{
	"id": "88659952-f95c-42e0-9483-676329938396",
	"created_at": "2026-04-06T00:10:59.638963Z",
	"updated_at": "2026-04-10T13:11:57.68971Z",
	"deleted_at": null,
	"sha1_hash": "d6908be45e6bbe8d05932c61967195416538f61d",
	"title": "LatentBot piece by piece | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 826116,
	"plain_text": "LatentBot piece by piece | Malwarebytes Labs\r\nBy Malwarebytes Labs\r\nPublished: 2017-06-07 · Archived: 2026-04-05 18:59:36 UTC\r\nLatentBot is a multi-modular Trojan written in Delphi and known to have been around since 2013. Recently, we\r\ncaptured and dissected a sample distributed by RIG Exploit Kit.\r\nThe main executable is a persistent botnet agent which downloads additional modules and reports about the\r\nperformed activities to its Command and Control server. Depending on the modules that have been installed,\r\nLatentBot has various capabilities, including:\r\nAct as a keylogger and form grabber\r\nSteal cookies\r\nRun a Socks Proxy from the victim system\r\nGive remote access to the attacker (VNC / Remote Desktop)\r\nIn this post we will describe those modules by taking apart several layers of obfuscation and encryption in order\r\nto reveal their true nature.\r\nAnalyzed samples\r\n011077a7960fa1a7906323dbdc7e3807 – original sample, distributed in the campaign\r\n85dcf88487ea412fe4960494713eed6b – unpacked (loader)\r\n60c3232b90c773ed9c4990da7cc3bbdb – injected into svchost\r\ne105d87cb79ed668c8b62297259a4dbb – injected into iexplore\r\nDownloaded modules, injected into svchost:\r\ne3fb224201592c02b6250532e99416f0 – main module\r\nfcf8479361a24618c3e4aa552dccfc33 – module #1\r\n2268f50ac4bbd7002f6601568448e1d3 – module #2\r\nf461c9a2e1010aae1ad6ade8cf9396e5 – module #3\r\n5cb8d981574da528b5f65aa9b2163eb3 – module #4\r\n5803cab0bec92f21d3c3d22f7920eca0 – module #5\r\n5fd5b8ae1ae41a620a32f4ce96638ab9 – module #6\r\nBehavioral analysis\r\nAfter being deployed. the original sample installs itself and deletes the sample from the original location. It injects\r\ninto svchost the initial module (60c3232b90c773ed9c4990da7cc3bbdb). That module performs another injection\r\n(of module: b622a0b443f36d99d5595acd0f95ea0e)  – into Internet Explorer (iexplore.exe):\r\nhttps://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/\r\nPage 1 of 19\n\nThe module injected in the iexplore.exe process is responsible for establishing connection with the CnC and\r\ndownloading submodules.\r\nAt this stage, LatentBot creates two groups of registry keys:\r\n...SoftwareGoogleUpdatenetworksecure\r\nIn the key named “0” the initial PE file is stored:\r\nAnother, encrypted key is added under:\r\n...SoftwareAdobeAdobe Acrobat\r\nhttps://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/\r\nPage 2 of 19\n\nThe data under the key “in” is encrypted by a custom algorithm, typical for the LatentBot, that will be described\r\nfurther (it can be decoded by a dedicated application). After decoding, it gives the path where the malware\r\ninstalled itself, i.e.:\r\nC:UserstesterAppDataLocalMicrosoftWindowsshfdnoh.exe\r\nIf the CnC is active and the bot managed to download sub-modules, they are run injected into new instances of\r\nsvchost:\r\nThe main module is deployed with a parameter: -l MxN4ViazcD\r\nThis parameter specifies a group id where the bot belongs (also encrypted by Latent Bot’s custom crypto).\r\nMxN4ViazcD -\u003e Group 1\r\nAlso, the registry keys related to the new modules are added under:\r\n...SoftwareGoogleUpdatenetworksecure\r\nhttps://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/\r\nPage 3 of 19\n\nDecrypted names of the modules are very descriptive:\r\nFtUFJu5xP3C -\u003e formgrab hdtWD3zyxMpSQB -\u003e Bot_Engine l551X+rNDh3B4A -\u003e Found_Core QdG8eO0qHI8/Y1G -\u003e\r\nSome of the modules are collecting data on the victim machine, and saving them in the %TEMP% directory in\r\nencrypted form:\r\nFurther, they are being uploaded to the CnC.\r\nPersistence\r\nThe basic persistence of Latent Bot is simple. The initial sample is copied into:\r\nC[current user]AppDataLocalMicrosoftWindows.exe\r\nIt is executed on each system startup thanks to a simple Run key:\r\nOnce the main module is run, it is responsible for decrypting all the submodules from the registry and loading\r\nthem.