MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 71a429fdbaa04f8eee80c05b123ba00635569801ca041fdc7c6ac41de8aa72d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Latrodectus

Vendor detections: 10

SHA256 hash: 71a429fdbaa04f8eee80c05b123ba00635569801ca041fdc7c6ac41de8aa72d3
SHA3-384 hash: 5866d459c0b24e94fee06fb2b39642c7e073cbc767dab0df32cc5f81d49cbc7c9e52e6df65103a4338fd794a12ebf9c3
SHA1 hash: 00303f1b540e92a79488fd9b603c5e987cee3734
MD5 hash: b5c04c9ce0a3da2e16e97632e13b5e28
humanhash: ten-lion-winter-connecticut
File name: Document_a51_19i793302-14b09981a5569-3684u8.js
Signature: Latrodectus
File size: 477'833 bytes
First seen: 2024-04-26 21:12:54 UTC
Last seen: Never
File type: Java Script (JS) js
MIME type: text/plain
ssdeep: 6144:ertlgAdYLGKbxpEZE87yi6GtyAjI1p7ZJpO4S+gh0fNUNGndjIz5dYYku+JTiFye:ElCaExOSFky6+gO1/ne5dY/W6ItoepF
TLSH: T1D2A46C60EE4101661E83679F9C6226D2FD3CC15183021268E99E93AD1F875DCD37DBAF
Reporter: pr0xylife
Tags: js Latrodectus

Intelligence


File Origin
# of uploads: 1
# of downloads: 331
Origin country: NL

Vendor Threat Intelligence
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: evasive lolbin remote shell32
Result
Verdict: MALICIOUS
Details: Base64 Encoded URL (detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix)

Result
Threat name: Latrodectus
Detection: malicious
Classification: spre.troj.spyw.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sleep reduction / modifications
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs a network lookup / discovery via net view
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample has a suspicious name (potential lure to open the executable)
Sample uses string decryption to hide its real strings
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Uses net.exe to modify the status of services
Yara detected Latrodectus
Behaviour
Behavior Graph (ID 1432364; the rendered graph image is not reproduced here, its nodes and edges are listed below)
Sample: Document_a51_19i793302-14b0... | Start date: 26/04/2024 | Architecture: WINDOWS | Score: 100
Contacted domains (top level): pewwhranet.com, jarinamaers.shop, grizmotras.com
Top-level signatures: Found malware configuration; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 5 other signatures
Process tree:
  msiexec.exe
    Network: 146.19.106.236 (49732, 80; FITC-ASUS, France)
    Dropped: C:\Windows\Installer\MSIFFD6.tmp (PE32), C:\Windows\Installer\MSIC4.tmp (PE32), C:\Windows\Installer\MSIA3.tmp (PE32), 3 other malicious files
    Signature: Drops executables to the windows directory (C:\Windows) and starts them
    MSI181.tmp
      rundll32.exe
        rundll32.exe
          Dropped: C:\Users\user\AppData\...\Update_cd47bedf.dll (PE32+), :wtfbbq (copy) (PE32+)
          Signatures: Contains functionality to compare user and computer (likely to detect sandboxes); Contains functionality to detect sleep reduction / modifications
          rundll32.exe
            Network: jarinamaers.shop 104.21.46.75 (443, 49760, 49761; CLOUDFLARENETUS, United States); pewwhranet.com 172.67.197.34 (443, 49800, 49803; CLOUDFLARENETUS, United States); grizmotras.com 172.67.219.28 (443, 49765, 49767; CLOUDFLARENETUS, United States)
            Signatures: System process connects to network (likely due to code injection or exploit); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
            cmd.exe
              Signatures: Uses net.exe to modify the status of services; Uses ipconfig to lookup or modify the Windows network settings; Performs a network lookup / discovery via net view
              conhost.exe
              ipconfig.exe
            cmd.exe
              systeminfo.exe
                Signature: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                WmiPrvSE.exe
              conhost.exe
            cmd.exe
              2 other processes
            8 other processes
              net.exe
                net1.exe
              net.exe
                net1.exe
              conhost.exe
              11 other processes
    msiexec.exe
  chrome.exe
    Network: 192.168.2.13, 192.168.2.14, 4 other IPs or domains
    chrome.exe
      Network: www.google.com 142.250.217.228 (443, 49736, 49737; GOOGLEUS, United States)
  chrome.exe
    chrome.exe
  2 other processes
Threat name: Script-JS.Trojan.Cryxos
Status: Malicious
First seen: 2024-04-26 21:13:05 UTC
File Type: Text (Batch)
AV detection: 7 of 38 (18.42%)
Threat level: 5/5
Result
Malware family: latrodectus
Score: 10/10
Tags: family:latrodectus loader
Behaviour
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Drops file in Windows directory
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Detect larodectus Loader variant 2
Latrodectus loader
Malware Config
C2 Extraction:
https://jarinamaers.shop/live/
https://startmast.shop/live/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Latrodectus
Author: enzok
Description: Latrodectus Payload

Rule name: unknown_dropper
Author: #evilcel3ri
Description: Detects an unknown dropper

Rule name: Warp
Author: Seth Hardy
Description: Warp

Rule name: WarpStrings
Author: Seth Hardy
Description: Warp Identifying Strings

Rule name: win_unidentified_111_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.unidentified_111.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
