MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 53e65d071870f127bc6bf6c8e8ddfd131558153513976744ee7460eeb766d081. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Latrodectus


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 53e65d071870f127bc6bf6c8e8ddfd131558153513976744ee7460eeb766d081
SHA3-384 hash: 5fa882858a7f4e2fc8b9edd3fffbfe1c4a7e6d8deb5a8d7808430f8ad181608d1f606141edca739c8de6d6686275d91c
SHA1 hash: 3aa5e70111c290c45daac06984281dfb5439115b
MD5 hash: a1c84c14a82f2cbb7e9a5f253d721159
humanhash: fruit-delta-skylark-mountain
File name:beta.dll
Download: download sample
Signature Latrodectus
Create hunting rule
File size:372'736 bytes
First seen:2024-04-29 18:18:25 UTC
Last seen:2024-04-29 19:20:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 12a655c0dc6057266cd8d7f72e465acd (1 x Latrodectus)
ssdeep 6144:0CiMS1vKT70/Fl7GV547PYf4nZOniN0VEeQopwhTdCl:sT1ST78h+5KP3nj0VOopwhRCl
Threatray 81 similar samples on MalwareBazaar
TLSH T1178418577A11ACAEC833813986434A45EA6AFE344B25C3CB6354775A6E373C39939333
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 70f0b2f0f0b2d469 (1 x Latrodectus)
Reporter proxylife
Tags:exe Latrodectus

Intelligence

File Origin
# of uploads :
2
# of downloads :
355
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bb9203ca1305e47a2ec1443a640efcd5e2c7d11223184639729673579e12967e.js
Verdict:
Malicious activity
Analysis date:
2024-04-29 18:20:13 UTC
Tags:
loader latrodectus
Link:
https://app.any.run/tasks/5bece8e2-1cd0-4684-ad75-f76ccff8f753