\r\nNetwork communication\r\nThe bot starts communication with CnC by sending a beacon. If the beaconing went successfully, it starts to\r\ndownload additional modules in encrypted form. They are pretending to be .zip files:\r\nhttps://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/\r\nPage 4 of 19\n\nThe beacon is encoded by two algorithms: Latent’s custom encryption and then Base64:\r\nQWRsN2srdjlxUUdDYVp0aTBMUzl2cStzY0pOR3VkWlNtc3Q1VzduWlJ2SHZ6QjJhNEtuTFo3RUNobVlOKzJMbDE0TWxBUXR2NXdxe\r\nBase64 decoded:\r\nAdl7k+v9qQGCaZti0LS9vq+scJNGudZSmst5W7nZRvHvzB2a4KnLZ7EChmYN+2Ll14MlAQtv5wqzPmJMZx3Z5TeiWstUadnH+BppJ\r\nLatent custom decoded:\r\nforum?datael=US-70-789548274695\u0026ver=5015\u0026os=5\u0026acs=1\u0026x64=0\u0026gr=Group 1\u0026random=mxmgkuusrfqdotm\r\nAs we can see, it contains data about the infected machine, as well as the group name and a random token.\r\nHowever, not all the communication is encrypted. Some of the further requests are very verbose. Name of each\r\naction is identified by a string, in capital letters. Examples:\r\nhttps://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/\r\nPage 5 of 19\n\nClient beacons to the server by a HELLO command. In return, the CnC gives it a cookie that is further used as an\r\nID. The content posted between the client and the server is encrypted:\r\nhttps://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/\r\nPage 6 of 19\n\nAnalyzing the traffic, we can find that the bot sends to the CnC some stolen data, packed as Cabinet format. The\r\ncontent inside is encrypted by a custom encryption algorithm, typical  to LatentBot, that will be described later.\r\nThe file is uploaded using HTTP PUT method:\r\nhttps://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/\r\nPage 7 of 19\n\nInside\r\nThe original sample of Latent Bot, that is distributes in campaigns, comes packed with a crypter. After removing\r\nthis first layer, we get a loader with the following structure of sections:\r\nAll the used strings are obfuscated – particular chunks of the string are being moved to consecutive variables:\r\nhttps://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/\r\nPage 8 of 19\n\nThe basic role of the main element is to to make injection into svchost.exe. In the memory of svchost.exe, another\r\nPE file is unpacked and loaded:\r\nIf we dump this file, we find another stage. Starting from this element, all further pieces of Latent Bot have some\r\ncommon patterns. They are written in Delphi, and their strings are obfuscated by the same set of functions.\r\nExample:\r\nhttps://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/\r\nPage 9 of 19\n\nIn order to defeat this obfuscation I prepared a dedicated IDA script (latent_dec.py). Not much of the other\r\nobfuscation techniques has been used, so after applying it, the code looks much more understandable:\r\nAnother thing, typical for LatentBot’s pieces are the resources following similar schema. The current sample\r\ncomes with 2 resources: CFG and R. Both of them are encrypted:\r\nhttps://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/\r\nPage 10 of 19\n\nThis element unpacks another module (b622a0b443f36d99d5595acd0f95ea0e), that is injected this time into\r\niexplore. The new module has resources with a structure similar to the previous one. It’s CFG file contains strings\r\nencrypted by an algorithm typical for this bot:\r\nThe configuration of this element contains the bot group ID and the CnC address:\r\nMxN4ViazcD -\u003e Group 1 j5kmNVnZPcAt18wWBH3kfMOzGQ6ENA -\u003e http://104.232.32.101/\r\nModules\r\nThe main element of the LatentBot  is an engine downloading and managing the modules. Each module of\r\nLatentBot have some different task to do. Overall, it has capabilities of a typical RAT and stealer. Downloaded\r\nsubmodules are various for various samples. In the analyzed one, elements with the following names has been\r\nfetched:\r\nformgrab-128521-2\r\nhttps://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/\r\nPage 11 of 19\n\nBot_Engine-641712-8\r\nFound_Core-147200-2\r\nsend_report-325310-77\r\nsecurity-945874-2\r\nremote_desktop_service-828255-2\r\nvnc_hide_desktop-590642-47\r\nSocks-400578-2\r\nLet’s have a look inside some of them…\r\nBot_Engine Module\r\nAs the name states, this is the main module of the bot. It is responsible for the communication with the C\u0026C and\r\nloading the plugins.\r\nIt fingerprints the environment and send the collected data in the beacon to the CnC.