MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 658b8c47d7193c7c31a2540b2f54fcdfb9298d8346a4ad3be7e684ef946f57a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Latrodectus


Vendor detections: 8


Intelligence 8 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 658b8c47d7193c7c31a2540b2f54fcdfb9298d8346a4ad3be7e684ef946f57a5
SHA3-384 hash: 1bf7b0551651b040f362020e0398a37f57136f9caa425ecf570928fb72004a3be82db1124177af44df187c3d71b25cfe
SHA1 hash: 490453e5eeaaf89071a29c68548314d1e9b21592
MD5 hash: 371fe9184f46204250bcb30fe62f3a08
humanhash: papa-mountain-vegan-india
File name:fes.msi
Download: download sample
Signature Latrodectus
Create hunting rule
File size:2'200'576 bytes
First seen:2024-12-03 16:42:03 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:pXE3YQW8zBQSc0ZnSKBZKumZr7AaIGQ5rr0Go:UYH0Zn3K/AafII
Threatray 273 similar samples on MalwareBazaar
TLSH T1B6A5F12273C6C537C96E01302A29D66B557DFCB74B3140D7A3C8291EAE744C1A63AFA7
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter k3dg3___
Tags:BruteRatel BruteRatelC4 Latrodectus msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
134
Origin country :
US US
Vendor Threat Intelligence
Verdict:
Clean
Score:
82.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=674f35fc12e85e185e75646c
Tags:
shellcode
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
cmd fingerprint lolbin remote
Link:
https://www.filescan.io/uploads/674f351b266b360b01e4a64b/reports/bde96aaa-6f91-4e98-98f0-0a71ae6d6b5a/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/658b8c47d7193c7c31a2540b2f54fcdfb9298d8346a4ad3be7e684ef946f57a5
Result
Threat name:
BruteRatel, Latrodectus
Create hunting rule
Detection:
malicious
Classification:
spre.bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1567646
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks if browser processes are running
Contains functionality to inject threads in other processes
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Performs a network lookup / discovery via net view
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sets debug register (to hijack the execution of another thread)
Sigma detected: RunDLL32 Spawning Explorer
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ipconfig to lookup or modify the Windows network settings
Uses net.exe to modify the status of services
Uses whoami command line tool to query computer and username
Writes to foreign memory regions
Yara detected BruteRatel
Yara detected Latrodectus
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1567646 Sample: fes.msi Startdate: 03/12/2024 Architecture: WINDOWS Score: 100 73 vutarf.com 2->73 75 reateberam.com 2->75 77 3 other IPs or domains 2->77 85 Suricata IDS alerts for network traffic 2->85 87 Found malware configuration 2->87 89 Antivirus detection for URL or domain 2->89 91 6 other signatures 2->91 11 rundll32.exe 2->11         started        13 msiexec.exe 14 40 2->13         started        17 msiexec.exe 2 2->17         started        signatures3 process4 file5 19 rundll32.exe 8 14 11->19         started        65 C:\Windows\Installer\MSI17D3.tmp, PE32 13->65 dropped 67 C:\Users\user\AppData\Roaming\avutil.dll, PE32+ 13->67 dropped 69 C:\Windows\Installer\MSI16A8.tmp, PE32 13->69 dropped 71 3 other files (none is malicious) 13->71 dropped 113 Drops executables to the windows directory (C:\Windows) and starts them 13->113 23 msiexec.exe 13->23         started        25 MSI17D3.tmp 13->25         started        signatures6 process7 dnsIp8 79 vutarf.com 94.232.43.224, 49732, 6542 WELLWEBNL Russian Federation 19->79 81 huanvn.com 103.57.249.207, 49730, 6542 SITINETWORS-IN-APSITINETWORKSLIMITEDIN India 19->81 93 System process connects to network (likely due to code injection or exploit) 19->93 95 Contains functionality to inject threads in other processes 19->95 97 Injects code into the Windows Explorer (explorer.exe) 19->97 101 5 other signatures 19->101 27 explorer.exe 68 9 19->27 injected 99 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 23->99 signatures9 process10 dnsIp11 83 dogirafer.com 104.21.68.89, 443, 49851, 49861 CLOUDFLARENETUS United States 27->83 103 System process connects to network (likely due to code injection or exploit) 27->103 105 Checks if browser processes are running 27->105 107 Contains functionality to steal Internet Explorer form passwords 27->107 109 Tries to harvest and steal browser information (history, passwords, etc) 27->109 31 cmd.exe 1 27->31         started        34 cmd.exe 1 27->34         started        36 cmd.exe 1 27->36         started        38 8 other processes 27->38 signatures12 process13 signatures14 115 Uses net.exe to modify the status of services 31->115 117 Uses ipconfig to lookup or modify the Windows network settings 31->117 119 Uses whoami command line tool to query computer and username 31->119 40 conhost.exe 31->40         started        42 ipconfig.exe 1 31->42         started        44 systeminfo.exe 2 1 34->44         started        47 conhost.exe 34->47         started        121 Performs a network lookup / discovery via net view 36->121 55 2 other processes 36->55 49 net.exe 38->49         started        51 net.exe 38->51         started        53 conhost.exe 38->53         started        57 13 other processes 38->57 process15 signatures16 111 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 44->111 59 WmiPrvSE.exe 44->59         started        61 net1.exe 49->61         started        63 net1.exe 51->63         started        process17
Score:
91%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/658b8c47d7193c7c31a2540b2f54fcdfb9298d8346a4ad3be7e684ef946f57a5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/658b8c47d7193c7c31a2540b2f54fcdfb9298d8346a4ad3be7e684ef946f57a5/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mwfyyr6xde6hymnckqfs6vh4364stdmdi2sk2o7h42co7fdpk6sq._file
Verdict:
malicious
Label(s):
bruteratelc4
Create hunting rule
Similar samples:
06a9283d0374be0ba13f645b13cca80601595d7d608aa18c9a4c9ce323af03db
Latrodectus
3f948bcd8c16b6e2c20fec3e9126a730b835888a4f071391c7847b00a27d8dd8
Latrodectus
61365e29247428b26c8a6ca0d6326bbd04c2c798d7abad1660338ce3c11c68c4
Latrodectus
658b8c47d7193c7c31a2540b2f54fcdfb9298d8346a4ad3be7e684ef946f57a5
Latrodectus
c39abdca1a31b20fe06969a36102c784df7f63847ec930dfaf8c4bd97b4558bf
Latrodectus
c3f8ebc9cfb7ebe1ebbe3a4210753b271fecf73392fef98519b823a3e7c056c7
Latrodectus
error
Latrodectus
+ 263 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery persistence privilege_escalation
Link:
https://tria.ge/reports/241203-t78nwsyrej/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Enumerates connected drives
Blocklisted process makes network request
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c6f2c768-0d54-4971-b19d-4e70fb4bcc81
Malware family:
Latrodectus
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/658b8c47d719/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/658b8c47d7193c7c31a2540b2f54fcdfb9298d8346a4ad3be7e684ef946f57a5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_LATAM_MSI_Banker
Create hunting rule
Rule name:RansomPyShield_Antiransomware
Create hunting rule
Author:XiAnzheng
Description:Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)
Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

209c3edfd32afe0e1e1e1c0f7014cc2b9085808ee846186f42145832c7a6b80b

Latrodectus

Microsoft Software Installer (MSI) msi 658b8c47d7193c7c31a2540b2f54fcdfb9298d8346a4ad3be7e684ef946f57a5

(this sample)

Latrodectus

Executable exe c3baf0446831b6968a30ea23647ac559ee62219f91daae5c1b0a9787f9c860b9

  
Link
https://tria.ge/241203-twvb5asrht/behavioral2
  
Dropped by
SHA256 209c3edfd32afe0e1e1e1c0f7014cc2b9085808ee846186f42145832c7a6b80b
  
Delivery method
Distributed via e-mail link
  
Dropping
SHA256 c3baf0446831b6968a30ea23647ac559ee62219f91daae5c1b0a9787f9c860b9
  
Dropping
MD5 2334a6aede2ad2a9004ecd96c872a910

Comments