MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 513e17579b0b155256d134940ea03d8ab7a0d1f71ebe188954e2450cdc6b7d99. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Latrodectus


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 513e17579b0b155256d134940ea03d8ab7a0d1f71ebe188954e2450cdc6b7d99
SHA3-384 hash: 489e5d8a679250ce4255fd1575eb1c12801947f1d7652f5525d6139b20beff17bca52b2f6f5cafce6e790b2ee8659f96
SHA1 hash: c437c27f55f7b34dd7bd964ec48b0df6ffee985f
MD5 hash: 6ec4144a4adc7c5f6efae8fbfd46999e
humanhash: wisconsin-emma-ack-paris
File name:SecuriteInfo.com.Trojan-Banker.Win64.IcedID.er.29654.2537
Download: download sample
Signature Latrodectus
Create hunting rule
File size:2'127'872 bytes
First seen:2024-02-23 09:26:21 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:OGLvYpW8zBQSc0ZnSKeZKumZr7A7ySO3AqFXX+PFebm:lYQ0ZncK/AGSKFXX+de
Threatray 5 similar samples on MalwareBazaar
TLSH T1E9A5F1227386C537C96E01303A2AD76B5179FDB74B3140D7A3C8292EAE744C16639FA7
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter SecuriteInfoCom
Tags:Latrodectus msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
112
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/477479/
Detection(s):
SecuriteInfo.com.Trojan-Banker.Win64.IcedID.er.29654.2537.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
icedid lolbin masquerade remote shell32
Link:
https://www.filescan.io/uploads/65d864e8c5e1a083fbf5d40c/reports/f0ce9df8-6b3b-4699-a0ba-1d73e513a9ab/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/513e17579b0b155256d134940ea03d8ab7a0d1f71ebe188954e2450cdc6b7d99
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/513e17579b0b155256d134940ea03d8ab7a0d1f71ebe188954e2450cdc6b7d99
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1397539
Signature
Drops executables to the windows directory (C:\Windows) and starts them
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs a network lookup / discovery via net view
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Uses ipconfig to lookup or modify the Windows network settings
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1397539 Sample: SecuriteInfo.com.Trojan-Ban... Startdate: 23/02/2024 Architecture: WINDOWS Score: 88 78 saicetyapy.space 2->78 80 lastaflirtely.me 2->80 86 Multi AV Scanner detection for domain / URL 2->86 88 Multi AV Scanner detection for dropped file 2->88 90 Multi AV Scanner detection for submitted file 2->90 10 rundll32.exe 2 2->10         started        13 msiexec.exe 9 2->13         started        15 msiexec.exe 15 38 2->15         started        18 rundll32.exe 2->18         started        signatures3 process4 file5 60 C:\Users\user\AppData\...\Update_80110480.dll, PE32+ 10->60 dropped 62 :wtfbbq (copy), PE32+ 10->62 dropped 20 rundll32.exe 13 10->20         started        64 C:\Users\user\AppData\Local\...\MSIE223.tmp, PE32 13->64 dropped 66 C:\Users\user\AppData\Local\...\MSIE1F3.tmp, PE32 13->66 dropped 76 4 other malicious files 13->76 dropped 68 C:\Windows\Installer\MSIE5F9.tmp, PE32 15->68 dropped 70 C:\Windows\Installer\MSIE461.tmp, PE32 15->70 dropped 72 C:\Windows\Installer\MSIE395.tmp, PE32 15->72 dropped 74 C:\Users\user\AppData\Local\...\svcimport.dll, PE32+ 15->74 dropped 100 Drops executables to the windows directory (C:\Windows) and starts them 15->100 24 MSIE5F9.tmp 15->24         started        26 msiexec.exe 15->26         started        28 msiexec.exe 15->28         started        signatures6 process7 dnsIp8 82 saicetyapy.space 104.21.51.56, 443, 49737, 49738 CLOUDFLARENETUS United States 20->82 84 lastaflirtely.me 172.67.133.121, 443, 49739, 49740 CLOUDFLARENETUS United States 20->84 92 System process connects to network (likely due to code injection or exploit) 20->92 30 cmd.exe 1 20->30         started        33 cmd.exe 1 20->33         started        35 cmd.exe 1 20->35         started        37 3 other processes 20->37 signatures9 process10 signatures11 96 Uses ipconfig to lookup or modify the Windows network settings 30->96 98 Performs a network lookup / discovery via net view 30->98 39 conhost.exe 30->39         started        41 ipconfig.exe 1 30->41         started        43 systeminfo.exe 2 1 33->43         started        46 conhost.exe 33->46         started        48 conhost.exe 35->48         started        50 net.exe 1 35->50         started        52 conhost.exe 37->52         started        54 conhost.exe 37->54         started        56 4 other processes 37->56 process12 signatures13 94 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 43->94 58 WmiPrvSE.exe 43->58         started        process14
Score:
15%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/513e17579b0b155256d134940ea03d8ab7a0d1f71ebe188954e2450cdc6b7d99
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/513e17579b0b155256d134940ea03d8ab7a0d1f71ebe188954e2450cdc6b7d99/
Threat name:
Win64.Trojan.IcedID
Create hunting rule
Status:
Suspicious
First seen:
2024-02-22 18:21:01 UTC
File Type:
Binary (Archive)
Extracted files:
80
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ke7bov43bmkvevwrgska5ib5rk32bupxd27brcku4jcqzxdlpwmq._file
Verdict:
malicious
Similar samples:
513e17579b0b155256d134940ea03d8ab7a0d1f71ebe188954e2450cdc6b7d99
Latrodectus
5becad2dcfad4b96563b2cc9da05eec3a6511cb5f6f0072c967144ce6459cb29
Latrodectus
94b8ab735d503884585fdb5a735b3ea3485b6b19c1899939a5b2c0a80616400a
Latrodectus
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://tria.ge/reports/240223-leq95seb4t/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Enumerates connected drives
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/513e17579b0b155256d134940ea03d8ab7a0d1f71ebe188954e2450cdc6b7d99

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Latrodectus

Microsoft Software Installer (MSI) msi 513e17579b0b155256d134940ea03d8ab7a0d1f71ebe188954e2450cdc6b7d99

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2768340/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/477479/

Comments