\r\n'tkNFKRA' -\u003e '\u0026ver=' 'tA8OqC' -\u003e '\u0026os=' 't4M5zB' -\u003e '\u0026av=\"' 't4c85aF' -\u003e '\u0026acs=' 'tct4rwD' -\u003e '\u0026x64=\r\nExample – checking installed AV products:\r\nThe dedicated function contains a long list of the directories that are checked,i.e.\r\nhttps://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/\r\nPage 12 of 19\n\nThis module gives to the attacker remote control on the victim’s environment by executing various commands,\r\nsuch as:\r\n'/tKvXgFBlB' -\u003e 'testapi' 'slx6nfFi' -\u003e 'get_id' '5J5eN0Wp9A' -\u003e 'restart' '4FEa7FfTRCI' -\u003e 'shutdown\r\nExample – fragment of the function stealing and clearing the cookies:\r\nAfter completing a task, it also sends a report about the operation status:\r\nhttps://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/\r\nPage 13 of 19\n\nSecurity Module\r\nThis module performs extended environment check against various security products. Looking at the resources,\r\nwe can find three elements: DFX, VBL, FDL containing lists of strings encrypted in the typical way:\r\nDecrypting them gives an extensive list of the checked paths: DFX , VBL, and modules (exe, dll, sys): FLD\r\nFormgrab Module\r\nIn comparison to other modules, this one does not contain string or API obfuscation.\r\nhttps://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/\r\nPage 14 of 19\n\nWe can find it grabbing the content of fields of the windows:\r\n…and tapping the typed keys:\r\nhttps://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/\r\nPage 15 of 19\n\nFoud_Core Module\r\nThis is the only module that has been written in C++ instead of Delphi. It comes with a default icon added to\r\nWindows projects by Visual Studio.\r\nIt’s original name is installer.exe and it exports various functions, that can be used to make injections into 64 bit\r\napplications:\r\nhttps://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/\r\nPage 16 of 19\n\nIt has various features that are different from other modules, i.e. lack of string obfuscation. Performed actions are\r\nreported by debug strings, that are stored inside the binary as open text, i.e.\r\nhttps://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/\r\nPage 17 of 19\n\nThe compilation timestamp of this executable points at the February of 2017: 2017:02:28 18:21:01+01:00. This\r\nelement was not observed in previous years, so probably indeed it is added this year, to expand injection\r\ncapabilities of the LatentBot to 64 bit processes.\r\nConclusion\r\nLatentBot has been around for several years, however, looking at the modules we can find out that it is still being\r\nactively maintained. The distributed package is a mixture of old and new modules.\r\nThe authors of this bot are not very advanced in malware development. They program in Delphi and use some\r\nready-made templates. Also, the obfuscation they use can be easily defeated. However, they delivered a bot that is\r\nvery rich in features and easily expandable, thus, it still poses a serious threat.\r\nAppendix\r\nhttps://www.cert.pl/news/single/latentbot-modularny-i-silnie-zaciemniony-bot/ – Polish CERT on LatentBot\r\n(December 2016)\r\nhttps://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html – FireEye on LatentBot (2015)\r\nhttps://cys-centrum.com/ru/news/module_trojan_for_unauthorized_access – CyS Centrum report (2015)\r\nhttps://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/\r\nPage 18 of 19\n\nThis was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest\r\nin InfoSec. She loves going in details about malware and sharing threat information with the community. Check\r\nher out on Twitter @hasherezade and her personal blog: https://hshrzd.wordpress.com.\r\nSource: https://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/\r\nhttps://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/\r\nPage 19 of 19",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/"
	],
	"report_names": [
		"latentbot"
	],
	"threat_actors": [],
	"ts_created_at": 1775434259,
	"ts_updated_at": 1775826717,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d6908be45e6bbe8d05932c61967195416538f61d.pdf",
		"text": "https://archive.orkl.eu/d6908be45e6bbe8d05932c61967195416538f61d.txt",
		"img": "https://archive.orkl.eu/d6908be45e6bbe8d05932c61967195416538f61d.jpg"
	}
}