MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4cf2b612939359977df51a32d2f63e2cb0c6c601e114b8e4812bd548d1db85fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Latrodectus


Vendor detections: 13



SHA256 hash: 4cf2b612939359977df51a32d2f63e2cb0c6c601e114b8e4812bd548d1db85fe
SHA3-384 hash: a3bb2d592a257904b91b946ba2e482c85496566a641bea129d5a8416f007ee972a9da29617929f7d1e7dd56eb99b5fdb
SHA1 hash: 55110a221f20a4ceec34c58d0179fa31f8c102e9
MD5 hash: bd3a3714ee9a071ebeb59ac91d9ebb5a
humanhash: steak-music-blue-fish
File name: 360total.dll
Signature: Latrodectus
File size: 906'752 bytes
First seen: 2024-04-26 21:13:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 908746745c485828202e3664dddf55a1 (2 x Latrodectus)
ssdeep: 12288:WfPSAAUHV4fZUv/TrguVTax7hNRu18VAyJFoxMk/wYeDKDMyPDi:MPSAAUHV4fZUvfgmaxpu1FyJ6xMYHMke
Threatray: 7 similar samples on MalwareBazaar
TLSH: T184156B497FA88265C0A7C13AD5938A9AF3F274411F31D78F4161576E3F3B6B24B29322
TrID: 43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      27.6% (.EXE) Win64 Executable (generic) (10523/12/4)
      13.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
      5.3% (.EXE) OS/2 Executable (generic) (2029/13)
      5.2% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter: proxylife
Tags: exe Latrodectus

Note that "File type: Executable exe" is MalwareBazaar's coarse classification of the PE. The file name, the vendor verdict below (PE+ (Dll)) and the sandbox loading the sample through loaddll64.exe and rundll32.exe all indicate a 64-bit DLL, so triage it as one: it needs a host process and the right export to execute, which is what the sandboxes supplied.
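The entry publishes four cryptographic digests (MD5, SHA1, SHA256 and the less common SHA3-384) that a responder can use to confirm a file pulled from a host is this exact sample before spending sandbox time on it. The script below is an added example, not code from MalwareBazaar; it digests a file in one streaming pass, compares the result with the hashes copied from this page, and builds the form body for MalwareBazaar's `get_info` query without sending it. The imphash, ssdeep and TLSH values are not computed here (they need pefile, ssdeep and py-tlsh respectively), and the assumption that abuse.ch requires an `Auth-Key` header for API calls is noted in the code rather than modelled.

```python
import hashlib
import re
import urllib.parse

# Hashes published on this MalwareBazaar entry for 360total.dll (copied from the page above).
KNOWN_SAMPLE = {
    "md5": "bd3a3714ee9a071ebeb59ac91d9ebb5a",
    "sha1": "55110a221f20a4ceec34c58d0179fa31f8c102e9",
    "sha256": "4cf2b612939359977df51a32d2f63e2cb0c6c601e114b8e4812bd548d1db85fe",
    "sha3_384": "a3bb2d592a257904b91b946ba2e482c85496566a641bea129d5a8416f007ee972a9da29617929f7d1e7dd56eb99b5fdb",
}
ALGOS = ("md5", "sha1", "sha256", "sha3_384")
MB_API = "https://mb-api.abuse.ch/api/v1/"  # MalwareBazaar query endpoint


def hash_bytes(data: bytes) -> dict:
    """Digest an in-memory blob with every algorithm the entry lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGOS}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Stream a file through all four hashes at once: one read pass, bounded memory."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_known(hashes: dict, known: dict = KNOWN_SAMPLE) -> list:
    """Return the algorithms whose digest equals the published one (case-insensitive)."""
    return sorted(a for a in ALGOS if a in hashes and hashes[a].lower() == known[a].lower())


def mb_get_info_request(sha256: str) -> tuple:
    """Build (url, body) for MalwareBazaar's get_info query; sending it is left to the caller.
    Assumption: abuse.ch also expects an Auth-Key header carrying your API key; add it when you send."""
    if not re.fullmatch(r"[0-9a-fA-F]{64}", sha256):
        raise ValueError("expected a 64-hex-char SHA256")
    body = urllib.parse.urlencode({"query": "get_info", "hash": sha256.lower()}).encode()
    return MB_API, body


if __name__ == "__main__":
    import sys

    digests = hash_file(sys.argv[1])
    for name, value in digests.items():
        print(f"{name:9} {value}")
    print("matches MalwareBazaar entry:", match_known(digests) or "none")
```

Run it as `python hashcheck.py suspicious.dll`; a partial match (say MD5 equal but SHA256 different) should be treated as a collision or a transcription error, never as confirmation.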

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 540
Origin country: NL

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 4e7ac0bdb516e983b3cab7f79850d8102d2bf4117bb343b68d0da73780cceb1a.msi
Verdict: Malicious activity
Analysis date: 2024-04-26 21:13:47 UTC
Tags: latrodectus

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware

Maliciousness
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug crypto explorer fingerprint lolbin masquerade packed shell32
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Latrodectus
Detection: malicious
Classification: spre.troj.spyw.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sleep reduction / modifications
Deletes itself after installation
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs a network lookup / discovery via net view
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Uses net.exe to modify the status of services
Yara detected Latrodectus
Behaviour

Behavior Graph (ID 1432373; sample 360total.dll.exe; start date 26/04/2024; architecture WINDOWS; score 100)

Signatures attached to the run as a whole: Found malware configuration; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 3 other signatures.

Contacted domains (all resolved to Cloudflare, United States):
jarinamaers.shop -> 104.21.46.75:443 (CLOUDFLARENETUS)
pewwhranet.com -> 104.21.84.207:443 (CLOUDFLARENETUS)
grizmotras.com -> 172.67.219.28:443 (CLOUDFLARENETUS)

Process tree (numbers in brackets are graph node IDs, not Windows PIDs):
loaddll64.exe [12]
  cmd.exe [17] - Uses net.exe to modify the status of services; Uses ipconfig to lookup or modify the Windows network settings; Performs a network lookup / discovery via net view
    rundll32.exe [29] - drops C:\Users\user\AppData\...\Update_27361bf8.dll (PE32+); Deletes itself after installation
      rundll32.exe [37] - connects to the three domains above; System process connects to network (likely due to code injection or exploit); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
        cmd.exe [41] -> systeminfo.exe [50] (Queries sensitive network adapter information via WMI, Win32_NetworkAdapter, often done to detect virtual machines) -> WmiPrvSE.exe [69]; conhost.exe [53]
        cmd.exe [43] - Performs a network lookup / discovery via net view -> net.exe [57]; conhost.exe [55]
        cmd.exe [46] -> 2 other processes [65]
        8 other processes [48] -> net.exe [59] -> net1.exe [71]; net.exe [61] -> net1.exe [73]; conhost.exe [63]; 12 other processes [67]
  rundll32.exe [20] - Contains functionality to compare user and computer (likely to detect sandboxes); Contains functionality to detect sleep reduction / modifications -> WerFault.exe [33], WerFault.exe [35] (Windows Error Reporting)
  conhost.exe [22]
  2 other processes [27]
chrome.exe [14] - separate branch, not spawned by the sample; local traffic to 192.168.2.4, 192.168.2.5 (ports 137, 138, 443) and 239.255.255.250 -> chrome.exe [24] -> www.google.com 142.250.217.228:443 (GOOGLEUS, United States)
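The process tree above is the detection opportunity on the endpoint: a rundll32.exe instance spawns several cmd.exe children that run systeminfo, net view and ipconfig within seconds of each other, which is a discovery burst under a DLL host rather than an administrator at a console. The Python below is an added example, not part of the MalwareBazaar page or of any vendor's sandbox; it walks constructed process-creation events (node numbers mirror the graph, the command lines are illustrative, nothing here is real telemetry) and alerts when enough distinct discovery binaries run under one loader host within a time window. nltest.exe, whoami.exe and regsvr32.exe are assumptions about what a production rule would also cover; they do not appear on this page.

```python
import os
from collections import defaultdict

# Discovery commands present in the sandbox process tree: systeminfo, net/net1 view, ipconfig.
# nltest.exe and whoami.exe are an assumption of what the rule should also cover.
DISCOVERY_IMAGES = {"systeminfo.exe", "ipconfig.exe", "net.exe", "net1.exe", "nltest.exe", "whoami.exe"}
# DLL hosts the loader ran under in the sandbox; regsvr32.exe is assumed as another common host.
LOADER_HOSTS = {"rundll32.exe", "loaddll64.exe", "regsvr32.exe"}

# Constructed process-creation events modelled on the graph (pid/ppid are the graph's node IDs,
# command lines are illustrative; this is not real telemetry from the sample).
SAMPLE_EVENTS = [
    {"ts": 0,  "pid": 12,  "ppid": 2,   "image": r"C:\Windows\System32\loaddll64.exe",  "cmdline": "loaddll64.exe 360total.dll"},
    {"ts": 1,  "pid": 17,  "ppid": 12,  "image": r"C:\Windows\System32\cmd.exe",        "cmdline": "cmd.exe /c rundll32.exe 360total.dll"},
    {"ts": 2,  "pid": 29,  "ppid": 17,  "image": r"C:\Windows\System32\rundll32.exe",   "cmdline": "rundll32.exe 360total.dll"},
    {"ts": 5,  "pid": 37,  "ppid": 29,  "image": r"C:\Windows\System32\rundll32.exe",   "cmdline": "rundll32.exe Update_27361bf8.dll"},
    {"ts": 6,  "pid": 41,  "ppid": 37,  "image": r"C:\Windows\System32\cmd.exe",        "cmdline": "cmd.exe /c systeminfo"},
    {"ts": 7,  "pid": 50,  "ppid": 41,  "image": r"C:\Windows\System32\systeminfo.exe", "cmdline": "systeminfo"},
    {"ts": 8,  "pid": 43,  "ppid": 37,  "image": r"C:\Windows\System32\cmd.exe",        "cmdline": "cmd.exe /c net view"},
    {"ts": 9,  "pid": 57,  "ppid": 43,  "image": r"C:\Windows\System32\net.exe",        "cmdline": "net view"},
    {"ts": 9,  "pid": 71,  "ppid": 57,  "image": r"C:\Windows\System32\net1.exe",       "cmdline": "net1 view"},
    {"ts": 10, "pid": 46,  "ppid": 37,  "image": r"C:\Windows\System32\cmd.exe",        "cmdline": "cmd.exe /c ipconfig /all"},
    {"ts": 11, "pid": 90,  "ppid": 46,  "image": r"C:\Windows\System32\ipconfig.exe",   "cmdline": "ipconfig /all"},
    # Benign control: an interactive user running ipconfig from explorer -> cmd has no loader ancestor.
    {"ts": 3,  "pid": 200, "ppid": 2,   "image": r"C:\Windows\explorer.exe",            "cmdline": "explorer.exe"},
    {"ts": 4,  "pid": 201, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",        "cmdline": "cmd.exe"},
    {"ts": 5,  "pid": 202, "ppid": 201, "image": r"C:\Windows\System32\ipconfig.exe",   "cmdline": "ipconfig /all"},
]


def _base(image: str) -> str:
    """Lower-cased file name of a Windows image path, portable across host OSes."""
    return os.path.basename(image.replace("\\", "/")).lower()


def find_discovery_bursts(events: list, window_s: int = 60, threshold: int = 3) -> list:
    """Alert per loader-host process whose descendants run >= threshold distinct discovery
    binaries inside any window_s-second window. Returns one alert dict per offending root."""
    by_pid = {e["pid"]: e for e in events}

    def nearest_loader(pid):
        # Climb the parent chain to the closest rundll32/loaddll64/regsvr32 ancestor, if any.
        seen = set()
        while pid in by_pid and pid not in seen:
            seen.add(pid)
            if _base(by_pid[pid]["image"]) in LOADER_HOSTS:
                return pid
            pid = by_pid[pid]["ppid"]
        return None

    hits = defaultdict(list)
    for e in events:
        if _base(e["image"]) in DISCOVERY_IMAGES:
            root = nearest_loader(e["ppid"])
            if root is not None:
                hits[root].append(e)

    alerts = []
    for root, evs in hits.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):          # sliding window anchored on each event
            in_window = [x for x in evs[i:] if x["ts"] - first["ts"] <= window_s]
            names = {_base(x["image"]) for x in in_window}
            if len(names) >= threshold:
                alerts.append({
                    "root_pid": root,
                    "root_image": by_pid[root]["image"],
                    "distinct": sorted(names),
                    "commands": sorted({x["cmdline"] for x in in_window}),
                })
                break
    return alerts


if __name__ == "__main__":
    for a in find_discovery_bursts(SAMPLE_EVENTS):
        print(f"discovery burst under {a['root_image']} [{a['root_pid']}]: {', '.join(a['commands'])}")
```

Keying the alert on the nearest DLL host rather than on the immediate cmd.exe parent is what keeps the benign explorer -> cmd -> ipconfig chain quiet while still catching the burst that arrives through several separate cmd.exe children.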
Threat name: Win64.Trojan.Latrodectus
Status: Malicious
First seen: 2024-04-26 20:29:50 UTC
File type: PE+ (Dll)
Extracted files: 2
AV detection: 7 of 24 (29.17%)
Threat level: 5/5

Result
Malware family: latrodectus
Score: 10/10
Tags: family:latrodectus loader
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Deletes itself
Loads dropped DLL
Detect larodectus Loader variant 2
Latrodectus loader
Malware Config
C2 Extraction:
https://jarinamaers.shop/live/
https://startmast.shop/live/
Unpacked files
SHA256 hash: 4cf2b612939359977df51a32d2f63e2cb0c6c601e114b8e4812bd548d1db85fe
MD5 hash: bd3a3714ee9a071ebeb59ac91d9ebb5a
SHA1 hash: 55110a221f20a4ceec34c58d0179fa31f8c102e9
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerHiding__Thread
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Latrodectus
Author: enzok
Description: Latrodectus Payload

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: QbotStuff
Author: anonymous

Rule name: win_unidentified_111_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.unidentified_111.
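Of the rules above, MD5_Constants is the one most worth understanding before trusting it: it fires on the 32-bit magic numbers that any MD5 implementation carries as immediates, and the four initial-state words are the same ones SHA-1 starts from, so on its own the match says "some hash code is linked in", not "this is Latrodectus". The Python below is an added example and not the rule's own code (the rule itself is not reproduced on this page); it searches a buffer for those constants in both byte orders, separates MD5 from SHA-1 by looking for the MD5-only round constants or SHA-1's fifth state word, and runs over two constructed byte strings that stand in for compiled hash routines. Nothing in it is taken from the sample's bytes.

```python
import math
import struct

# Initial state words shared by MD5 and SHA-1 (A, B, C, D); SHA-1 adds a fifth word E.
HASH_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
SHA1_H4 = 0xC3D2E1F0
# MD5 round constants T[i] = floor(2^32 * |sin(i + 1)|), i = 0..63 (RFC 1321). They are MD5-only,
# so finding them next to the IVs separates MD5 from SHA-1.
MD5_T = tuple(int(abs(math.sin(i + 1)) * 2 ** 32) & 0xFFFFFFFF for i in range(64))

# Constructed stand-ins for code that embeds the constants as immediates (not bytes of the sample):
# 40 bytes of filler, the four IVs, 16 bytes of filler, then either two MD5 T values or SHA-1's E.
SAMPLE_MD5_CODE = b"\x90" * 40 + struct.pack("<4I", *HASH_IV) + b"\xcc" * 16 + struct.pack("<2I", MD5_T[0], MD5_T[1])
SAMPLE_SHA1_CODE = b"\x90" * 40 + struct.pack("<4I", *HASH_IV) + b"\xcc" * 16 + struct.pack("<I", SHA1_H4)


def _find_all(data: bytes, needle: bytes) -> list:
    """Every offset at which needle occurs in data (overlapping matches included)."""
    hits, i = [], data.find(needle)
    while i != -1:
        hits.append(i)
        i = data.find(needle, i + 1)
    return hits


def find_hash_constants(data: bytes) -> dict:
    """Offsets of the shared IV words, SHA-1's fifth word and the first eight MD5 T constants,
    searched as both little- and big-endian 32-bit values."""
    found = {"iv": [], "sha1_h4": [], "md5_t": []}
    for order in ("<", ">"):
        for word in HASH_IV:
            found["iv"] += _find_all(data, struct.pack(order + "I", word))
        found["sha1_h4"] += _find_all(data, struct.pack(order + "I", SHA1_H4))
        for word in MD5_T[:8]:
            found["md5_t"] += _find_all(data, struct.pack(order + "I", word))
    return {k: sorted(set(v)) for k, v in found.items()}


def classify_hash_constants(data: bytes, radius: int = 256) -> str:
    """'md5' if MD5 round constants are present, 'sha1' if the fifth state word lies within
    radius bytes of the shared IVs, 'iv-only' if only the four shared words appear, else 'none'."""
    f = find_hash_constants(data)
    if len(f["iv"]) < 4:
        return "none"
    if f["md5_t"]:
        return "md5"
    if any(abs(h - off) <= radius for off in f["iv"] for h in f["sha1_h4"]):
        return "sha1"
    return "iv-only"


if __name__ == "__main__":
    import sys

    with open(sys.argv[1], "rb") as fh:
        blob = fh.read()
    print(classify_hash_constants(blob), find_hash_constants(blob))
```

Treat "md5" as corroboration for the rule and "sha1" or "iv-only" as a reason to look at the rule's strings before counting the match; the JPCERT malware_shellcode_hash rule listed above targets a different artefact (API name hashes in position-independent code) and is not addressed here.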

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint, a binary linter that checks the security properties and capabilities of executables. For a malware sample these findings describe how the binary was built (unsigned, without NX_COMPAT or a dynamic base), which is useful for clustering and for header-based YARA; they are not a statement about exploitability.

Findings

ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (NX_COMPAT) | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high

Reviews

ID | Capabilities | Evidence

AUTH_API | Manipulates User Authorization
  ADVAPI32.dll::AllocateAndInitializeSid
  ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
  ADVAPI32.dll::FreeSid
  ADVAPI32.dll::GetLengthSid
  ADVAPI32.dll::GetSidSubAuthority
  ADVAPI32.dll::GetSidSubAuthorityCount

COM_BASE_API | Can Download & Execute components
  ole32.dll::CoCreateInstance
  ole32.dll::CreateStreamOnHGlobal

SECURITY_BASE_API | Uses Security Base API
  ADVAPI32.dll::AdjustTokenPrivileges
  ADVAPI32.dll::CreateRestrictedToken
  ADVAPI32.dll::DuplicateTokenEx
  ADVAPI32.dll::GetTokenInformation
  ADVAPI32.dll::SetSecurityDescriptorDacl
  ADVAPI32.dll::SetTokenInformation

SHELL_API | Manipulates System Shell
  SHELL32.dll::ShellExecuteExW
  SHELL32.dll::ShellExecuteW
  SHELL32.dll::SHGetFileInfoW

WIN32_PROCESS_API | Can Create Process and Threads
  ADVAPI32.dll::CreateProcessAsUserW
  KERNEL32.dll::CreateProcessW
  KERNEL32.dll::OpenProcess
  ADVAPI32.dll::OpenProcessToken
  KERNEL32.dll::CloseHandle
  KERNEL32.dll::CreateThread

WIN_BASE_API | Uses Win Base API
  KERNEL32.dll::TerminateProcess
  KERNEL32.dll::LoadLibraryW
  KERNEL32.dll::LoadLibraryExW
  KERNEL32.dll::GetCommandLineW

WIN_BASE_IO_API | Can Create Files
  KERNEL32.dll::CreateFileMappingW
  KERNEL32.dll::CreateFileA
  KERNEL32.dll::CreateFileW
  KERNEL32.dll::DeleteFileW
  KERNEL32.dll::MoveFileExW
  SHLWAPI.dll::PathRemoveFileSpecW

WIN_BASE_USER_API | Retrieves Account Information
  ADVAPI32.dll::LookupAccountSidW
  ADVAPI32.dll::LookupPrivilegeValueW

WIN_CRYPT_API | Uses Windows Crypt API
  ADVAPI32.dll::CryptAcquireContextW
  ADVAPI32.dll::CryptGenRandom

WIN_REG_API | Can Manipulate Windows Registry
  ADVAPI32.dll::RegCreateKeyW
  ADVAPI32.dll::RegCreateKeyExW
  ADVAPI32.dll::RegDeleteKeyW
  ADVAPI32.dll::RegOpenKeyExW
  ADVAPI32.dll::RegQueryInfoKeyW
  ADVAPI32.dll::RegQueryValueExW
  ADVAPI32.dll::RegQueryValueExA

WIN_SVC_API | Can Manipulate Windows Services
  ADVAPI32.dll::ChangeServiceConfigW
  ADVAPI32.dll::OpenSCManagerW
  ADVAPI32.dll::OpenServiceW
  ADVAPI32.dll::QueryServiceStatus
  ADVAPI32.dll::StartServiceW

WIN_USER_API | Performs GUI Actions
  USER32.dll::FindWindowW
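The four BLint findings above all come from a handful of PE header fields: the DllCharacteristics word of the optional header (NX_COMPAT, DYNAMIC_BASE, HIGH_ENTROPY_VA, GUARD_CF) and the size of the certificate-table data directory (Authenticode). The Python below is an added example, not BLint's code, that reads those fields with nothing beyond the standard library so you can reproduce the findings on a quarantined file without installing a linter. It also reports IMAGE_FILE_DLL from the COFF header, which is the bit that decides whether a sample is a DLL regardless of what its file name or a coarse file-type field says. The header-only PE32+ image it builds for itself is constructed for testing and is not loadable, not the sample, and a non-empty certificate table only shows that a signature is present; verifying one needs an Authenticode parser, which is out of scope here.

```python
import struct

IMAGE_FILE_DLL = 0x2000
DLLCHAR_HIGH_ENTROPY_VA = 0x0020
DLLCHAR_DYNAMIC_BASE = 0x0040
DLLCHAR_NX_COMPAT = 0x0100
DLLCHAR_GUARD_CF = 0x4000
DIR_SECURITY = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode certificate table


def pe_security_props(data: bytes) -> dict:
    """Read the COFF/optional-header fields that the CHECK_* findings above are derived from."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, _nsec, _ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32: NumberOfRvaAndSizes at +92, data directories at +96
        pe32plus, ndirs_off, dirs_off = False, 92, 96
    elif magic == 0x20B:  # PE32+: NumberOfRvaAndSizes at +108, data directories at +112
        pe32plus, ndirs_off, dirs_off = True, 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]  # DllCharacteristics sits at +70 in both formats
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    cert_size = 0
    if ndirs > DIR_SECURITY and opt_size >= dirs_off + 8 * (DIR_SECURITY + 1):
        _offset, cert_size = struct.unpack_from("<II", data, opt + dirs_off + 8 * DIR_SECURITY)
    return {
        "machine": machine,
        "pe32plus": pe32plus,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "nx_compat": bool(dllchars & DLLCHAR_NX_COMPAT),
        "dynamic_base": bool(dllchars & DLLCHAR_DYNAMIC_BASE),
        "high_entropy_va": bool(dllchars & DLLCHAR_HIGH_ENTROPY_VA),
        "guard_cf": bool(dllchars & DLLCHAR_GUARD_CF),
        "has_certificate_table": cert_size > 0,
    }


def blint_style_findings(data: bytes) -> list:
    """Finding IDs modelled on the BLint table above (CHECK_DLL_CHARACTERISTICS is folded into CHECK_NX)."""
    p = pe_security_props(data)
    findings = []
    if not p["nx_compat"]:
        findings.append("CHECK_NX")
    if not p["dynamic_base"]:
        findings.append("CHECK_PIE")
    if not p["has_certificate_table"]:
        findings.append("CHECK_AUTHENTICODE")
    return findings


def build_minimal_pe(dllchars: int, is_dll: bool = True, with_cert_table: bool = False) -> bytes:
    """Constructed header-only x64 PE32+ image for testing: DOS stub, PE signature, COFF header,
    240-byte optional header with 16 data directories. Not loadable and not the sample."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<H", opt, 70, dllchars)
    struct.pack_into("<I", opt, 108, 16)
    if with_cert_table:  # pretend a certificate blob exists at file offset 0x1000, 0x800 bytes long
        struct.pack_into("<II", opt, 112 + 8 * DIR_SECURITY, 0x1000, 0x800)
    chars = 0x0022 | (IMAGE_FILE_DLL if is_dll else 0)  # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys

    with open(sys.argv[1], "rb") as fh:
        blob = fh.read()
    print(pe_security_props(blob))
    print("findings:", blint_style_findings(blob) or "none")
```

A DLL built without DYNAMIC_BASE will still be relocated by the loader when its preferred base is taken, so CHECK_PIE here means "the linker did not ask for ASLR", which matters more for clustering a toolchain than for predicting where the code lands.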
