latentbot | 5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7 | Triage

Submit
Reports

Overview

overview

Static

static

3

5f18826cd7...d7.exe

windows7-x64

5f18826cd7...d7.exe

windows10-2004-x64

Sharing

General

Target

5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7
Size

2.2MB
Sample

240630-1w7e1swhqc
MD5

06997ceb77cdac46e7aa0a2b3118d934
SHA1

0a2e22ca70689713ad5e8ff815961c3f0ff0ca10
SHA256

5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7
SHA512

856535375dc131b26abe76b208be28b3eeff228fa915a160fee66c87170a5acdb38105023f1b05763bded22080b9763085949abe05d6b072b7f35adca45801a1
SSDEEP

49152:ovLjxFr5Fqvwv9ptGBHHzWEIYhZDsxiWuoEVW0GTRCi:oXzFY4oVHJI6wxiWuonTb

Score

10^/10

latentbot xworm execution persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe

Resource

win7-20240419-en

latentbot xworm execution persistence rat trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7.exe

Resource

win10v2004-20240611-en

latentbot xworm execution persistence rat trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

knafamangobaron.zapto.org:7772

Mutex

WoIbp5XytzY0fGCF

Attributes

Install_directory
%AppData%
install_file
services.exe
telegram
https://api.telegram.org/bot5602298119:AAHsNAsC7Crzr-9zE1g6BP6nNtexJHWMyVM/sendMessage?chat_id=1154383031

aes.plain

Extracted

Family

latentbot

C2

knafamangobaron.zapto.org

Targets

- Target
  
  5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7
- Size
  
  2.2MB
- MD5
  
  06997ceb77cdac46e7aa0a2b3118d934
- SHA1
  
  0a2e22ca70689713ad5e8ff815961c3f0ff0ca10
- SHA256
  
  5f18826cd701320b56933d7e9d43186601a69416838331d60b20f12a262e5dd7
- SHA512
  
  856535375dc131b26abe76b208be28b3eeff228fa915a160fee66c87170a5acdb38105023f1b05763bded22080b9763085949abe05d6b072b7f35adca45801a1
- SSDEEP
  
  49152:ovLjxFr5Fqvwv9ptGBHHzWEIYhZDsxiWuoEVW0GTRCi:oXzFY4oVHJI6wxiWuonTb
Score

10^/10

latentbot xworm execution persistence rat trojan
- Detect Xworm Payload
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

latentbotxwormexecutionpersistencerattrojan

behavioral2

latentbotxwormexecutionpersistencerattrojan

© 2018-2024

Terms | Privacy