MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93f7e95461c18aee7b56651069104710c76f9e3d6543a0b3248a21b236859d99. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Latrodectus


Vendor detections: 5


Intelligence 5 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 93f7e95461c18aee7b56651069104710c76f9e3d6543a0b3248a21b236859d99
SHA3-384 hash: 49df9a1689f13041154cddcc86f3d9f14c7a7baf071b2ee62660750dd12639b0e66f4ca0c08b586798050b819063ac8f
SHA1 hash: 9b1826525c063fbb7bf942fb8d7c9eeb12363e1c
MD5 hash: b6c851921b9805be8c8b9fd3b100035e
humanhash: butter-lamp-emma-mike
File name:Letter_q50_63b944998-11n0283407179-6803z4.js
Download: download sample
Signature Latrodectus
Create hunting rule
File size:864'467 bytes
First seen:2024-03-22 16:11:36 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 12288:FoCHz5t/b1PhODnPd/Zq5OrmzvdGJUEfu9SVxpipqPJn:Fp5fMDnP9ocrmzVsUYudwPJn
TLSH T1E7055A60EB4501271E83579FAC6266D2FD3CC25193022228E99E439D1F875ECD3BDB6E
Reporter pr0xylife
Tags:js Latrodectus

Intelligence

File Origin
# of uploads :
1
# of downloads :
402
Origin country :
RU RU
Vendor Threat Intelligence
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm evasive net
Link:
https://www.filescan.io/uploads/65fdadd3d3f7c89305f890d6/reports/3177d4c3-172f-49c5-8492-6513e55c0e10/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/93f7e95461c18aee7b56651069104710c76f9e3d6543a0b3248a21b236859d99
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1414159
Signature
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Opens network shares
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1414159 Sample: Letter_q50_63b944998-11n028... Startdate: 22/03/2024 Architecture: WINDOWS Score: 76 47 titnovacrion.top 2->47 49 sokingscrosshotel.com 2->49 57 Machine Learning detection for dropped file 2->57 59 Sigma detected: WScript or CScript Dropper 2->59 61 Sigma detected: Script Initiated Connection to Non-Local Network 2->61 10 msiexec.exe 15 41 2->10         started        14 wscript.exe 1 6 2->14         started        17 rundll32.exe 2->17         started        signatures3 process4 dnsIp5 35 C:\Windows\Installer\MSI4A5E.tmp, PE32 10->35 dropped 37 C:\Windows\Installer\MSI4934.tmp, PE32 10->37 dropped 39 C:\Windows\Installer\MSI4913.tmp, PE32 10->39 dropped 41 3 other malicious files 10->41 dropped 65 Drops executables to the windows directory (C:\Windows) and starts them 10->65 67 Opens network shares 10->67 19 MSI4A5E.tmp 1 10->19         started        21 msiexec.exe 10->21         started        51 sokingscrosshotel.com 193.106.174.218, 49705, 49706, 49707 IQHOSTRU Russian Federation 14->51 69 System process connects to network (likely due to code injection or exploit) 14->69 71 Windows Scripting host queries suspicious COM object (likely to drop second stage) 14->71 73 Creates processes via WMI 14->73 23 msiexec.exe 14->23         started        file6 signatures7 process8 signatures9 26 rundll32.exe 19->26         started        63 Opens network shares 23->63 process10 process11 28 rundll32.exe 2 26->28         started        file12 43 C:\Users\user\AppData\...\Update_3feb3cd0.dll, PE32+ 28->43 dropped 45 :wtfbbq (copy), PE32+ 28->45 dropped 31 rundll32.exe 8 12 28->31         started        process13 dnsIp14 53 titnovacrion.top 104.21.95.46, 443, 49726 CLOUDFLARENETUS United States 31->53 55 System process connects to network (likely due to code injection or exploit) 31->55 signatures15
Score:
3%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/93f7e95461c18aee7b56651069104710c76f9e3d6543a0b3248a21b236859d99
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/93f7e95461c18aee7b56651069104710c76f9e3d6543a0b3248a21b236859d99/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sp36svdbygfo462wmuigsechcddw7hr5mvb2bmzeriq3enuftwmq._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/240322-tng2tsfh4t/
Behaviour
Runs net.exe
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.19
Link:
https://yomi.yoroi.company/submissions/93f7e95461c18aee7b56651069104710c76f9e3d6543a0b3248a21b236859d99

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ClamAV_Emotet_String_Aggregate
Create hunting rule
Rule name:Latrodectus
Create hunting rule
Author:enzok
Description:Latrodectus Payload
Rule name:unknown_dropper
Create hunting rule
Author:#evilcel3ri
Description:Detects an unknown dropper
Rule name:Warp
Create hunting rule
Author:Seth Hardy
Description:Warp
Rule name:WarpStrings
Create hunting rule
Author:Seth Hardy
Description:Warp Identifying Strings
Rule name:win_unidentified_111_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.unidentified_111.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments