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Microsoft\SgrmBroker.exe
                7⤵
                  PID:3792
              • C:\Users\Admin\AppData\Local\Microsoft\PasswordDecoder.exe
                "C:\Users\Admin\AppData\Local\Microsoft\PasswordDecoder.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:4712
    • C:\Windows\svchost.exe
      C:\Windows\svchost.exe
      1⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:3620

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\PasswordDecoder.exe

      Filesize

      1.4MB

      MD5

      76d3246a3f8a02f193f979c5dd7ec752

      SHA1

      d7f4aab2a849cd2e1f18f9cf08ef43e450126f14

      SHA256

      068552717ffe55457cd20ebd723be3f471d04879a04c14b679eaa0a321ebbcc4

      SHA512

      285a3732459c588a251a0971c6cdf224a0f5b467f90d339d8b1c39c7c6daded1fdb9cfeef13872e3a893bfcf0f236f3355d5a8ef24057daaeb914a08a4719b52

    • C:\Users\Admin\AppData\Local\Microsoft\SgrmBroker.exe

      Filesize

      3.3MB

      MD5

      83d058947260839070f365746d7ce1fc

      SHA1

      f9767615fbc6d316fc35ffaeb272910336291f5c

      SHA256

      502a7f750550d7b80296b7ebed254245646233f4acdcdb274902524f9fa43c6e

      SHA512

      04bfbb68450c28861724a8df895bd4e272f568559ff4e5d07e19db498f4c9e69d276fd78a4cd6269a4b67f5edaa2510a6ac5f020b615e2baadc0a96898363d14

    • C:\Users\Admin\AppData\Local\Microsoft\edgB55Beff1d.tmp

      Filesize

      74B

      MD5

      2cb14b14b92fb3e59788c3ada81c0e82

      SHA1

      fd6e460b7bb95b6f2f46572357d37bf5a2392f8a

      SHA256

      957b8e60865dd7c77e20b1a38209946daba89764bb86d0d287f126b51af74f47

      SHA512

      6e942703aaa20af8e0068ed45b39251474f6e34bdb1417b969613023a2da386419b01797d770a420470f074e5af666193b7978574f485146f816fac5c81b6447

    • C:\Users\Admin\AppData\Local\Temp\a2f824af-08df-ba07-c7e2-fae07c6ad8c6.exe

      Filesize

      3.6MB

      MD5

      dcdb85932e6e81c56c5d2d7517c8acf6

      SHA1

      cf6f6224224e1627a23eccbe8f843c1f9b1101ab

      SHA256

      68f2d440ccf6e893c39b60390412e2d1ae1a3f724b02c74498a61fae4f557068

      SHA512

      474d6caad198a2cc65476df2999532e6f65004ffd9bf8096def70393453b5e3dcaa3051e5616c09548c8a0f59e819b39dc040be82dceacfe85cab7fbd4e5279f

    • C:\Users\Admin\AppData\Local\Temp\a2f824af-08df-ba07-c7e2-fae07c6ad8c6.exe

      Filesize

      3.6MB

      MD5

      602691bb886b7af853d18121031f8d3f

      SHA1

      9a427c9df07a1fd92892bb1d0aa7088e06950384

      SHA256

      d0e40c8a3586cf1d6ff51ab8e7b538f846119c6a0680671a798fd299b11fd040

      SHA512

      d03125a43802626f3b78f70204de6a0a389812e159906e44ac25de641cd563e129d471d88736cb53d47132848dd0d478ff59b7d1f95c37b2b85724d01f7004bc

    • C:\Users\Admin\AppData\Roaming\413441142.zip

      Filesize

      94KB

      MD5

      ec4b560221fd3bf375882318c6f82769

      SHA1

      ba6010fa67ff68cf65eb38a2b48ea99fac03e2c1

      SHA256

      c08855356a964da9abddb09ef0f75445d137cb9e38539af05736db90ddb89382

      SHA512

      dfd71d0671b85300199eb666acff5e351f85ece0734e96c9db4466e055ed6bc9d3c7fabb4decf1107e4a844702d6356b8c2877e73fa4469599e5647cc8e3351b

    • C:\Users\Admin\AppData\Roaming\413441142\a.txt

      Filesize

      38B

      MD5

      4e9025c584b6503261b8c317aa835513

      SHA1

      0a99174343f9ce1cece0b8e0e202c5118d244827

      SHA256

      68a6be99e5b5c39b57fe0ff82c9e6e8b638487b725bb80cfda678df0b39e55f0

      SHA512

      b65cb9d0d5b6908080bc0b8a9c62f8bedcabbdda0582d2c34b9520f229d5368d59af4734592de6275b04210e814267e949c5ddd1211f95f782cddf529c6b6825

    • C:\Windows\svchost.exe

      Filesize

      35KB

      MD5

      9e3c13b6556d5636b745d3e466d47467

      SHA1

      2ac1c19e268c49bc508f83fe3d20f495deb3e538

      SHA256

      20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

      SHA512

      5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

    • memory/1596-<N>-0x0000000000460000-0x0000000000B1D000-memory.dmp

      16 snapshots of the same region, N = 33, 69, 81, 93, 105, 122, 134, 146, 160, 173, 185, 197, 209, 221, 233, 239

      Filesize

      6.7MB

    • memory/3620-<N>-0x0000000000400000-0x000000000040D000-memory.dmp

      4 snapshots of the same region, N = 68, 80, 129, 208

      Filesize

      52KB

    • memory/4740-14-0x0000000000400000-0x000000000040D000-memory.dmp

      Filesize

      52KB

    • memory/4868-8-0x0000000000400000-0x000000000040D000-memory.dmp

      Filesize

      52KB