MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f948bcd8c16b6e2c20fec3e9126a730b835888a4f071391c7847b00a27d8dd8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Latrodectus


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3f948bcd8c16b6e2c20fec3e9126a730b835888a4f071391c7847b00a27d8dd8
SHA3-384 hash: d520fc3833c43a84d897095816d7e0c99291710594426bb3c49e4deddc10c89f5e7857ae167eb9b8622ec29a59e754f2
SHA1 hash: 7fb5cf0c74dfe53a87dd66a96699a245b69bff62
MD5 hash: 6cd9c64a0529b03d105ed83dc7ac9a37
humanhash: cat-enemy-finch-potato
File name:Document-v05-53-20.js
Download: download sample
Signature Latrodectus
Create hunting rule
File size:321'282 bytes
First seen:2024-11-13 06:15:06 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 6144:23L5OgSHWLjOBeJz2FQhpqan7tJmWeCLj/yZSmK/my4HoYQ1vU8VoEOrG:sZF2Iqis2/5p4HQfoC
Threatray 241 similar samples on MalwareBazaar
TLSH T1B2645CA0EA4002261F936B9F9E5219D2AD2CC51187122A18F5AF039D1FC79D8E37DF7D
Magika txt
Reporter k3dg3___
Tags:BruteRatel BruteRatelC4 js Latrodectus TA578

Intelligence

File Origin
# of uploads :
1
# of downloads :
3'634
Origin country :
US US
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.22236.28839.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Score:
50.0%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6735182d34b6906b348281ce
Tags:
java html
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/67344423d64ed6dcf6de5bbb/reports/79cc488b-f134-421f-8ada-165b338fec60/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/3f948bcd8c16b6e2c20fec3e9126a730b835888a4f071391c7847b00a27d8dd8
Result
Threat name:
BruteRatel, Latrodectus
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1554896
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Query firmware table information (likely to detect VMs)
Sample has a suspicious name (potential lure to open the executable)
Sample uses string decryption to hide its real strings
Sets debug register (to hijack the execution of another thread)
Sigma detected: RunDLL32 Spawning Explorer
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected BruteRatel
Yara detected Latrodectus
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1554896 Sample: Document-v05-53-20.js Startdate: 13/11/2024 Architecture: WINDOWS Score: 100 44 xomamox.com 2->44 46 waffaffa.com 2->46 48 3 other IPs or domains 2->48 58 Suricata IDS alerts for network traffic 2->58 60 Found malware configuration 2->60 62 Antivirus detection for URL or domain 2->62 64 7 other signatures 2->64 11 msiexec.exe 14 38 2->11         started        16 explorer.exe 4 93 2->16         started        18 wscript.exe 1 2->18         started        signatures3 process4 dnsIp5 54 easyprinter.live 188.114.96.3, 443, 49730 CLOUDFLARENETUS European Union 11->54 36 C:\Windows\Installer\MSID4A8.tmp, PE32 11->36 dropped 38 C:\Users\user\AppData\Roaming\apptext.dll, PE32+ 11->38 dropped 40 C:\Windows\Installer\MSID3DA.tmp, PE32 11->40 dropped 42 3 other files (none is malicious) 11->42 dropped 74 Drops executables to the windows directory (C:\Windows) and starts them 11->74 20 MSID4A8.tmp 1 11->20         started        22 msiexec.exe 11->22         started        76 Query firmware table information (likely to detect VMs) 16->76 78 Windows Scripting host queries suspicious COM object (likely to drop second stage) 18->78 file6 signatures7 process8 process9 24 rundll32.exe 20->24         started        process10 26 rundll32.exe 12 24->26         started        dnsIp11 50 xomamox.com 80.66.76.106, 60911, 8877 VAD-SRL-AS1MD Russian Federation 26->50 52 waffaffa.com 45.143.166.83, 60918, 61107, 8877 ITTITT-ASRU Russian Federation 26->52 66 System process connects to network (likely due to code injection or exploit) 26->66 68 Contains functionality to inject threads in other processes 26->68 70 Injects code into the Windows Explorer (explorer.exe) 26->70 72 5 other signatures 26->72 30 explorer.exe 26 1 26->30 injected signatures12 process13 dnsIp14 56 rolefenik.com 104.21.92.105, 443, 61186, 61187 CLOUDFLARENETUS United States 30->56 80 System process connects to network (likely due to code injection or exploit) 30->80 34 WerFault.exe 21 30->34         started        signatures15 process16
Score:
7%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/3f948bcd8c16b6e2c20fec3e9126a730b835888a4f071391c7847b00a27d8dd8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3f948bcd8c16b6e2c20fec3e9126a730b835888a4f071391c7847b00a27d8dd8/
Threat name:
Win32.Dropper.Generic
Create hunting rule
Status:
Suspicious
First seen:
2024-11-13 06:16:05 UTC
File Type:
Text (AutoIt)
AV detection:
1 of 38 (2.63%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h6kixtmmc23ofqqp5q7jcjvhgc4dlcekj4drheohqr5qbit5rxma._file
Verdict:
malicious
Label(s):
bruteratelc4
Create hunting rule
latrodectus
Create hunting rule
Similar samples:
07282b92613d88cdeb02dc30835216268c7ec378bb0ff7a08bb280775a8f82c3
Latrodectus
1822636a57752d06999da566e21c16b1f0dc465e225af2c2afba6ffb1cde0512
Latrodectus
3f948bcd8c16b6e2c20fec3e9126a730b835888a4f071391c7847b00a27d8dd8
Latrodectus
620deee533806435220710d4ac4bd7810e04cb8d21fd80293785cd6b9235ca75
Latrodectus
error
Latrodectus
f02ba578e0f962f6be46187b288e22a4dbe972878893ecb81ff5f33944aef4b4
Latrodectus
fd4b6e419691647b9ae0ca60e5b383c5d9fe1d5fcfc8dec887bb188c4d39d36e
Latrodectus
+ 231 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/241113-g1fy3swmgs/
Behaviour
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.48
Link:
https://yomi.yoroi.company/submissions/3f948bcd8c16b6e2c20fec3e9126a730b835888a4f071391c7847b00a27d8dd8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Latrodectus

Java Script (JS) js 3f948bcd8c16b6e2c20fec3e9126a730b835888a4f071391c7847b00a27d8dd8

(this sample)

Latrodectus

Executable exe f8e3eef1fda5969a7aabcc8fb5cc9f5fe245bbf6cc8e480459977b8e91eab9bd

  
Link
https://tria.ge/241113-gpk4naznaq/behavioral2
  
Dropping
SHA256 f8e3eef1fda5969a7aabcc8fb5cc9f5fe245bbf6cc8e480459977b8e91eab9bd
  
Delivery method
Distributed via e-mail link
  
Dropping
MD5 86b57c9deafed093d4b47b03823b4d14

Comments