latrodectus | aee22a35cbdac3f16c3ed742c0b1bfe9739a13469cf43b36fb2c63565111028c

Resubmissions

05-04-2024 15:16

240405-snretsfh64 10

13-03-2024 17:07

240313-vm19raad8v 8

Analysis

max time kernel
299s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
submitted
13-03-2024 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

falcon.dll
Size

694KB
MD5

da8ae8e1de522b20a462239c6893613e
SHA1

7f65ef885815d81d220f9f42877ff0d696b0134c
SHA256

aee22a35cbdac3f16c3ed742c0b1bfe9739a13469cf43b36fb2c63565111028c
SHA512

d2dca9ba9272a0bdfa88f7520545e21a1f4d18dcacec36b072369cee8e28ba635a0214b47caef74b6f7fcd06e120d898da997e71c8955c72510972c66d2a855d
SSDEEP

12288:tBx7p/GvTjNe0Za4+Lpf6DdeFvSMX/ekiBvu7FYgN96:tBx7FGvvNea+tSDoFvB/edBB

Score

10^/10

latrodectus loader

Malware Config

Extracted

Family

latrodectus

https://aytobusesre.com/live/

https://scifimond.com/live/

Signatures

Latrodectus family
latrodectus
Latrodectus loader
Latrodectus is a loader written in C++.
loader latrodectus

Detect larodectus Loader variant 2 4 IoCs

loader

resource	yara_rule
behavioral1/memory/228-0-0x00000248D9000000-0x00000248D9014000-memory.dmp	family_latrodectus_v2
behavioral1/memory/228-5-0x00000248D9000000-0x00000248D9014000-memory.dmp	family_latrodectus_v2
behavioral1/memory/2780-6-0x00000216D76E0000-0x00000216D76F4000-memory.dmp	family_latrodectus_v2
behavioral1/memory/2780-7-0x00000216D76E0000-0x00000216D76F4000-memory.dmp	family_latrodectus_v2

Blocklisted process makes network request 64 IoCs

flow	pid	Process
267	2780	rundll32.exe
270	2780	rundll32.exe
273	2780	rundll32.exe
274	2780	rundll32.exe
278	2780	rundll32.exe
280	2780	rundll32.exe
282	2780	rundll32.exe
283	2780	rundll32.exe
285	2780	rundll32.exe
287	2780	rundll32.exe
288	2780	rundll32.exe
290	2780	rundll32.exe
291	2780	rundll32.exe
292	2780	rundll32.exe
295	2780	rundll32.exe
296	2780	rundll32.exe
298	2780	rundll32.exe
300	2780	rundll32.exe
301	2780	rundll32.exe
303	2780	rundll32.exe
304	2780	rundll32.exe
305	2780	rundll32.exe
306	2780	rundll32.exe
309	2780	rundll32.exe
310	2780	rundll32.exe
312	2780	rundll32.exe
313	2780	rundll32.exe
314	2780	rundll32.exe
315	2780	rundll32.exe
317	2780	rundll32.exe
319	2780	rundll32.exe
320	2780	rundll32.exe
321	2780	rundll32.exe
322	2780	rundll32.exe
323	2780	rundll32.exe
324	2780	rundll32.exe
325	2780	rundll32.exe
326	2780	rundll32.exe
327	2780	rundll32.exe
328	2780	rundll32.exe
329	2780	rundll32.exe
331	2780	rundll32.exe
332	2780	rundll32.exe
334	2780	rundll32.exe
336	2780	rundll32.exe
338	2780	rundll32.exe
339	2780	rundll32.exe
340	2780	rundll32.exe
341	2780	rundll32.exe
342	2780	rundll32.exe
343	2780	rundll32.exe
347	2780	rundll32.exe
348	2780	rundll32.exe
350	2780	rundll32.exe
352	2780	rundll32.exe
353	2780	rundll32.exe
355	2780	rundll32.exe
356	2780	rundll32.exe
357	2780	rundll32.exe
358	2780	rundll32.exe
360	2780	rundll32.exe
363	2780	rundll32.exe
364	2780	rundll32.exe
365	2780	rundll32.exe

Deletes itself 1 IoCs

pid	Process
228	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
2780	rundll32.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
228	rundll32.exe
228	rundll32.exe
228	rundll32.exe
228	rundll32.exe
2780	rundll32.exe
2780	rundll32.exe
2780	rundll32.exe
2780	rundll32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
228	rundll32.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 2780	228	rundll32.exe	88
PID 228 wrote to memory of 2780	228	rundll32.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\falcon.dll, vgml
1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:228
- C:\Windows\system32\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_9729806f.dll", vgml
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Custom_update\Update_9729806f.dll

Filesize
694KB

MD5
da8ae8e1de522b20a462239c6893613e

SHA1
7f65ef885815d81d220f9f42877ff0d696b0134c

SHA256
aee22a35cbdac3f16c3ed742c0b1bfe9739a13469cf43b36fb2c63565111028c

SHA512
d2dca9ba9272a0bdfa88f7520545e21a1f4d18dcacec36b072369cee8e28ba635a0214b47caef74b6f7fcd06e120d898da997e71c8955c72510972c66d2a855d

Download Submit
memory/228-0-0x00000248D9000000-0x00000248D9014000-memory.dmp

Filesize
80KB

Download
memory/228-5-0x00000248D9000000-0x00000248D9014000-memory.dmp

Filesize
80KB

Download
memory/228-2-0x0000000180000000-0x00000001800B5000-memory.dmp

Filesize
724KB

Download
memory/2780-6-0x00000216D76E0000-0x00000216D76F4000-memory.dmp

Filesize
80KB

Download
memory/2780-7-0x00000216D76E0000-0x00000216D76F4000-memory.dmp

Filesize
80KB

Download