MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f23855e56eb6ec760717be43280eeeeaec1aeef939f9ae6a41daf1b8e3bd306. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Latrodectus


Vendor detections: 14


Intelligence 14 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f23855e56eb6ec760717be43280eeeeaec1aeef939f9ae6a41daf1b8e3bd306
SHA3-384 hash: 2d4479a1942981a9b10293e24bfc63192807e696df95ef0f3d45e9f64996ec26e0820a07d2085e4f48549fb30bede50c
SHA1 hash: 1601622dc7caef28ce413e1d73b4d4596aabfc50
MD5 hash: 4f4a164b5f9ef20be601531a727179a2
humanhash: twenty-eighteen-hot-july
File name:tab.dll
Download: download sample
Signature Latrodectus
Create hunting rule
File size:1'692'160 bytes
First seen:2024-11-13 17:18:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c6afd9d09caec6adb6d76c79bb54e219 (1 x Latrodectus)
ssdeep 24576:87u7nB/DBD9accSqVO9y/QaD74F3Zux5UDJpbD52hCvrHbvLz:8y/DBD9MVO9yos0F345UTbDukHvL
Threatray 11 similar samples on MalwareBazaar
TLSH T17B759F25E5A800A8D0F9C175CA5B4D66FB723C060B319ADB06A0DE6A2F37FD05E3DB15
TrID 72.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
13.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.5% (.EXE) OS/2 Executable (generic) (2029/13)
2.5% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter pr0xylife
Tags:BruteRatel exe Latrodectus