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint keylogger lolbin masquerade packed shell32
Link:
https://www.filescan.io/uploads/662fe49ad2fc149e4127e92d/reports/737b646a-9bb9-41f8-9a66-e42279beb8b9/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/53e65d071870f127bc6bf6c8e8ddfd131558153513976744ee7460eeb766d081
Malware family:
IcedID
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/295de73b-6c0c-499e-bdce-1ce3c9a1a84c
Result
Threat name:
Latrodectus
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1433592
Signature
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Found malware configuration
PE file contains section with special chars
Performs a network lookup / discovery via net view
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Uses net.exe to modify the status of services
Yara detected Latrodectus
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1433592 Sample: beta.dll.exe Startdate: 29/04/2024 Architecture: WINDOWS Score: 100 79 kokcheez.website 2->79 81 jarinamaers.shop 2->81 83 grizmotras.com 2->83 97 Found malware configuration 2->97 99 Yara detected Latrodectus 2->99 101 Sample uses string decryption to hide its real strings 2->101 103 2 other signatures 2->103 11 loaddll64.exe 1 2->11         started        13 chrome.exe 1 2->13         started        16 chrome.exe 2->16         started        18 2 other processes 2->18 signatures3 process4 dnsIp5 20 rundll32.exe 2 11->20         started        24 cmd.exe 1 11->24         started        26 rundll32.exe 11->26         started        33 3 other processes 11->33 93 192.168.2.4, 137, 138, 443 unknown unknown 13->93 95 239.255.255.250 unknown Reserved 13->95 28 chrome.exe 13->28         started        31 chrome.exe 16->31         started        process6 dnsIp7 77 C:\Users\user\AppData\...\Update_9d550164.dll, PE32+ 20->77 dropped 113 Deletes itself after installation 20->113 35 rundll32.exe 22 20->35         started        115 Uses net.exe to modify the status of services 24->115 117 Uses ipconfig to lookup or modify the Windows network settings 24->117 119 Performs a network lookup / discovery via net view 24->119 39 rundll32.exe 24->39         started        41 WerFault.exe 20 16 26->41         started        91 www.google.com 142.250.190.132, 443, 49736, 49737 GOOGLEUS United States 28->91 file8 signatures9 process10 dnsIp11 85 kokcheez.website 104.21.37.175, 443, 49797, 49799 CLOUDFLARENETUS United States 35->85 87 jarinamaers.shop 104.21.46.75, 443, 49764, 49765 CLOUDFLARENETUS United States 35->87 89 grizmotras.com 104.21.59.82, 443, 49770, 49771 CLOUDFLARENETUS United States 35->89 105 System process connects to network (likely due to code injection or exploit) 35->105 107 Tries to steal Mail credentials (via file / registry access) 35->107 109 Tries to harvest and steal browser information (history, passwords, etc) 35->109 43 cmd.exe 1 35->43         started        45 cmd.exe 35->45         started        48 cmd.exe 35->48         started        50 8 other processes 35->50 signatures12 process13 signatures14 52 systeminfo.exe 2 1 43->52         started        55 conhost.exe 43->55         started        121 Performs a network lookup / discovery via net view 45->121 57 conhost.exe 45->57         started        59 net.exe 45->59         started        67 2 other processes 48->67 61 net.exe 50->61         started        63 net.exe 50->63         started        65 conhost.exe 50->65         started        69 12 other processes 50->69 process15 signatures16 111 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 52->111 71 WmiPrvSE.exe 52->71         started        73 net1.exe 61->73         started        75 net1.exe 63->75         started        process17
Score:
2%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/53e65d071870f127bc6bf6c8e8ddfd131558153513976744ee7460eeb766d081
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/53e65d071870f127bc6bf6c8e8ddfd131558153513976744ee7460eeb766d081/
Threat name:
Win64.Trojan.Latrodectus
Create hunting rule
Status:
Malicious
First seen:
2024-04-29 18:19:11 UTC
File Type:
PE+ (Dll)
Extracted files:
50
AV detection:
15 of 23 (65.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kptf2byyodysppdl63eorxp5cmkvqfjvcolworhoorqo5n3g2caq._file
Verdict:
malicious
Similar samples:
156c0afc01a5e346b95ebdb60cea9b7046ad7a61199cd63d6ad0f4ae32a576ac
Latrodectus
1625ac230aa5ca950573f3ba0b1a7bd4c7fbd3e3686f9ecd4a40f1504bf33a11
Latrodectus
4cf2b612939359977df51a32d2f63e2cb0c6c601e114b8e4812bd548d1db85fe
Latrodectus
4e7ac0bdb516e983b3cab7f79850d8102d2bf4117bb343b68d0da73780cceb1a
Latrodectus
53e65d071870f127bc6bf6c8e8ddfd131558153513976744ee7460eeb766d081
Latrodectus
71a429fdbaa04f8eee80c05b123ba00635569801ca041fdc7c6ac41de8aa72d3
Latrodectus
8041a15e27c785f2adcce9e8c643f5cc619b52e50cd36ff043d13c4089ce1cad
Latrodectus
+ 71 additional samples on MalwareBazaar
Result
Malware family:
latrodectus
Create hunting rule
Score:
  10/10
Tags:
family:latrodectus loader
Link:
https://tria.ge/reports/240429-wx6gwshe8s/
Behaviour
Detect larodectus Loader variant 2
Latrodectus loader
Malware Config
C2 Extraction:
https://jarinamaers.shop/live/
https://startmast.shop/live/
Unpacked files
SH256 hash:
53e65d071870f127bc6bf6c8e8ddfd131558153513976744ee7460eeb766d081
MD5 hash:
a1c84c14a82f2cbb7e9a5f253d721159
SHA1 hash:
3aa5e70111c290c45daac06984281dfb5439115b
Link:
https://www.unpac.me/results/92a78c83-60dc-4baf-8962-eda25019cb79/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/53e65d071870f127bc6bf6c8e8ddfd131558153513976744ee7460eeb766d081

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Latrodectus
Create hunting rule
Author:enzok
Description:Latrodectus Payload
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:win_unidentified_111_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.unidentified_111.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleA
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
SHLWAPI.dll::PathRemoveFileSpecA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_SVC_APICan Manipulate Windows ServicesADVAPI32.dll::OpenSCManagerA
ADVAPI32.dll::OpenServiceA
ADVAPI32.dll::QueryServiceConfigA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageA
USER32.dll::CreateWindowExA

Comments