MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f60c7e2cd7078584e1fb2eacd6270c314f1e23f76a4cd78c5d13eec215f0e41c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Latrodectus


Vendor detections: 10


Intelligence 10 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f60c7e2cd7078584e1fb2eacd6270c314f1e23f76a4cd78c5d13eec215f0e41c
SHA3-384 hash: e19b8b5f75b15059036282c04546a784689288e8c23841779e2b35ee6a7a460a8a5fe5f1f40d2428ea12aa73f4c8e8e3
SHA1 hash: 4d66580dade368ea823c2afc602ad3686c20d4d1
MD5 hash: c017277279dada1b9653bc6838019952
humanhash: lima-glucose-wisconsin-magazine
File name:vfs.msi
Download: download sample
Signature Latrodectus
Create hunting rule
File size:1'960'448 bytes
First seen:2024-09-12 19:45:57 UTC
Last seen:2024-09-17 14:54:29 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:QGN3YhW8zBQSc0ZnSKBZKumZr7ANpTdzZfVSlaMBOno:3YY0Zn3K/ANPzbSlaBno
Threatray 95 similar samples on MalwareBazaar
TLSH T11295E1227386C537C9AE01303A19D66B5579FDB74B3140DBA3C8292EAE744C1A639F93
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter k3dg3___
Tags:193-203-203-40 alpha Latrodectus msi

Intelligence

File Origin
# of uploads :
3
# of downloads :
100
Origin country :
US US
Vendor Threat Intelligence
Detection(s):
Win.Trojan.Latrodectus-10031447-0
Create hunting rule

