MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d185ea3b0a49c2fa65bfd2757c9d0705657f0639fd36f196ac394fcd38c361d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Latrodectus

Vendor detections: 10



SHA256 hash: 0d185ea3b0a49c2fa65bfd2757c9d0705657f0639fd36f196ac394fcd38c361d
SHA3-384 hash: 36a80047cf659b35c43d3c289cb8d4b5b5d0fe1121f44839a0436862414219d9a9c7d0761cc9da879fd863e76c3f9a0f
SHA1 hash: 30df07e83063822bfff5038cb2fdb250cd18e5cc
MD5 hash: adce4873aa5a54f4c3eaf02b9a9b2ca2
humanhash: freddie-bluebird-oscar-quebec
File name: down.dll
Signature: Latrodectus
File size: 609'792 bytes
First seen: 2024-02-16 17:21:19 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: ff1950b83ebbc71a2475e6c8c8cb0707 (1 x Latrodectus)
ssdeep: 12288:uTjTe9Yd3lrqQLo3iDBnXyH5+P0orR6AZURudpBL:uTvB3lPcKnXE5m0pupL
Threatray: 24 similar samples on MalwareBazaar
TLSH: T1D5D47C5FF5D507BAD4B6907CE513AE46F2357896072046DB03D086A62F2F7E0AE7A320
TrID: 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
      19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
      7.7% (.EXE) OS/2 Executable (generic) (2029/13)
      7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter: Anonymous
Tags: exe Latrodectus

Intelligence

File Origin
# of uploads: 1
# of downloads: 375
Origin country: GB

Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: fingerprint masquerade packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 52 / 100
Signature:
- Deletes itself after installation
- System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph (ID 1393608; sample down.dll.exe; start date 16/02/2024; architecture WINDOWS; score 52):
- Start node resolves saicetyapy.space and antyparkov.site, and starts loaddll64.exe and rundll32.exe
- loaddll64.exe starts rundll32.exe, rundll32.exe, cmd.exe and 2 other processes
- rundll32.exe drops C:\Users\user\AppData\...\Update_209ae0c3.dll (PE32+); signature: Deletes itself after installation
- rundll32.exe starts rundll32.exe; the second rundll32.exe starts WerFault.exe; cmd.exe starts rundll32.exe
- rundll32.exe connects to antyparkov.site (104.21.44.122, 443, 49743, 49745, CLOUDFLARENETUS, United States) and saicetyapy.space (172.67.221.168, 443, 49742, 49744, CLOUDFLARENETUS, United States); signature: System process connects to network (likely due to code injection or exploit)

Result
Threat name: Win64.Spyware.Latrodectus
Status: Suspicious
First seen: 2024-02-16 17:22:05 UTC
File Type: PE+ (Dll)
Extracted files: 2
AV detection: 8 of 23 (34.78%)
Threat level: 2/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a

Unpacked files
SHA256 hash: fc4932314471c91434fde050e85967de31701e0b391440c1c5f9aa5d6fde615d
MD5 hash: aa627696e764eb0b36dc778dc3501aff
SHA1 hash: 903c4a61c55e766312a180319fb0fedaf1c1554f
Detections: win_unidentified_111_auto

SHA256 hash: 0d185ea3b0a49c2fa65bfd2757c9d0705657f0639fd36f196ac394fcd38c361d
MD5 hash: adce4873aa5a54f4c3eaf02b9a9b2ca2
SHA1 hash: 30df07e83063822bfff5038cb2fdb250cd18e5cc

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value

Rule name: meth_stackstrings
Author: Willi Ballenthin

Rule name: win_unidentified_111_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.unidentified_111.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments