LatentBot (Malware Family)

LatentBot

VTCollection

FireEye describes this malware as a highly obfuscated bot that has been in the wild since mid-2013. It has managed to leave hardly any traces on the Internet, is capable of watching its victims without ever being noticed, and can even corrupt a hard disk, thus making a PC useless.

Using Dynamic Threat Intelligence, they have observed multiple campaigns targeting multiple industries in the United States, United Kingdom, South Korea, Brazil, United Arab Emirates, Singapore, Canada, Peru and Poland – primarily in the financial services and insurance sectors. Although the infection strategy is not new, the final payload dropped – which they named LATENTBOT – caught attention since it implements several layers of obfuscation, a unique exfiltration mechanism, and has been very successful at infecting multiple organizations.

References

2017-06-08 ⋅ Malwarebytes ⋅ Malwarebytes
LatentBot piece by piece
LatentBot

2017-04-25 ⋅ Malware Traffic Analysis ⋅ Brian Duncan
2017-04-25 - "GOOD MAN" CAMPAIGN RIG EK SENDS LATENTBOT
LatentBot

2016-05-12 ⋅ ⋅ CERT.PL ⋅ Kamil Frankowicz
LatentBot – modularny i silnie zaciemniony bot
LatentBot

2015-12-11 ⋅ FireEye ⋅ Daniel Regalado, Taha Karim
LATENTBOT: Trace Me If You Can
LatentBot

2015-11-02 ⋅ ⋅ CyS Centrum ⋅ CyS Centrum Incident Response Team
Modular trojan for hidden access to a computer
LatentBot

Yara Rules

[TLP:WHITE] win_latentbot_auto (20260504 | Detects win.latentbot.)

rule win_latentbot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.latentbot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.latentbot"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { d1e8 894618 0f847d0a0000 83f803 0f846d0d0000 83f801 }
            // n = 6, score = 100
            //   d1e8                 | shr                 eax, 1
            //   894618               | mov                 dword ptr [esi + 0x18], eax
            //   0f847d0a0000         | je                  0xa83
            //   83f803               | cmp                 eax, 3
            //   0f846d0d0000         | je                  0xd73
            //   83f801               | cmp                 eax, 1

        $sequence_1 = { 83e007 ff454c 888431801b0000 e9???????? 8bf8 81e7ff030000 }
            // n = 6, score = 100
            //   83e007               | and                 eax, 7
            //   ff454c               | inc                 dword ptr [ebp + 0x4c]
            //   888431801b0000       | mov                 byte ptr [ecx + esi + 0x1b80], al
            //   e9????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   81e7ff030000         | and                 edi, 0x3ff

        $sequence_2 = { c21000 55 8bec 83ec2c 8365ec00 686a79fa99 }
            // n = 6, score = 100
            //   c21000               | ret                 0x10
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec2c               | sub                 esp, 0x2c
            //   8365ec00             | and                 dword ptr [ebp - 0x14], 0
            //   686a79fa99           | push                0x99fa796a

        $sequence_3 = { ff542460 8364244400 8d442428 89442438 8d442460 8bc8 }
            // n = 6, score = 100
            //   ff542460             | call                dword ptr [esp + 0x60]
            //   8364244400           | and                 dword ptr [esp + 0x44], 0
            //   8d442428             | lea                 eax, [esp + 0x28]
            //   89442438             | mov                 dword ptr [esp + 0x38], eax
            //   8d442460             | lea                 eax, [esp + 0x60]
            //   8bc8                 | mov                 ecx, eax

        $sequence_4 = { 59 59 33c0 c3 55 8bec 83ec38 }
            // n = 7, score = 100
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   33c0                 | xor                 eax, eax
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec38               | sub                 esp, 0x38

        $sequence_5 = { 8d4c2420 48 8d942430010000 8a01 48 ffc1 44 }
            // n = 7, score = 100
            //   8d4c2420             | lea                 ecx, [esp + 0x20]
            //   48                   | dec                 eax
            //   8d942430010000       | lea                 edx, [esp + 0x130]
            //   8a01                 | mov                 al, byte ptr [ecx]
            //   48                   | dec                 eax
            //   ffc1                 | inc                 ecx
            //   44                   | inc                 esp

        $sequence_6 = { 8d4598 50 ff7508 ff5620 8d4598 50 ff7608 }
            // n = 7, score = 100
            //   8d4598               | lea                 eax, [ebp - 0x68]
            //   50                   | push                eax
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff5620               | call                dword ptr [esi + 0x20]
            //   8d4598               | lea                 eax, [ebp - 0x68]
            //   50                   | push                eax
            //   ff7608               | push                dword ptr [esi + 8]

        $sequence_7 = { c70100000000 c7410400000000 897114 89791c c7411028000000 c7410800000000 8bd0 }
            // n = 7, score = 100
            //   c70100000000         | mov                 dword ptr [ecx], 0
            //   c7410400000000       | mov                 dword ptr [ecx + 4], 0
            //   897114               | mov                 dword ptr [ecx + 0x14], esi
            //   89791c               | mov                 dword ptr [ecx + 0x1c], edi
            //   c7411028000000       | mov                 dword ptr [ecx + 0x10], 0x28
            //   c7410800000000       | mov                 dword ptr [ecx + 8], 0
            //   8bd0                 | mov                 edx, eax

        $sequence_8 = { 8b4d18 8b4550 0fb60c0a c16d5003 836d5803 83e007 ff454c }
            // n = 7, score = 100
            //   8b4d18               | mov                 ecx, dword ptr [ebp + 0x18]
            //   8b4550               | mov                 eax, dword ptr [ebp + 0x50]
            //   0fb60c0a             | movzx               ecx, byte ptr [edx + ecx]
            //   c16d5003             | shr                 dword ptr [ebp + 0x50], 3
            //   836d5803             | sub                 dword ptr [ebp + 0x58], 3
            //   83e007               | and                 eax, 7
            //   ff454c               | inc                 dword ptr [ebp + 0x4c]

        $sequence_9 = { c7062a000000 e9???????? 83654800 c70622000000 e9???????? c70628000000 e9???????? }
            // n = 7, score = 100
            //   c7062a000000         | mov                 dword ptr [esi], 0x2a
            //   e9????????           |                     
            //   83654800             | and                 dword ptr [ebp + 0x48], 0
            //   c70622000000         | mov                 dword ptr [esi], 0x22
            //   e9????????           |                     
            //   c70628000000         | mov                 dword ptr [esi], 0x28
            //   e9????????           |                     

    condition:
        7 of them and filesize < 401408
}

Download all Yara Rules

LatentBot Propose Change

References

Yara Rules

LatentBot