Verdict:
Suspicious
Score:
50%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66e344ff751db35a8b9f87bc
Tags:
Exploit Generic Stealth
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug fingerprint lolbin peloader remote shell32 wix
Link:
https://www.filescan.io/uploads/66e3450033e6b7716c4cd4dd/reports/b47375ba-bfba-46b2-b250-1d2ec2de65ab/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/f60c7e2cd7078584e1fb2eacd6270c314f1e23f76a4cd78c5d13eec215f0e41c
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/f60c7e2cd7078584e1fb2eacd6270c314f1e23f76a4cd78c5d13eec215f0e41c
Result
Threat name:
Latrodectus
Create hunting rule
Detection:
malicious
Classification:
spre.bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1510408
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks if browser processes are running
Contains functionality to steal Internet Explorer form passwords
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Performs a network lookup / discovery via net view
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Yara detected Latrodectus
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1510408 Sample: vfs.msi Startdate: 12/09/2024 Architecture: WINDOWS Score: 100 70 wernugemar.com 2->70 72 opengameirar.com 2->72 74 3 other IPs or domains 2->74 80 Suricata IDS alerts for network traffic 2->80 82 Found malware configuration 2->82 84 Antivirus detection for URL or domain 2->84 86 4 other signatures 2->86 10 rundll32.exe 2 2->10         started        14 msiexec.exe 14 40 2->14         started        16 rundll32.exe 2->16         started        18 2 other processes 2->18 signatures3 process4 file5 58 C:\Users\user\AppData\...\Update_d0c962ed.dll, PE32+ 10->58 dropped 60 :wtfbbq (copy), PE32+ 10->60 dropped 96 Checks if browser processes are running 10->96 98 Contains functionality to steal Internet Explorer form passwords 10->98 20 rundll32.exe 22 10->20         started        62 C:\Windows\Installer\MSI50C0.tmp, PE32 14->62 dropped 64 C:\Windows\Installer\MSI4852.tmp, PE32 14->64 dropped 66 C:\Windows\Installer\MSI4822.tmp, PE32 14->66 dropped 68 3 other files (none is malicious) 14->68 dropped 100 Drops executables to the windows directory (C:\Windows) and starts them 14->100 24 msiexec.exe 14->24         started        26 MSI50C0.tmp 14->26         started        signatures6 process7 dnsIp8 76 wernugemar.com 104.21.41.75, 443, 52753, 52754 CLOUDFLARENETUS United States 20->76 78 opengameirar.com 188.114.96.3, 443, 52748, 52749 CLOUDFLARENETUS European Union 20->78 88 System process connects to network (likely due to code injection or exploit) 20->88 90 Tries to steal Mail credentials (via file / registry access) 20->90 92 Tries to harvest and steal browser information (history, passwords, etc) 20->92 28 cmd.exe 1 20->28         started        31 cmd.exe 1 20->31         started        33 cmd.exe 1 20->33         started        35 3 other processes 20->35 signatures9 process10 signatures11 102 Uses ipconfig to lookup or modify the Windows network settings 28->102 104 Performs a network lookup / discovery via net view 28->104 37 conhost.exe 28->37         started        39 ipconfig.exe 1 28->39         started        41 systeminfo.exe 2 1 31->41         started        44 conhost.exe 31->44         started        46 conhost.exe 33->46         started        48 net.exe 1 33->48         started        50 conhost.exe 35->50         started        52 conhost.exe 35->52         started        54 4 other processes 35->54 process12 signatures13 94 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 41->94 56 WmiPrvSE.exe 41->56         started        process14
Score:
26%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/f60c7e2cd7078584e1fb2eacd6270c314f1e23f76a4cd78c5d13eec215f0e41c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f60c7e2cd7078584e1fb2eacd6270c314f1e23f76a4cd78c5d13eec215f0e41c/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6ygh4lgxa6cyjyp3f2wnmjymgfhr4i7xnjgnpdc5cpxmefpq4qoa._file
Verdict:
malicious
Similar samples:
156c0afc01a5e346b95ebdb60cea9b7046ad7a61199cd63d6ad0f4ae32a576ac
Latrodectus
2333dd858fc40899a1bff3fb39fbc0b4e65a864bfd4eb73c26b48aaddcca7061
Latrodectus
4e7ac0bdb516e983b3cab7f79850d8102d2bf4117bb343b68d0da73780cceb1a
Latrodectus
71a429fdbaa04f8eee80c05b123ba00635569801ca041fdc7c6ac41de8aa72d3
Latrodectus
8041a15e27c785f2adcce9e8c643f5cc619b52e50cd36ff043d13c4089ce1cad
Latrodectus
bb9203ca1305e47a2ec1443a640efcd5e2c7d11223184639729673579e12967e
Latrodectus
f60c7e2cd7078584e1fb2eacd6270c314f1e23f76a4cd78c5d13eec215f0e41c
Latrodectus
+ 85 additional samples on MalwareBazaar
Result
Malware family:
latrodectus
Create hunting rule
Score:
  10/10
Tags:
family:latrodectus discovery loader persistence privilege_escalation
Link:
https://tria.ge/reports/240912-ygy4zs1crp/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Enumerates connected drives
Detects Latrodectus
Latrodectus loader
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f47286f5-da94-41bf-a7bd-d710bc2e5576
Malware family:
Latrodectus
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f60c7e2cd707/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f60c7e2cd7078584e1fb2eacd6270c314f1e23f76a4cd78c5d13eec215f0e41c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_APT29_WINELOADER_Backdoor
Create hunting rule
Author:daniyyell
Description:Detects APT29's WINELOADER backdoor variant used in phishing campaigns, this rule also detect bad pdf,shtml,htm and vbs or maybe more depends
Reference:https://cloud.google.com/blog/topics/threat-intelligence/apt29-wineloader-german-political-parties
Rule name:Detect_LATAM_MSI_Banker
Create hunting rule
Rule name:Detect_Malicious_VBScript_Base64
Create hunting rule
Author:daniyyell
Description:Detects malicious VBScript patterns, including Base64 decoding, file operations, and PowerShell.
Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

b6b610a367e7a20eddac6170779df88fadd2c04d1c1185d3349b69bfefb99e8d

GuLoader

Java Script (JS) js 6ed4c0b2e67a048fea0163a19588d4cf3ae469b62cbf8536cb6c2a213cbfd56f

Latrodectus

Microsoft Software Installer (MSI) msi f60c7e2cd7078584e1fb2eacd6270c314f1e23f76a4cd78c5d13eec215f0e41c

(this sample)

Latrodectus

Executable exe 2333dd858fc40899a1bff3fb39fbc0b4e65a864bfd4eb73c26b48aaddcca7061

  
Dropped by
SHA256 6ed4c0b2e67a048fea0163a19588d4cf3ae469b62cbf8536cb6c2a213cbfd56f
  
Dropping
SHA256 2333dd858fc40899a1bff3fb39fbc0b4e65a864bfd4eb73c26b48aaddcca7061
  
Dropping
MD5 6dc0d350d735fd1acc8219cfa5d02b9b
  
Dropped by
MD5 49ed597d3e71dee0ced6c17c9ecc5ee9

Comments