Intelligence

File Origin
# of uploads :
1
# of downloads :
3'706
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
tab.dll
Verdict:
Malicious activity
Analysis date:
2024-11-13 17:19:50 UTC
Tags:
latrodectus
Link:
https://app.any.run/tasks/98754b01-7b5c-4bec-a974-693c26babae9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Siggen30.2783.11992.7601.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67351b0134b6906b34829766
Tags:
ransomware overt virus
Result
Verdict:
Clean
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug evasive fingerprint hook keylogger masquerade microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/6734df8af4d218848649a541/reports/cd8100f6-9dfe-4f3a-9ff2-d5fc068a137a/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/0f23855e56eb6ec760717be43280eeeeaec1aeef939f9ae6a41daf1b8e3bd306
Malware family:
BruteRatelC4
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c7e0d4f5-f30f-4d4f-bf10-8e81378d10cc
Result
Threat name:
BruteRatel, Latrodectus
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1555318
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Found malware configuration
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sample uses string decryption to hide its real strings
Sets debug register (to hijack the execution of another thread)
Sigma detected: RunDLL32 Spawning Explorer
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected BruteRatel
Yara detected Latrodectus
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1555318 Sample: tab.dll.exe Startdate: 13/11/2024 Architecture: WINDOWS Score: 100 27 samomol.com 2->27 29 ergiholim.com 2->29 31 2 other IPs or domains 2->31 43 Suricata IDS alerts for network traffic 2->43 45 Found malware configuration 2->45 47 Antivirus detection for URL or domain 2->47 49 6 other signatures 2->49 9 loaddll64.exe 1 2->9         started        signatures3 process4 process5 11 cmd.exe 1 9->11         started        13 rundll32.exe 12 9->13         started        17 rundll32.exe 12 9->17         started        19 4 other processes 9->19 dnsIp6 21 rundll32.exe 12 11->21         started        39 samomol.com 87.120.37.120, 49933, 49978, 49979 NETERRA-ASBG Bulgaria 13->39 59 System process connects to network (likely due to code injection or exploit) 13->59 61 Injects code into the Windows Explorer (explorer.exe) 13->61 63 Writes to foreign memory regions 13->63 65 Injects a PE file into a foreign processes 13->65 41 burjog.com 45.143.166.230, 49704, 49705, 49706 ITTITT-ASRU Russian Federation 17->41 67 Allocates memory in foreign processes 17->67 69 Modifies the context of a thread in another process (thread injection) 17->69 71 Creates a thread in another existing process (thread injection) 17->71 signatures7 process8 signatures9 51 Contains functionality to inject threads in other processes 21->51 53 Injects code into the Windows Explorer (explorer.exe) 21->53 55 Sets debug register (to hijack the execution of another thread) 21->55 57 4 other signatures 21->57 24 explorer.exe 93 1 21->24 injected process10 dnsIp11 33 ergiholim.com 104.21.15.162, 443, 49985, 49987 CLOUDFLARENETUS United States 24->33 35 104.21.92.105, 443, 50051, 50053 CLOUDFLARENETUS United States 24->35 37 rolefenik.com 172.67.191.232, 443, 49984, 49986 CLOUDFLARENETUS United States 24->37
Score:
91%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0f23855e56eb6ec760717be43280eeeeaec1aeef939f9ae6a41daf1b8e3bd306
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0f23855e56eb6ec760717be43280eeeeaec1aeef939f9ae6a41daf1b8e3bd306/
Threat name:
Win64.Backdoor.Brutel
Create hunting rule
Status:
Malicious
First seen:
2024-11-13 17:19:10 UTC
File Type:
PE+ (Dll)
Extracted files:
57
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b4rykxsw5nxmoydrppsdfaho52xmdlxpsopzvzvedwxrxdr32mda._file
Verdict:
malicious
Label(s):
bruteratelc4
Create hunting rule
latrodectus
Create hunting rule
Similar samples:
025abbec1724b9180b369fe116da9d90ae47a4996f6a4e28e8a947bac1e0c741
Latrodectus
06a9283d0374be0ba13f645b13cca80601595d7d608aa18c9a4c9ce323af03db
Latrodectus
0f23855e56eb6ec760717be43280eeeeaec1aeef939f9ae6a41daf1b8e3bd306
Latrodectus
3f948bcd8c16b6e2c20fec3e9126a730b835888a4f071391c7847b00a27d8dd8
Latrodectus
dfff1a07429ff9585f3dab9c78b501174e7c326e1fb95c5234368071b5426768
Latrodectus
error
Latrodectus
f8e3eef1fda5969a7aabcc8fb5cc9f5fe245bbf6cc8e480459977b8e91eab9bd
Latrodectus
+ 1 additional samples on MalwareBazaar
Result
Malware family:
latrodectus
Create hunting rule
Score:
  10/10
Tags:
family:bruteratel family:latrodectus backdoor loader
Link:
https://tria.ge/reports/241113-vvt6eawdnc/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Brute Ratel C4
Bruteratel family
Detect BruteRatel badger
Detects Latrodectus
Latrodectus family
Latrodectus loader
Malware Config
C2 Extraction:
https://rolefenik.com/test/
https://ergiholim.com/test/
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/22a27f17-2902-436d-8345-3fb8fe873939
Unpacked files
SH256 hash:
0f23855e56eb6ec760717be43280eeeeaec1aeef939f9ae6a41daf1b8e3bd306
MD5 hash:
4f4a164b5f9ef20be601531a727179a2
SHA1 hash:
1601622dc7caef28ce413e1d73b4d4596aabfc50
Link:
https://www.unpac.me/results/926fdee4-c86b-456f-9d0b-45e4b9601ad2/
Malware family:
Latrodectus
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0f23855e56eb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0f23855e56eb6ec760717be43280eeeeaec1aeef939f9ae6a41daf1b8e3bd306

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::EqualSid
ADVAPI32.dll::FreeSid
ADVAPI32.dll::GetSidSubAuthority
ADVAPI32.dll::GetSidSubAuthorityCount
ADVAPI32.dll::IsValidSid
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::GetSidIdentifierAuthority
ADVAPI32.dll::GetTokenInformation
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
ADVAPI32.dll::OpenThreadToken
ADVAPI32.dll::SetThreadToken
KERNEL32.dll::VirtualAllocExNuma
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW
KERNEL32.dll::FindFirstFileW
KERNEL32.dll::GetTempFileNameW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegQueryInfoKeyW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::FindWindowExW
USER32.dll::PeekMessageW

Comments