latrodectus | f01b02a08c1953e7db9ce61207b121c6efbe986181ba0df1ec205b5909bd856c

General

Target

f01b02a08c1953e7db9ce61207b121c6efbe986181ba0df1ec205b5909bd856c.exe
Size

2.3MB
MD5

9fb83bee6ff97065c498f48fc094f848
SHA1

860112de5e833eb5fd9abaaf6db7c881c13220f8
SHA256

f01b02a08c1953e7db9ce61207b121c6efbe986181ba0df1ec205b5909bd856c
SHA512

103f87414802d1edd3d932626a370cd8b3e37666d541e7550257ffa5f5e6b0ce357f11dd14f13a5ff831d02da6a596d101682adf68855c1982093da03bdf8a96
SSDEEP

49152:YMLtHPldWW5afLAUCweyFI0ZBAFCGLcRe2xTIYLEs:j5aMUzRe2M

Score

10^/10

latrodectus loader

Malware Config

Extracted

Family

latrodectus

C2

https://pomaspoteraka.com/test/

https://finilamedima.com/test/

Signatures

Detects Latrodectus 7 IoCs

Detects Latrodectus v1.4.

resource	yara_rule
behavioral1/memory/2868-0-0x0000000000400000-0x0000000000416000-memory.dmp	family_latrodectus_1_4
behavioral1/memory/2868-1-0x0000000000400000-0x0000000000416000-memory.dmp	family_latrodectus_1_4
behavioral1/memory/2868-2-0x0000000000400000-0x0000000000416000-memory.dmp	family_latrodectus_1_4
behavioral1/memory/2868-8-0x0000000000400000-0x0000000000416000-memory.dmp	family_latrodectus_1_4
behavioral1/memory/2260-12-0x0000000001B40000-0x0000000001B56000-memory.dmp	family_latrodectus_1_4
behavioral1/memory/2260-10-0x0000000001B40000-0x0000000001B56000-memory.dmp	family_latrodectus_1_4
behavioral1/memory/2260-9-0x0000000001B40000-0x0000000001B56000-memory.dmp	family_latrodectus_1_4

Latrodectus family
latrodectus
Latrodectus loader
Latrodectus is a loader written in C++.
loader latrodectus

Deletes itself 1 IoCs

pid	Process
2868	f01b02a08c1953e7db9ce61207b121c6efbe986181ba0df1ec205b5909bd856c.exe

Executes dropped EXE 2 IoCs

pid	Process
2260	Update_a2e0b9cd.exe
2428	Update_a2e0b9cd.exe

Loads dropped DLL 1 IoCs

pid	Process
2868	f01b02a08c1953e7db9ce61207b121c6efbe986181ba0df1ec205b5909bd856c.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2868	f01b02a08c1953e7db9ce61207b121c6efbe986181ba0df1ec205b5909bd856c.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2260	2868	f01b02a08c1953e7db9ce61207b121c6efbe986181ba0df1ec205b5909bd856c.exe	28
PID 2868 wrote to memory of 2260	2868	f01b02a08c1953e7db9ce61207b121c6efbe986181ba0df1ec205b5909bd856c.exe	28
PID 2868 wrote to memory of 2260	2868	f01b02a08c1953e7db9ce61207b121c6efbe986181ba0df1ec205b5909bd856c.exe	28
PID 2388 wrote to memory of 2428	2388	taskeng.exe	32
PID 2388 wrote to memory of 2428	2388	taskeng.exe	32
PID 2388 wrote to memory of 2428	2388	taskeng.exe	32

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f01b02a08c1953e7db9ce61207b121c6efbe986181ba0df1ec205b5909bd856c.exe
"C:\Users\Admin\AppData\Local\Temp\f01b02a08c1953e7db9ce61207b121c6efbe986181ba0df1ec205b5909bd856c.exe"
1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Roaming\Custom_update\Update_a2e0b9cd.exe
  "C:\Users\Admin\AppData\Roaming\Custom_update\Update_a2e0b9cd.exe"
  2⤵
  - Executes dropped EXE
  PID:2260

C:\Windows\system32\taskeng.exe
taskeng.exe {15F6052B-60F0-46B1-82CE-53CF4346E9E1} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\AppData\Roaming\Custom_update\Update_a2e0b9cd.exe
  C:\Users\Admin\AppData\Roaming\Custom_update\Update_a2e0b9cd.exe
  2⤵
  - Executes dropped EXE
  PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Custom_update\Update_a2e0b9cd.exe

Filesize
2.3MB

MD5
9fb83bee6ff97065c498f48fc094f848

SHA1
860112de5e833eb5fd9abaaf6db7c881c13220f8

SHA256
f01b02a08c1953e7db9ce61207b121c6efbe986181ba0df1ec205b5909bd856c

SHA512
103f87414802d1edd3d932626a370cd8b3e37666d541e7550257ffa5f5e6b0ce357f11dd14f13a5ff831d02da6a596d101682adf68855c1982093da03bdf8a96

Download Submit
memory/2260-12-0x0000000001B40000-0x0000000001B56000-memory.dmp

Filesize
88KB

Download
memory/2260-10-0x0000000001B40000-0x0000000001B56000-memory.dmp

Filesize
88KB

Download
memory/2260-9-0x0000000001B40000-0x0000000001B56000-memory.dmp

Filesize
88KB

Download
memory/2868-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2868-1-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2868-2-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2868-8-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2868-6-0x0000000140000000-0x0000000140254000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing