MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85f8ccf69bed672d92b40c45f9571378a7d00c80b86004a76018d9e120eeaa01. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Latrodectus

Vendor detections: 11

Intelligence 11 IOCs YARA 14 File information Comments

SHA256 hash:	85f8ccf69bed672d92b40c45f9571378a7d00c80b86004a76018d9e120eeaa01
SHA3-384 hash:	a912a4e2d66e83a10128a644a950667999e9590ab7e9dc984e0f691410f8f85e6ca0fccdcc630380ff036b8df9ae93c5
SHA1 hash:	7dc09a0716af7b39917ac0e772cf943888b8927b
MD5 hash:	330871792be237fb02d23114ae9be52e
humanhash:	lithium-oxygen-magnesium-charlie
File name:	330871792be237fb02d23114ae9be52e.exe
Download:	download sample
Signature	Latrodectus Create hunting rule
File size:	7'957'504 bytes
First seen:	2025-06-01 07:28:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9f4f6bebc128afddef95b3428263f352 (3 x Latrodectus)
ssdeep	98304:tQ5Nt5st7KZzD6NAWPIn2+z6/BiBDdAfoD+0AD:iNYt7KZD6NAmkTzeaDIoDiD
TLSH	T1D586AEAAA6BC00D9D46BC1BCC69A6217E775B41513B057CF1AA486FA1F23BD11F7E300
TrID	48.7% (.EXE) Win64 Executable (generic) (10522/11/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	abuse_ch
Tags:	exe Latrodectus

Intelligence

File Origin

# of uploads :

# of downloads :

501

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

330871792be237fb02d23114ae9be52e.exe

Verdict:

No threats detected

Analysis date:

2025-06-01 07:33:17 UTC

Tags:

discord evasion ip-check

Link:

https://app.any.run/tasks/94201ea2-029c-4245-aaf7-d64d82a0a765

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/6653/

Detection(s):

SecuriteInfo.com.Variant.Lazy.611824.20226.22903.UNOFFICIAL

ditekSHen.INDICATOR.Packed.TriumphLoader.UNOFFICIAL

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=683c02dfacf88f5815ea71d2

Tags:

packed virus

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context base64 crypto fingerprint microsoft_visual_cc

Link:

https://www.filescan.io/uploads/683c0139171e01f959329966/reports/9d68457a-0843-4d06-85fa-c101147ec3d2/overview

Verdict:

Malicious

Labled as:

Lazy.Generic

Link:

https://www.hybrid-analysis.com/sample/85f8ccf69bed672d92b40c45f9571378a7d00c80b86004a76018d9e120eeaa01

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/a3d5cf08-3892-438b-9cf7-1c9920d85fb6

Result

Threat name:

n/a

Detection:

malicious

Classification:

spyw.evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/1703253

Signature

Infostealer behavior detected

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Potentially malicious time measurement code found

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/85f8ccf69bed672d92b40c45f9571378a7d00c80b86004a76018d9e120eeaa01

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/85f8ccf69bed672d92b40c45f9571378a7d00c80b86004a76018d9e120eeaa01/

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2025-05-24 07:02:17 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

12 of 38 (31.58%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qx4mz5u35vts3evubrc7svytpct5adeaxbqajj3addm6cihoviaq._file

Result

Malware family:

latrodectus

Score:

10/10

Tags:

family:latrodectus

Link:

https://tria.ge/reports/250601-ja5wmavtft/

Behaviour

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Verdict:

Suspicious

Tags:

external_ip_lookup

YARA:

n/a

Link:

https://app.threat.zone/submission/7931ace0-f706-4fcd-bfc8-945b6d2000cc

Unpacked files

SH256 hash:

85f8ccf69bed672d92b40c45f9571378a7d00c80b86004a76018d9e120eeaa01

MD5 hash:

330871792be237fb02d23114ae9be52e

SHA1 hash:

7dc09a0716af7b39917ac0e772cf943888b8927b

Link:

https://www.unpac.me/results/1429300e-327e-4788-9990-5eb6e27acd91/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/85f8ccf69bed/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/85f8ccf69bed672d92b40c45f9571378a7d00c80b86004a76018d9e120eeaa01

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BLOWFISH_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for Blowfish constants

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	dsc Create hunting rule
Author:	Aaron DeVera
Description:	Discord domains

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	upxHook Create hunting rule
Author:	@r3dbU7z
Description:	Detect artifacts from 'upxHook' - modification of UPX packer
Reference:	https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

Rule name:	WHIRLPOOL_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/6653/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample