win.latentbot

LatentBot


FireEye describes this malware as a highly obfuscated bot that has been in the wild since mid-2013. It has managed to leave hardly any traces on the Internet, is capable of watching its victims without ever being noticed, and can even corrupt a hard disk, thus making a PC useless.

Using Dynamic Threat Intelligence, they have observed multiple campaigns targeting multiple industries in the United States, United Kingdom, South Korea, Brazil, United Arab Emirates, Singapore, Canada, Peru and Poland – primarily in the financial services and insurance sectors. Although the infection strategy is not new, the final payload dropped – which they named LATENTBOT – caught attention since it implements several layers of obfuscation, a unique exfiltration mechanism, and has been very successful at infecting multiple organizations.

References
2017-06-08, Malwarebytes (Malwarebytes): LatentBot piece by piece. https://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/ (English; retrieved 2019-11-16)
2017-04-25, Malware Traffic Analysis (Brian Duncan): 2017-04-25 - "GOOD MAN" CAMPAIGN RIG EK SENDS LATENTBOT. http://malware-traffic-analysis.net/2017/04/25/index.html (English; retrieved 2019-11-29)
2016-05-12, CERT.PL (Kamil Frankowicz): LatentBot – modularny i silnie zaciemniony bot (LatentBot: a modular and heavily obfuscated bot). https://www.cert.pl/news/single/latentbot-modularny-i-silnie-zaciemniony-bot/ (Polish; retrieved 2019-12-18)
2015-12-11, FireEye (Daniel Regalado, Taha Karim): LATENTBOT: Trace Me If You Can. https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html (English; retrieved 2019-12-20)
2015-11-02, CyS Centrum (CyS Centrum Incident Response Team): Modular trojan for hidden access to a computer. https://cys-centrum.com/ru/news/module_trojan_for_unauthorized_access (Russian; retrieved 2020-01-08)
Yara Rules
[TLP:WHITE] win_latentbot_auto (20230407 | Detects win.latentbot.)
rule win_latentbot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.latentbot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.latentbot"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 50 e8???????? 03f0 81fe00100000 72e8 }
            // n = 5, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   03f0                 | add                 esi, eax
            //   81fe00100000         | cmp                 esi, 0x1000
            //   72e8                 | jb                  0xffffffea

        $sequence_1 = { 33d2 3955f0 59 8b4e10 0f8c67feffff 837df001 }
            // n = 6, score = 100
            //   33d2                 | xor                 edx, edx
            //   3955f0               | cmp                 dword ptr [ebp - 0x10], edx
            //   59                   | pop                 ecx
            //   8b4e10               | mov                 ecx, dword ptr [esi + 0x10]
            //   0f8c67feffff         | jl                  0xfffffe6d
            //   837df001             | cmp                 dword ptr [ebp - 0x10], 1

        $sequence_2 = { 51 ff75dc ff75fc ffd0 85c0 0f8c4affffff 837d1801 }
            // n = 7, score = 100
            //   51                   | push                ecx
            //   ff75dc               | push                dword ptr [ebp - 0x24]
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ffd0                 | call                eax
            //   85c0                 | test                eax, eax
            //   0f8c4affffff         | jl                  0xffffff50
            //   837d1801             | cmp                 dword ptr [ebp + 0x18], 1

        $sequence_3 = { 8945fc 8b87f02a0000 b900800000 2bc8 894df8 8d4df8 51 }
            // n = 7, score = 100
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b87f02a0000         | mov                 eax, dword ptr [edi + 0x2af0]
            //   b900800000           | mov                 ecx, 0x8000
            //   2bc8                 | sub                 ecx, eax
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   8d4df8               | lea                 ecx, [ebp - 8]
            //   51                   | push                ecx

        $sequence_4 = { 0fb608 48 8d04ce 48 0300 ffd0 c3 }
            // n = 7, score = 100
            //   0fb608               | movzx               ecx, byte ptr [eax]
            //   48                   | dec                 eax
            //   8d04ce               | lea                 eax, [esi + ecx*8]
            //   48                   | dec                 eax
            //   0300                 | add                 eax, dword ptr [eax]
            //   ffd0                 | call                eax
            //   c3                   | ret                 

        $sequence_5 = { 44 8bc8 48 894c2450 4d 8b5a60 }
            // n = 6, score = 100
            //   44                   | inc                 esp
            //   8bc8                 | mov                 ecx, eax
            //   48                   | dec                 eax
            //   894c2450             | mov                 dword ptr [esp + 0x50], ecx
            //   4d                   | dec                 ebp
            //   8b5a60               | mov                 ebx, dword ptr [edx + 0x60]

        $sequence_6 = { e8???????? 685e26e0c7 56 89454c e8???????? 685c71e7cf 56 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   685e26e0c7           | push                0xc7e0265e
            //   56                   | push                esi
            //   89454c               | mov                 dword ptr [ebp + 0x4c], eax
            //   e8????????           |                     
            //   685c71e7cf           | push                0xcfe7715c
            //   56                   | push                esi

        $sequence_7 = { 7c0c 8a0419 880411 48 }
            // n = 4, score = 100
            //   7c0c                 | jl                  0xe
            //   8a0419               | mov                 al, byte ptr [ecx + ebx]
            //   880411               | mov                 byte ptr [ecx + edx], al
            //   48                   | dec                 eax

        $sequence_8 = { 8b4d44 8b4554 2bc8 83f902 7d7f 8b4550 }
            // n = 6, score = 100
            //   8b4d44               | mov                 ecx, dword ptr [ebp + 0x44]
            //   8b4554               | mov                 eax, dword ptr [ebp + 0x54]
            //   2bc8                 | sub                 ecx, eax
            //   83f902               | cmp                 ecx, 2
            //   7d7f                 | jge                 0x81
            //   8b4550               | mov                 eax, dword ptr [ebp + 0x50]

        $sequence_9 = { 83e101 2bd9 b98f040000 2bcb 8d0c4a 0fb719 6685db }
            // n = 7, score = 100
            //   83e101               | and                 ecx, 1
            //   2bd9                 | sub                 ebx, ecx
            //   b98f040000           | mov                 ecx, 0x48f
            //   2bcb                 | sub                 ecx, ebx
            //   8d0c4a               | lea                 ecx, [edx + ecx*2]
            //   0fb719               | movzx               ebx, word ptr [ecx]
            //   6685db               | test                bx, bx

    condition:
        7 of them and filesize < 401408
}