SYMBOLCOMMON_NAMEaka. SYNONYMS
win.latentbot (Back to overview)

LatentBot


There is no description at this point.

References
2017-06-08MalwarebytesMalwarebytes
@online{malwarebytes:20170608:latentbot:9f46488, author = {Malwarebytes}, title = {{LatentBot piece by piece}}, date = {2017-06-08}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/}, language = {English}, urldate = {2019-11-16} } LatentBot piece by piece
LatentBot
2017-04-25Malware Traffic AnalysisBrian Duncan
@online{duncan:20170425:20170425:dfd0f09, author = {Brian Duncan}, title = {{2017-04-25 - "GOOD MAN" CAMPAIGN RIG EK SENDS LATENTBOT}}, date = {2017-04-25}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/04/25/index.html}, language = {English}, urldate = {2019-11-29} } 2017-04-25 - "GOOD MAN" CAMPAIGN RIG EK SENDS LATENTBOT
LatentBot
2016-05-12CERT.PLKamil Frankowicz
@online{frankowicz:20160512:latentbot:9506f35, author = {Kamil Frankowicz}, title = {{LatentBot – modularny i silnie zaciemniony bot}}, date = {2016-05-12}, organization = {CERT.PL}, url = {https://www.cert.pl/news/single/latentbot-modularny-i-silnie-zaciemniony-bot/}, language = {Polish}, urldate = {2019-12-18} } LatentBot – modularny i silnie zaciemniony bot
LatentBot
2015-12-11FireEyeDaniel Regalado, Taha Karim
@online{regalado:20151211:latentbot:76a6ff3, author = {Daniel Regalado and Taha Karim}, title = {{LATENTBOT: Trace Me If You Can}}, date = {2015-12-11}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html}, language = {English}, urldate = {2019-12-20} } LATENTBOT: Trace Me If You Can
LatentBot
2015-11-02CyS CentrumCyS Centrum Incident Response Team
@online{team:20151102:modular:7726996, author = {CyS Centrum Incident Response Team}, title = {{Modular trojan for hidden access to a computer}}, date = {2015-11-02}, organization = {CyS Centrum}, url = {https://cys-centrum.com/ru/news/module_trojan_for_unauthorized_access}, language = {Russian}, urldate = {2020-01-08} } Modular trojan for hidden access to a computer
LatentBot
Yara Rules
[TLP:WHITE] win_latentbot_auto (20220411 | Detects win.latentbot.)
rule win_latentbot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.latentbot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.latentbot"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e9???????? 33c0 40 e9???????? 8b87f42a0000 3bc3 745f }
            // n = 7, score = 100
            //   e9????????           |                     
            //   33c0                 | xor                 eax, eax
            //   40                   | inc                 eax
            //   e9????????           |                     
            //   8b87f42a0000         | mov                 eax, dword ptr [edi + 0x2af4]
            //   3bc3                 | cmp                 eax, ebx
            //   745f                 | je                  0x61

        $sequence_1 = { 59 eb0d 6a64 e8???????? 59 3975f8 74f3 }
            // n = 7, score = 100
            //   59                   | pop                 ecx
            //   eb0d                 | jmp                 0xf
            //   6a64                 | push                0x64
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   3975f8               | cmp                 dword ptr [ebp - 8], esi
            //   74f3                 | je                  0xfffffff5

        $sequence_2 = { 682513471a 6aff 8945f4 e8???????? 8bd8 8d8520fdffff 50 }
            // n = 7, score = 100
            //   682513471a           | push                0x1a471325
            //   6aff                 | push                -1
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   e8????????           |                     
            //   8bd8                 | mov                 ebx, eax
            //   8d8520fdffff         | lea                 eax, dword ptr [ebp - 0x2e0]
            //   50                   | push                eax

        $sequence_3 = { 686888e3a2 56 89453c e8???????? 68b4d26883 56 89452c }
            // n = 7, score = 100
            //   686888e3a2           | push                0xa2e38868
            //   56                   | push                esi
            //   89453c               | mov                 dword ptr [ebp + 0x3c], eax
            //   e8????????           |                     
            //   68b4d26883           | push                0x8368d2b4
            //   56                   | push                esi
            //   89452c               | mov                 dword ptr [ebp + 0x2c], eax

        $sequence_4 = { 52 6a40 51 6a01 56 51 }
            // n = 6, score = 100
            //   52                   | push                edx
            //   6a40                 | push                0x40
            //   51                   | push                ecx
            //   6a01                 | push                1
            //   56                   | push                esi
            //   51                   | push                ecx

        $sequence_5 = { 897c2438 6639142500000000 7408 ffc2 66393c12 75f8 }
            // n = 6, score = 100
            //   897c2438             | mov                 dword ptr [esp + 0x38], edi
            //   6639142500000000     | cmp                 word ptr [0], dx
            //   7408                 | je                  0xa
            //   ffc2                 | inc                 edx
            //   66393c12             | cmp                 word ptr [edx + edx], di
            //   75f8                 | jne                 0xfffffffa

        $sequence_6 = { 41 57 48 81ec40030000 41 }
            // n = 5, score = 100
            //   41                   | inc                 ecx
            //   57                   | push                edi
            //   48                   | dec                 eax
            //   81ec40030000         | sub                 esp, 0x340
            //   41                   | inc                 ecx

        $sequence_7 = { c7454802000000 c70609000000 e9???????? f6457c02 0f8421020000 c7454801000000 c70626000000 }
            // n = 7, score = 100
            //   c7454802000000       | mov                 dword ptr [ebp + 0x48], 2
            //   c70609000000         | mov                 dword ptr [esi], 9
            //   e9????????           |                     
            //   f6457c02             | test                byte ptr [ebp + 0x7c], 2
            //   0f8421020000         | je                  0x227
            //   c7454801000000       | mov                 dword ptr [ebp + 0x48], 1
            //   c70626000000         | mov                 dword ptr [esi], 0x26

        $sequence_8 = { 8945d0 c745e001000000 895de8 395f04 767c 8d87d8000000 }
            // n = 6, score = 100
            //   8945d0               | mov                 dword ptr [ebp - 0x30], eax
            //   c745e001000000       | mov                 dword ptr [ebp - 0x20], 1
            //   895de8               | mov                 dword ptr [ebp - 0x18], ebx
            //   395f04               | cmp                 dword ptr [edi + 4], ebx
            //   767c                 | jbe                 0x7e
            //   8d87d8000000         | lea                 eax, dword ptr [edi + 0xd8]

        $sequence_9 = { 3b4f04 72a7 eb18 6800800000 8d45fc }
            // n = 5, score = 100
            //   3b4f04               | cmp                 ecx, dword ptr [edi + 4]
            //   72a7                 | jb                  0xffffffa9
            //   eb18                 | jmp                 0x1a
            //   6800800000           | push                0x8000
            //   8d45fc               | lea                 eax, dword ptr [ebp - 4]

    condition:
        7 of them and filesize < 401408
}
Download all Yara Rules