latentbot

General

Target

a0afd97f96d8f8eae7f077296301e102a8e85a06daf09920c92e7b203c5e3236
Size

2.1MB
Sample

250128-m5xehszkbn
MD5

4539a5d184def6cb13472c306ecc9288
SHA1

db4895027c9c37ce712f4c6f74aa1499034a25e0
SHA256

a0afd97f96d8f8eae7f077296301e102a8e85a06daf09920c92e7b203c5e3236
SHA512

59abd68e8ea3bde6607d0a5bf7a6a2c0d9860a20bc9c869cea158c75a8e86e2a8ed53599c48ee65b26fbc1d38dea84ab28ddbdf48c416b7311184cbccacf9c06
SSDEEP

49152:B+V+zg3tk0spQsyXJEvYb9eO5Ragd+LMu8XRTU/casY:W3tSp4Jrl4qr16zsY

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Noah

C2

creditagricole.zapto.org:4444

Mutex

35b7f2fc-d3c2-4c55-949a-438b2c403cbf

Attributes

encryption_key
482EAF21E4E65641294432E5F419F7A5A916811B
install_name
CACert.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Credit Agricole Cert
subdirectory
SubDir

Extracted

Family

latentbot

C2

creditagricole.zapto.org

Targets

- Target
  
  CACert/CACert.exe
- Size
  
  3.1MB
- MD5
  
  66c0c400c027e476edc8452c4355150c
- SHA1
  
  2212e14ea0ec4393046217f837b107d20274c618
- SHA256
  
  d4422da00365e99fb49c83f31d2ea50f1a041d7fdda218c6823ee26491221924
- SHA512
  
  10908a0bf8f29a5690e6d6626421516af61070bb5b12568f255318c066956dd9f36f98802a91e9ef03466f045873711c7d6e368221b7d67e36b7827559652a53
- SSDEEP
  
  49152:KvyI22SsaNYfdPBldt698dBcjHpND6kCWZLoGUqnTHHB72eh2NT:Kvf22SsaNYfdPBldt6+dBcjHpNDTp
Score

10^/10

latentbot quasar noah discovery spyware trojan
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- Latentbot family
  latentbot
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral1 behavioral2
- Target
  
  CACert/Credit Agricole Certification.exe
- Size
  
  968KB
- MD5
  
  6e1592f76cea09a8e35cb57f8f54c20f
- SHA1
  
  8af95927365234e401b235061c2b5c6d92dfbaf0
- SHA256
  
  7d492b7adaea0d7f7ce37d659b7fed9433338cd2acacba701f998350b06a5641
- SHA512
  
  a9fee5ab6645bc2b669240e0ad8ee6a023b266042042bb79799a13db7b8d523aaed18ba23a224d3779843205927208b3d8887eeb3774f5b146a46e235496e80e
- SSDEEP
  
  12288:DiacNrbNoAo5tv3PXxORQe01era+KfjCxiGC7tmImqNXpili3udAx0Eg5Wt7:maKrudv/hO9mtjII7XmMo0sEg5Y
Score

10^/10

latentbot quasar noah discovery execution spyware trojan
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- Latentbot family
  latentbot
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral3 behavioral4