MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 71fb25cc4c05ce9dd94614ed781d85a50dccf69042521abc6782d48df85e6de9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Latrodectus


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 71fb25cc4c05ce9dd94614ed781d85a50dccf69042521abc6782d48df85e6de9
SHA3-384 hash: ad4d133930cc6debc16a8b4c115a40df61e479f3c69ddc77617e3caedcc8e506ad915af5fdff207ac64cdb101de50f86
SHA1 hash: f00b5a6bbd7f500c439bfa4e4dedc79850732597
MD5 hash: f9425561701935d358f4f5b7fc2e5502
humanhash: lima-cat-bakerloo-north
File name:cr2.dll
Download: download sample
Signature Latrodectus
Create hunting rule
File size:284'160 bytes
First seen:2024-03-22 16:13:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 47d4a091ebf17494135fa46c09daa2de (1 x Latrodectus)
ssdeep 6144:KM0zx6R28cDEFMn7a3Gd6RLKVd9ZylQy0AX0+K+UUMgTX1EWR:KMk6RBcD1n23GdfPP1w/LUUMgJ1
Threatray 34 similar samples on MalwareBazaar
TLSH T12054D149E3EA04AAEDB78570C8634749E672B41407309FAF0394A379EF2F7D05639B25
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter pr0xylife
Tags:exe Latrodectus

Intelligence

File Origin
# of uploads :
1
# of downloads :
489
Origin country :
RU RU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d83d5378f1bb37d1423207ad67f2f984f2d46ba9534194c344a051117c1e541f.msi
Verdict:
Malicious activity
Analysis date:
2024-03-22 16:12:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e091ec9a-3866-41e9-a069-5f817915c51e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Launching a process
Moving a file to the Program Files subdirectory
Replacing files
Sending an HTTP GET request
Forced system process termination
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/65fdae4a252b41fcbe867269/reports/3b3b135f-e2d1-44eb-bba1-c64f1161f2b9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/71fb25cc4c05ce9dd94614ed781d85a50dccf69042521abc6782d48df85e6de9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7c11db79-b08e-4afd-8c0f-3c3d19876916
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1414160
Signature
Deletes itself after installation
Machine Learning detection for dropped file
Machine Learning detection for sample
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1414160 Sample: cr2.dll.exe Startdate: 22/03/2024 Architecture: WINDOWS Score: 60 39 titnovacrion.top 2->39 43 Machine Learning detection for sample 2->43 45 Machine Learning detection for dropped file 2->45 9 loaddll64.exe 1 2->9         started        11 rundll32.exe 2->11         started        signatures3 process4 process5 13 rundll32.exe 2 9->13         started        17 cmd.exe 1 9->17         started        19 rundll32.exe 9->19         started        21 7 other processes 9->21 file6 37 C:\Users\user\AppData\...\Update_ae6071a5.dll, PE32+ 13->37 dropped 49 Deletes itself after installation 13->49 23 rundll32.exe 12 13->23         started        27 rundll32.exe 17->27         started        29 WerFault.exe 16 19->29         started        31 WerFault.exe 16 21->31         started        33 WerFault.exe 16 21->33         started        signatures7 process8 dnsIp9 41 titnovacrion.top 172.67.143.1, 443, 49752 CLOUDFLARENETUS United States 23->41 47 System process connects to network (likely due to code injection or exploit) 23->47 35 WerFault.exe 20 18 27->35         started        signatures10 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/71fb25cc4c05ce9dd94614ed781d85a50dccf69042521abc6782d48df85e6de9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/71fb25cc4c05ce9dd94614ed781d85a50dccf69042521abc6782d48df85e6de9/
Threat name:
Win64.Trojan.IcedID
Create hunting rule
Status:
Suspicious
First seen:
2024-03-22 16:12:07 UTC
File Type:
PE+ (Dll)
Extracted files:
1
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oh5sltcmaxhj3wkgctwxqhmfuug4z5uqijjbvpdhqlki36c6nxuq._file
Verdict:
malicious
Similar samples:
0d185ea3b0a49c2fa65bfd2757c9d0705657f0639fd36f196ac394fcd38c361d
Latrodectus
2374fd5d049c1b8f1b7fd3115f035e9f154b1f04e1cc276507930811fe349399
Latrodectus
31e6f3fa131b6591a420a8bf657c9a360287608974584db2892942aa2f53be89
Latrodectus
513e17579b0b155256d134940ea03d8ab7a0d1f71ebe188954e2450cdc6b7d99
Latrodectus
61925bfd71b4d2be670b0bd373b33645d6af062e5d41cb2b6f6c984acbd69de3
Latrodectus
71fb25cc4c05ce9dd94614ed781d85a50dccf69042521abc6782d48df85e6de9
Latrodectus
+ 24 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/240322-tpmnpsfh5v/
Behaviour
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
71fb25cc4c05ce9dd94614ed781d85a50dccf69042521abc6782d48df85e6de9
MD5 hash:
f9425561701935d358f4f5b7fc2e5502
SHA1 hash:
f00b5a6bbd7f500c439bfa4e4dedc79850732597
Link:
https://www.unpac.me/results/7002906b-2d6a-4c37-bcbb-29239addb2b7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/71fb25cc4c05ce9dd94614ed781d85a50dccf69042521abc6782d48df85e6de9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Latrodectus
Create hunting rule
Author:enzok
Description:Latrodectus Payload
Rule name:win_unidentified_111_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.unidentified_111.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
KERNEL32.dll::FindFirstFileA

Comments