MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8041a15e27c785f2adcce9e8c643f5cc619b52e50cd36ff043d13c4089ce1cad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Latrodectus


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8041a15e27c785f2adcce9e8c643f5cc619b52e50cd36ff043d13c4089ce1cad
SHA3-384 hash: cb7aebfd7e8f1c2cf6de60067b5389562c721f764728b491549ff13ac1e29eed4c3b4f4018639e10a25f6f59ab4640b8
SHA1 hash: 35462114e096f4d307607d713136bfe38479870d
MD5 hash: 666151c11b7899a0c764abe711d3f9b3
humanhash: oven-tennis-august-blue
File name:ad.msi
Download: download sample
Signature Latrodectus
Create hunting rule
File size:1'619'456 bytes
First seen:2024-04-25 20:41:43 UTC
Last seen:2024-04-25 21:26:03 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:QZH3YuW8zBQSc0ZnSKmZKumZr7A2BQTBG:+Y90Zn0K/A2OF
TLSH T1CB75D0227386C537C96E01303A29D66B5579FDB74B3140CBA3C82D2E9EB45C16639FA3
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter pr0xylife
Tags:Latrodectus msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
111
Origin country :
CA CA
Vendor Threat Intelligence
Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug CAB crypto fingerprint installer lolbin packed remote shell32
Link:
https://www.filescan.io/uploads/662ac01cd2fc149e411e2f78/reports/ef41cac9-9278-4298-9f78-f26af8180ac7/overview
Verdict:
Suspicious
Link:
https://www.hybrid-analysis.com/sample/8041a15e27c785f2adcce9e8c643f5cc619b52e50cd36ff043d13c4089ce1cad
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/8041a15e27c785f2adcce9e8c643f5cc619b52e50cd36ff043d13c4089ce1cad
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Latrodectus
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1431884
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sleep reduction / modifications
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
PE file contains section with special chars
Sample uses string decryption to hide its real strings
System process connects to network (likely due to code injection or exploit)
Yara detected Latrodectus
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1431884 Sample: ad.msi Startdate: 25/04/2024 Architecture: WINDOWS Score: 88 47 jarinamaers.shop 2->47 51 Found malware configuration 2->51 53 Yara detected Latrodectus 2->53 55 Sample uses string decryption to hide its real strings 2->55 57 2 other signatures 2->57 7 rundll32.exe 2 2->7         started        11 msiexec.exe 15 38 2->11         started        13 msiexec.exe 9 2->13         started        15 rundll32.exe 2->15         started        signatures3 process4 file5 27 C:\Users\user\AppData\...\Update_71a2ec86.dll, PE32+ 7->27 dropped 29 :wtfbbq (copy), PE32+ 7->29 dropped 59 Contains functionality to compare user and computer (likely to detect sandboxes) 7->59 61 Contains functionality to detect sleep reduction / modifications 7->61 17 rundll32.exe 12 7->17         started        31 C:\Windows\Installer\MSIB6D3.tmp, PE32 11->31 dropped 33 C:\Windows\Installer\MSIB5A8.tmp, PE32 11->33 dropped 35 C:\Windows\Installer\MSIB539.tmp, PE32 11->35 dropped 37 C:\Users\user\AppData\Local\...\360total.dll, PE32+ 11->37 dropped 63 Drops executables to the windows directory (C:\Windows) and starts them 11->63 21 MSIB6D3.tmp 11->21         started        23 msiexec.exe 11->23         started        25 msiexec.exe 11->25         started        39 C:\Users\user\AppData\Local\...\MSIB29F.tmp, PE32 13->39 dropped 41 C:\Users\user\AppData\Local\...\MSIB25F.tmp, PE32 13->41 dropped 43 4 other files (none is malicious) 13->43 dropped signatures6 process7 dnsIp8 45 jarinamaers.shop 104.21.46.75, 443, 49723, 49724 CLOUDFLARENETUS United States 17->45 49 System process connects to network (likely due to code injection or exploit) 17->49 signatures9
Score:
3%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/8041a15e27c785f2adcce9e8c643f5cc619b52e50cd36ff043d13c4089ce1cad
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8041a15e27c785f2adcce9e8c643f5cc619b52e50cd36ff043d13c4089ce1cad/
Threat name:
Win64.Trojan.Latrodectus
Create hunting rule
Status:
Malicious
First seen:
2024-04-25 19:54:34 UTC
File Type:
Binary (Archive)
Extracted files:
38
AV detection:
11 of 38 (28.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qba2cxrhy6c7flom5hummq7vzrqzwuxfbtjw74cd2e6ebcoodswq._file
Verdict:
malicious
Result
Malware family:
latrodectus
Create hunting rule
Score:
  10/10
Tags:
family:latrodectus loader
Link:
https://tria.ge/reports/240425-zgz7qaee68/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Enumerates connected drives
Detect larodectus Loader variant 2
Latrodectus loader
Malware Config
C2 Extraction:
https://jarinamaers.shop/live/
https://wrankaget.site/live/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8041a15e27c785f2adcce9e8c643f5cc619b52e50cd36ff043d13c4089ce1cad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Latrodectus

Microsoft Software Installer (MSI) msi 8041a15e27c785f2adcce9e8c643f5cc619b52e50cd36ff043d13c4089ce1cad

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2827165/
  
Delivery method
Distributed via web download

Comments