MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de29ff5d531e11ec17eaa1abfb75c3cdf7c2e3e37bfbae61711aee41f20118b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Latrodectus


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: de29ff5d531e11ec17eaa1abfb75c3cdf7c2e3e37bfbae61711aee41f20118b0
SHA3-384 hash: b51075afeeaeb699dc9170f0dd8e27eacb6088e6845a11f1239d489bbff12d5772917e75dd0f9cb03327c93f4228041d
SHA1 hash: efa3704afcbd08977b2458e9cf5f05ae6da4fd9a
MD5 hash: aadb28cd58585f773265bd1e4fd584a6
humanhash: uncle-lemon-lion-november
File name:font.msi
Download: download sample
Signature Latrodectus
Create hunting rule
File size:1'859'584 bytes
First seen:2024-03-27 02:35:14 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:q6LvYpW8zBQSc0ZnSKeZKumZr7A0ybfpVENl14rrX:5YQ0ZncK/A0qfnEZ4P
Threatray 11 similar samples on MalwareBazaar
TLSH T1D185E1227386C537C96E01303A29D66B5579FCB74B3140D7A3C82D2EAE744C1A63AF97
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter 1ZRR4H
Tags:Latrodectus msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
127
Origin country :
CL CL
Vendor Threat Intelligence
Verdict:
No Threat
Threat level:
  2.5/10
Confidence:
100%
Tags:
CAB crypto fingerprint installer lolbin packed remote shell32
Link:
https://www.filescan.io/uploads/660386131c5277edcec159e0/reports/10c69f34-7dd0-47df-a687-f9c8d5dec3bb/overview
Verdict:
Suspicious
Link:
https://www.hybrid-analysis.com/sample/de29ff5d531e11ec17eaa1abfb75c3cdf7c2e3e37bfbae61711aee41f20118b0
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/de29ff5d531e11ec17eaa1abfb75c3cdf7c2e3e37bfbae61711aee41f20118b0
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Bazar Loader
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1416171
Signature
Drops executables to the windows directory (C:\Windows) and starts them
Multi AV Scanner detection for domain / URL
Performs a network lookup / discovery via net view
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Uses ipconfig to lookup or modify the Windows network settings
Yara detected Bazar Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1416171 Sample: font.msi Startdate: 27/03/2024 Architecture: WINDOWS Score: 80 78 titnovacrion.top 2->78 80 ganstaeraop.shop 2->80 86 Multi AV Scanner detection for domain / URL 2->86 88 Yara detected Bazar Loader 2->88 10 rundll32.exe 2 2->10         started        13 msiexec.exe 15 38 2->13         started        16 msiexec.exe 9 2->16         started        18 rundll32.exe 2->18         started        signatures3 process4 file5 60 C:\Users\user\AppData\...\Update_66b0a62b.dll, PE32+ 10->60 dropped 62 :wtfbbq (copy), PE32+ 10->62 dropped 20 rundll32.exe 13 10->20         started        64 C:\Windows\Installer\MSI837B.tmp, PE32 13->64 dropped 66 C:\Windows\Installer\MSI8270.tmp, PE32 13->66 dropped 68 C:\Windows\Installer\MSI81D2.tmp, PE32 13->68 dropped 70 C:\Users\user\AppData\Local\QUAL\utile.dll, PE32+ 13->70 dropped 94 Drops executables to the windows directory (C:\Windows) and starts them 13->94 24 MSI837B.tmp 13->24         started        26 msiexec.exe 13->26         started        28 msiexec.exe 13->28         started        72 C:\Users\user\AppData\Local\...\MSI7F47.tmp, PE32 16->72 dropped 74 C:\Users\user\AppData\Local\...\MSI7EF8.tmp, PE32 16->74 dropped 76 4 other files (none is malicious) 16->76 dropped signatures6 process7 dnsIp8 82 titnovacrion.top 172.67.143.1, 443, 49724, 49726 CLOUDFLARENETUS United States 20->82 84 ganstaeraop.shop 172.67.187.163, 443, 49729, 49730 CLOUDFLARENETUS United States 20->84 90 System process connects to network (likely due to code injection or exploit) 20->90 30 cmd.exe 1 20->30         started        33 cmd.exe 1 20->33         started        35 cmd.exe 1 20->35         started        37 3 other processes 20->37 signatures9 process10 signatures11 96 Uses ipconfig to lookup or modify the Windows network settings 30->96 98 Performs a network lookup / discovery via net view 30->98 39 conhost.exe 30->39         started        41 ipconfig.exe 1 30->41         started        43 systeminfo.exe 2 1 33->43         started        46 conhost.exe 33->46         started        48 conhost.exe 35->48         started        50 net.exe 1 35->50         started        52 conhost.exe 37->52         started        54 conhost.exe 37->54         started        56 4 other processes 37->56 process12 signatures13 92 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 43->92 58 WmiPrvSE.exe 43->58         started        process14
Score:
29%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/de29ff5d531e11ec17eaa1abfb75c3cdf7c2e3e37bfbae61711aee41f20118b0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/de29ff5d531e11ec17eaa1abfb75c3cdf7c2e3e37bfbae61711aee41f20118b0/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3yu76xktdyi6yf7kugv7w5odzx34fy7dpp524ylrdlxed4qbdcya._file
Verdict:
malicious
Similar samples:
513e17579b0b155256d134940ea03d8ab7a0d1f71ebe188954e2450cdc6b7d99
Latrodectus
5becad2dcfad4b96563b2cc9da05eec3a6511cb5f6f0072c967144ce6459cb29
Latrodectus
93f7e95461c18aee7b56651069104710c76f9e3d6543a0b3248a21b236859d99
Latrodectus
94b8ab735d503884585fdb5a735b3ea3485b6b19c1899939a5b2c0a80616400a
Latrodectus
d83d5378f1bb37d1423207ad67f2f984f2d46ba9534194c344a051117c1e541f
Latrodectus
de29ff5d531e11ec17eaa1abfb75c3cdf7c2e3e37bfbae61711aee41f20118b0
Latrodectus
+ 1 additional samples on MalwareBazaar
Result
Malware family:
latrodectus
Create hunting rule
Score:
  10/10
Tags:
family:latrodectus loader
Link:
https://tria.ge/reports/240327-c3kmtsdg8y/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Enumerates connected drives
Detect larodectus Loader variant 2
Latrodectus loader
Malware Config
C2 Extraction:
https://titnovacrion.top/live/
https://skinnyjeanso.com/live/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/de29ff5d531e11ec17eaa1abfb75c3cdf7c2e3e37bfbae61711aee41f20118b0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments