MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2170f7dc2f97434ef4514ed4272dc8792177038a085f248ba33f9259720afda. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Latrodectus

Vendor detections: 11

SHA256 hash: f2170f7dc2f97434ef4514ed4272dc8792177038a085f248ba33f9259720afda
SHA3-384 hash: 56b7d553553deace44b2b0eefddf159629c8c38289141645e55203fa130fc02099b748e84c1e38a0198eb8c1a75cd44a
SHA1 hash: 13b14fb516fa726cc5fa9af17a2f93ff49449830
MD5 hash: 50bd4ff60c931861e46c801a60f9e916
humanhash: vermont-east-gee-nebraska
File name: wait.dll
Signature: Latrodectus
File size: 2'151'936 bytes
First seen: 2024-12-02 17:41:19 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 151a05f8c4e108b7847025bc50b7e6b7 (1 x Latrodectus)
ssdeep: 24576:JgWryG1z2cMbUhtEx+GRy1tWfxFDIHS4KGwt6nbmBdve1/JznfTWj+bXD:So0lolWfxeHlBwt6n+d21V7Wj+DD
Threatray: 3 similar samples on MalwareBazaar
TLSH: T1E8A58D297A9885B4D1FAC238C5678A4BF7B278168B31E3CF1256058E1F37BE1453F621
TrID:
  72.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
  13.2% (.EXE) Win64 Executable (generic) (10522/11/4)
  6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
  2.5% (.EXE) OS/2 Executable (generic) (2029/13)
  2.5% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
Reporter: k3dg3___
Tags: exe Latrodectus TA578

Intelligence

File Origin
# of uploads: 1
# of downloads: 430
Origin country: US

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: zdi.txt
Verdict: No threats detected
Analysis date: 2024-12-02 17:40:20 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 97.4%
Tags: ransomware shellcode dropper

Result
Verdict: Clean

Maliciousness:
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug crypto fingerprint hacktool lolbin masquerade microsoft_visual_cc packed packed packer_detected remote rundll32

Result
Threat name: BruteRatel, Latrodectus
Detection: malicious
Classification: spre.bank.troj.spyw.evad
Score: 100 / 100
Signature:
  AI detected suspicious sample
  Allocates memory in foreign processes
  Antivirus detection for URL or domain
  C2 URLs / IPs found in malware configuration
  Checks if browser processes are running
  Contains functionality to inject threads in other processes
  Contains functionality to steal Internet Explorer form passwords
  Creates a thread in another existing process (thread injection)
  Found malware configuration
  Injects a PE file into a foreign processes
  Injects code into the Windows Explorer (explorer.exe)
  Modifies the context of a thread in another process (thread injection)
  Performs a network lookup / discovery via net view
  Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
  Sample uses string decryption to hide its real strings
  Sets debug register (to hijack the execution of another thread)
  Sigma detected: RunDLL32 Spawning Explorer
  Suricata IDS alerts for network traffic
  System process connects to network (likely due to code injection or exploit)
  Tries to harvest and steal browser information (history, passwords, etc)
  Uses ipconfig to lookup or modify the Windows network settings
  Uses net.exe to modify the status of services
  Uses whoami command line tool to query computer and username
  Writes to foreign memory regions
  Yara detected BruteRatel
  Yara detected Latrodectus
Behaviour

Behavior Graph ID: 1566852
Sample: wait.dll.exe
Start date: 02/12/2024
Architecture: WINDOWS
Score: 100

Process tree (rebuilt from the flattened behavior graph; numbers in brackets are the graph's own node ids):

wait.dll.exe (start)
  Network: vutarf.com; reateberam.com; 3 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 6 other signatures
  loaddll64.exe [11] (started)
    rundll32.exe [13] (started)
      Network: vutarf.com 94.232.43.224, 49713, 49740, 49761 (WELLWEBNL, Russian Federation)
      Signatures: Contains functionality to inject threads in other processes; Injects code into the Windows Explorer (explorer.exe); Sets debug register (to hijack the execution of another thread); 3 other signatures
      explorer.exe [23] (injected)
        Network: dogirafer.com 104.21.68.89, 443, 49972, 49980 (CLOUDFLARENETUS, United States); reateberam.com 172.67.217.190, 443, 49907, 49916 (CLOUDFLARENETUS, United States)
        Signatures: System process connects to network (likely due to code injection or exploit); Checks if browser processes are running; Contains functionality to steal Internet Explorer form passwords; Tries to harvest and steal browser information (history, passwords, etc)
        cmd.exe [29] (started)
          systeminfo.exe [38] (started)
            Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
            WmiPrvSE.exe [57] (started)
          conhost.exe [41] (started)
        cmd.exe [31] (started)
          Signatures: Performs a network lookup / discovery via net view
          conhost.exe [43] (started)
          net.exe [45] (started)
        cmd.exe [34] (started)
          2 other processes [53]
        8 other processes [36]
          Signatures: Uses whoami command line tool to query computer and username
          net.exe [47] (started)
            net1.exe [59] (started)
          net.exe [49] (started)
            net1.exe [61] (started)
          conhost.exe [51] (started)
          13 other processes [55]
    cmd.exe [17] (started)
      Signatures: Uses net.exe to modify the status of services; Uses ipconfig to lookup or modify the Windows network settings; Uses whoami command line tool to query computer and username; Performs a network lookup / discovery via net view
      rundll32.exe [27] (started)
        Network: huanvn.com 103.57.249.207, 49704, 49705, 49706 (SITINETWORS-IN-APSITINETWORKSLIMITEDIN, India)
        Signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Allocates memory in foreign processes; 3 other signatures
    rundll32.exe [19] (started)
      Signatures: System process connects to network (likely due to code injection or exploit); Writes to foreign memory regions; Allocates memory in foreign processes
    conhost.exe [21] (started)
Threat name: Win64.Backdoor.Brutel
Status: Malicious
First seen: 2024-12-02 17:38:05 UTC
File Type: PE+ (Dll)
Extracted files: 4
AV detection: 17 of 38 (44.74%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour:
  Modifies system certificate store
  Suspicious behavior: EnumeratesProcesses
  Blocklisted process makes network request

Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: f2170f7dc2f97434ef4514ed4272dc8792177038a085f248ba33f9259720afda
MD5 hash: 50bd4ff60c931861e46c801a60f9e916
SHA1 hash: 13b14fb516fa726cc5fa9af17a2f93ff49449830
Malware family: Latrodectus
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: pe_detect_tls_callbacks

Rule name: RansomPyShield_Antiransomware
Author: XiAnzheng
Description: Check for Suspicious String and Import combination that Ransomware mostly abuse (can create FP)

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via e-mail link

BLint

The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                         Title                                                   Severity
CHECK_AUTHENTICODE         Missing Authenticode                                    high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (FORCE_INTEGRITY)  high

Reviews (ID, capability, and the imported functions cited as evidence)

AUTH_API (Manipulates User Authorization):
  ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
  ADVAPI32.dll::InitializeSecurityDescriptor
COM_BASE_API (Can Download & Execute components):
  ole32.dll::CoAddRefServerProcess
  ole32.dll::CoCreateInstanceEx
  ole32.dll::CoCreateInstance
  ole32.dll::CoInitializeSecurity
RPC_API (Can Execute Remote Procedures):
  RPCRT4.dll::RpcImpersonateClient
  RPCRT4.dll::RpcRevertToSelfEx
SECURITY_BASE_API (Uses Security Base API):
  ADVAPI32.dll::GetTokenInformation
  ADVAPI32.dll::SetSecurityDescriptorDacl
SS_API (Uses SS API):
  bcrypt.dll::BCryptVerifySignature
WIN32_PROCESS_API (Can Create Process and Threads):
  ADVAPI32.dll::CreateProcessAsUserW
  ADVAPI32.dll::OpenThreadToken
  KERNEL32.dll::VirtualAllocExNuma
  KERNEL32.dll::CloseHandle
  KERNEL32.dll::CreateThread
WIN_BASE_API (Uses Win Base API):
  KERNEL32.dll::TerminateProcess
  KERNEL32.dll::LoadLibraryExW
  KERNEL32.dll::LoadLibraryW
  KERNEL32.dll::LoadLibraryExA
  KERNEL32.dll::GetSystemInfo
  KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_API (Can Execute other programs):
  KERNEL32.dll::WriteConsoleW
  KERNEL32.dll::ReadConsoleW
  KERNEL32.dll::SetStdHandle
  KERNEL32.dll::GetConsoleMode
  KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_API (Can Create Files):
  KERNEL32.dll::CreateDirectoryW
  KERNEL32.dll::CreateFileW
  KERNEL32.dll::DeleteFileW
  KERNEL32.dll::MoveFileExW
  KERNEL32.dll::GetSystemDirectoryW
  KERNEL32.dll::GetFileAttributesW
WIN_BCRYPT_API (Can Encrypt Files):
  bcrypt.dll::BCryptCreateHash
  bcrypt.dll::BCryptDecrypt
  bcrypt.dll::BCryptDestroyHash
  bcrypt.dll::BCryptDestroyKey
  bcrypt.dll::BCryptEncrypt
  bcrypt.dll::BCryptExportKey
WIN_CRYPT_API (Uses Windows Crypt API):
  CRYPT32.dll::CryptDecodeObjectEx
  bcrypt.dll::BCryptGenRandom
  bcrypt.dll::BCryptHashData
  bcrypt.dll::BCryptImportKeyPair
  CRYPT32.dll::CryptImportPublicKeyInfoEx2
WIN_REG_API (Can Manipulate Windows Registry):
  ADVAPI32.dll::RegCreateKeyExW
  ADVAPI32.dll::RegDeleteKeyW
  ADVAPI32.dll::RegNotifyChangeKeyValue
  ADVAPI32.dll::RegOpenKeyExW
  ADVAPI32.dll::RegQueryInfoKeyW
  ADVAPI32.dll::RegQueryValueExW
WIN_SOCK_API (Uses Network to send and receive data):
  WS2_32.dll::freeaddrinfo
  WS2_32.dll::getaddrinfo
  WS2_32.dll::WSAPoll

Comments