MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b9e17bfbd292075956cc2006983f91e17aed94ebbb0fb370bf83d23b14289fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Latrodectus


Vendor detections: 10


Intelligence 10 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b9e17bfbd292075956cc2006983f91e17aed94ebbb0fb370bf83d23b14289fa
SHA3-384 hash: 513da51af382325edc68c1b52040fc0c19fba70b86cc98914913fc29d9c893bb88d0be4dadab507fcb90440ac30f512f
SHA1 hash: dc8ec40f846dd55be5661d43a80acb4d442f6cd3
MD5 hash: d75db138a6519ace7795ba35ea62a498
humanhash: vermont-early-utah-july
File name:DLPAgent.msi
Download: download sample
Signature Latrodectus
Create hunting rule
File size:2'165'248 bytes
First seen:2024-09-18 20:27:37 UTC
Last seen:2024-11-03 08:58:36 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:56s3YhW8zBQSc0ZnSKSZKumZr7AKMLQanYBQDpridgYaU:HYY0ZnQK/AvL8BpgPU
Threatray 189 similar samples on MalwareBazaar
TLSH T1CEA5F12273C6C537D96E01302A1AD66B557DFDB70B3140CBA3C8292EAE745C16639FA3
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter k3dg3___
Tags:BazaLoader BruteRatel Latrodectus LUNAR SPIDER msi

Intelligence

File Origin
# of uploads :
3
# of downloads :
509
Origin country :
US US
Vendor Threat Intelligence
Detection(s):
Win.Trojan.Latrodectus-10031447-0
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66eb37d4f72de0d131bea28f
Tags:
Generic
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug fingerprint lolbin packed peloader remote shell32 wix
Link:
https://www.filescan.io/uploads/66eb37d3043c09361a305fbd/reports/948d4174-ee20-447a-beff-c3f903167c78/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/1b9e17bfbd292075956cc2006983f91e17aed94ebbb0fb370bf83d23b14289fa
Result
Verdict:
SUSPICIOUS
Link:
https://labs.inquest.net/dfi/sha256/1b9e17bfbd292075956cc2006983f91e17aed94ebbb0fb370bf83d23b14289fa
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Bazar Loader, BruteRatel, Latrodectus
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1513529
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sample uses string decryption to hide its real strings
Sets debug register (to hijack the execution of another thread)
Sigma detected: RunDLL32 Spawning Explorer
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Bazar Loader
Yara detected BruteRatel
Yara detected Latrodectus
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1513529 Sample: DLPAgent.msi Startdate: 18/09/2024 Architecture: WINDOWS Score: 100 34 tiguanin.com 2->34 36 isomicrotich.com 2->36 38 3 other IPs or domains 2->38 48 Suricata IDS alerts for network traffic 2->48 50 Found malware configuration 2->50 52 Antivirus detection for URL or domain 2->52 54 7 other signatures 2->54 7 rundll32.exe 8 12 2->7         started        11 msiexec.exe 14 40 2->11         started        14 msiexec.exe 2 2->14         started        signatures3 process4 dnsIp5 40 bazarunet.com 193.124.185.116, 49704, 49705, 49706 IHOR-ASRU Russian Federation 7->40 42 tiguanin.com 193.124.185.117, 49714, 49717, 49718 IHOR-ASRU Russian Federation 7->42 44 greshunka.com 92.118.112.130, 49708, 49720, 49726 GUDAEV-ASRU Russian Federation 7->44 56 System process connects to network (likely due to code injection or exploit) 7->56 58 Contains functionality to inject threads in other processes 7->58 60 Injects code into the Windows Explorer (explorer.exe) 7->60 64 6 other signatures 7->64 16 explorer.exe 88 1 7->16 injected 24 C:\Windows\Installer\MSI7ED9.tmp, PE32 11->24 dropped 26 C:\Users\user\AppData\...\x64_stealth.dll, PE32+ 11->26 dropped 28 C:\Windows\Installer\MSI7DCE.tmp, PE32 11->28 dropped 30 3 other files (none is malicious) 11->30 dropped 62 Drops executables to the windows directory (C:\Windows) and starts them 11->62 20 msiexec.exe 11->20         started        22 MSI7ED9.tmp 11->22         started        file6 signatures7 process8 dnsIp9 32 isomicrotich.com 188.114.97.3, 443, 49735, 49736 CLOUDFLARENETUS European Union 16->32 46 System process connects to network (likely due to code injection or exploit) 16->46 signatures10
Score:
26%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/1b9e17bfbd292075956cc2006983f91e17aed94ebbb0fb370bf83d23b14289fa
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1b9e17bfbd292075956cc2006983f91e17aed94ebbb0fb370bf83d23b14289fa/
Threat name:
Win32.Backdoor.Brutel
Create hunting rule
Status:
Malicious
First seen:
2024-09-18 20:28:05 UTC
File Type:
Binary (Archive)
Extracted files:
37
AV detection:
18 of 38 (47.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dopbpp55feqhlflmyiagta7zdyl25wkoxoypwnyl7a6shmkcrh5a._file
Verdict:
malicious
Label(s):
bruteratelc4
Create hunting rule
Similar samples:
1b9e17bfbd292075956cc2006983f91e17aed94ebbb0fb370bf83d23b14289fa
Latrodectus
4586250dbf8cbe579662d3492dd33fe0b3493323d4a060a0d391f20ecb28abf1
Latrodectus
5b18441926e832038099acbe4a90c9e1907c9487ac14bdf4925ac170dddc24b6
Latrodectus
937d07239cbfee2d34b7f1fae762ac72b52fb2b710e87e02fa758f452aa62913
Latrodectus
ead5ebf464c313176174ff0fdc3360a3477f6361d0947221d31287eeb04691b3
Latrodectus
f60c7e2cd7078584e1fb2eacd6270c314f1e23f76a4cd78c5d13eec215f0e41c
Latrodectus
+ 179 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery persistence privilege_escalation
Link:
https://tria.ge/reports/240918-y8zvlasdqj/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Enumerates connected drives
Blocklisted process makes network request
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/76d652ec-b847-4183-8e21-50774a2440ab
Malware family:
Latrodectus
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1b9e17bfbd29/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_APT29_WINELOADER_Backdoor
Create hunting rule
Author:daniyyell
Description:Detects APT29's WINELOADER backdoor variant used in phishing campaigns, this rule also detect bad pdf,shtml,htm and vbs or maybe more depends
Reference:https://cloud.google.com/blog/topics/threat-intelligence/apt29-wineloader-german-political-parties
Rule name:Detect_LATAM_MSI_Banker
Create hunting rule
Rule name:Detect_Malicious_VBScript_Base64
Create hunting rule
Author:daniyyell
Description:Detects malicious VBScript patterns, including Base64 decoding, file operations, and PowerShell.
Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

623c310f3cca7720e0c8c74aedd2fa968bac5aaf30787a00e8b21ab33d8e5aef

Latrodectus

Java Script (JS) js 811fdf8fd7d80ec9b53da88122e3884de7ce5fd4d7b41421e153927d8395ea28

Latrodectus

Microsoft Software Installer (MSI) msi 1b9e17bfbd292075956cc2006983f91e17aed94ebbb0fb370bf83d23b14289fa

(this sample)

  
Dropped by
SHA256 811fdf8fd7d80ec9b53da88122e3884de7ce5fd4d7b41421e153927d8395ea28
  
Delivery method
Distributed via e-mail attachment
  
URLhaus
https://urlhaus.abuse.ch/url/3180445/
  
Dropped by
MD5 03032d56a6846e0f1d3d80bc49aedaeb

Comments