MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 14ffcbbfb305287ea15264df3363567f36a26917ae2018af0f40e2009b8a7184. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Latrodectus


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 14ffcbbfb305287ea15264df3363567f36a26917ae2018af0f40e2009b8a7184
SHA3-384 hash: 722bc87e85176d8af0b8f7ad9841e65113601b5fa999c9a8fe815e392e6be4ee394b937788984514b790984a93b4a04c
SHA1 hash: 852d7a9ea4db5ff4cd51a92447a8d5701cfb322b
MD5 hash: dd862590d9e4ea1791df147912ae4c8f
humanhash: magazine-delaware-stairway-floor
File name:sqx.dll
Download: download sample
Signature Latrodectus
Create hunting rule
File size:1'330'688 bytes
First seen:2024-11-19 20:24:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9a0edf641145d454a005af877887e965 (1 x Latrodectus)
ssdeep 24576:pQrDp6J8JM3IgVvF7EtPCo1Frk5fRJhqYEjTvpAbHT0HRZonw4by:pQpI8JM3IwEtPCo1F45fvhq/jTyb4HR+
Threatray 61 similar samples on MalwareBazaar
TLSH T1FB55BF46F3B900BCD857C2788A675607EBB274052364DBDB4690866A6F33FE11A7E334
TrID 72.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
13.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.5% (.EXE) OS/2 Executable (generic) (2029/13)
2.5% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter pr0xylife
Tags:BruteRatel dll exe Latrodectus

Intelligence

File Origin
# of uploads :
1
# of downloads :
561
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
merd.msi
Verdict:
No threats detected
Analysis date:
2024-11-19 20:26:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/40489b87-30ca-46bf-a054-cb42362a41f2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Clean
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=673cf4b9cfd863d78e897a9b
Tags:
malware
Result
Verdict:
Clean
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
expand fingerprint lolbin masquerade microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/673cf421ef05ce04988ca932/reports/24d4aedb-c875-4017-a6ca-78f4a94ae1a9/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/14ffcbbfb305287ea15264df3363567f36a26917ae2018af0f40e2009b8a7184
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/e7c6f2eb-f92f-4acc-bf9a-c6922d542ccc
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1558851
Signature
AI detected suspicious sample
Modifies the context of a thread in another process (thread injection)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Potentially Suspicious Malware Callback Communication
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph:
Download SVG
Score:
91%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/14ffcbbfb305287ea15264df3363567f36a26917ae2018af0f40e2009b8a7184
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/14ffcbbfb305287ea15264df3363567f36a26917ae2018af0f40e2009b8a7184/
Threat name:
Win64.Backdoor.Brutel
Create hunting rule
Status:
Malicious
First seen:
2024-11-19 20:25:07 UTC
File Type:
PE+ (Dll)
Extracted files:
2
AV detection:
15 of 23 (65.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ct74xp5tauuh5iksmtptgy2wp43ke2ixvyqbrlypidrabg4kogca._file
Verdict:
malicious
Label(s):
bruteratelc4
Create hunting rule
Similar samples:
14ffcbbfb305287ea15264df3363567f36a26917ae2018af0f40e2009b8a7184
Latrodectus
25e24385719aede7f4e0359b389a9597cc26df20e1b3a6367bbc04d5d4982fe6
Latrodectus
3ac8decd825d1ed7a86ed86d7789b44c0f0c467d4f482ab0863df1b7b1e3e8cc
Latrodectus
4586250dbf8cbe579662d3492dd33fe0b3493323d4a060a0d391f20ecb28abf1
Latrodectus
937d07239cbfee2d34b7f1fae762ac72b52fb2b710e87e02fa758f452aa62913
Latrodectus
9b7bdb4cb71e84c5cff0923928bf7777a41cb5e0691810ae948304c151c0c1c5
Latrodectus
a9a4640e3887e4ee71ae0e0624afa6b8fa6a22cdffd190f1d83234109dd8496d
Latrodectus
ea1792f689bfe5ad3597c7f877b66f9fcf80d732e5233293d52d374d50cab991
Latrodectus
ead5ebf464c313176174ff0fdc3360a3477f6361d0947221d31287eeb04691b3
Latrodectus
error
Latrodectus
f4cb6b684ea097f867d406a978b3422bbf2ecfea39236bf3ab99340996b825de
Latrodectus
+ 51 additional samples on MalwareBazaar
Result
Malware family:
bruteratel
Create hunting rule
Score:
  10/10
Tags:
family:bruteratel backdoor
Link:
https://tria.ge/reports/241119-y69xsasala/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Blocklisted process makes network request
Brute Ratel C4
Bruteratel family
Detect BruteRatel badger
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/cd0513c7-1a2d-41b9-9546-a9e9cc35fdd7
Unpacked files
SH256 hash:
14ffcbbfb305287ea15264df3363567f36a26917ae2018af0f40e2009b8a7184
MD5 hash:
dd862590d9e4ea1791df147912ae4c8f
SHA1 hash:
852d7a9ea4db5ff4cd51a92447a8d5701cfb322b
Link:
https://www.unpac.me/results/50422c9a-bb74-438f-9584-9c9c647ba1ef/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/14ffcbbfb305287ea15264df3363567f36a26917ae2018af0f40e2009b8a7184

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::DeleteFileW

Comments