latrodectus | 877925b41dad686c247e309ae0059db79ecf44185ae52ceeb20bfef6d73689fa

General

Target

877925b41dad686c247e309ae0059db79ecf44185ae52ceeb20bfef6d73689fa.exe
Size

3.5MB
MD5

e0768a6da09a16c08b60ffbfa874a2a5
SHA1

8b2db9fafb8069486d01943847ece90d49cf8fc2
SHA256

877925b41dad686c247e309ae0059db79ecf44185ae52ceeb20bfef6d73689fa
SHA512

5daef2dd43e288fda8dfa88ada672ff5baf155058fecda1fb13e60f2d39cde70a99fae4064ec16e3783f663a93b84b3fdb2a7dcf20809a16794c17b0ab0509d9
SSDEEP

49152:nAil1zLyAEOAvKtNFZhMo3UAHe8SGz8OYKSgFVDzOWTniN+GQeCUYdCRGkSCLcnq:n9MAgcjZhmKLnzdr8CUycSCLcnq

Score

10^/10

latrodectus loader

Malware Config

Extracted

Family

latrodectus

Version

1.4

C2

https://torifalemarta.com/test/

Attributes

group
Epsilon
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)

aes.hex

Signatures

Detects Latrodectus 6 IoCs

Detects Latrodectus v1.4.

resource	yara_rule
behavioral1/memory/2568-0-0x0000000001B40000-0x0000000001B56000-memory.dmp	family_latrodectus_1_4
behavioral1/memory/2568-1-0x0000000001B40000-0x0000000001B56000-memory.dmp	family_latrodectus_1_4
behavioral1/memory/2568-2-0x0000000001B40000-0x0000000001B56000-memory.dmp	family_latrodectus_1_4
behavioral1/memory/2568-8-0x0000000001B40000-0x0000000001B56000-memory.dmp	family_latrodectus_1_4
behavioral1/memory/2588-9-0x0000000001B50000-0x0000000001B66000-memory.dmp	family_latrodectus_1_4
behavioral1/memory/2588-11-0x0000000001B50000-0x0000000001B66000-memory.dmp	family_latrodectus_1_4

Latrodectus family
latrodectus
Latrodectus loader
Latrodectus is a loader written in C++.
loader latrodectus

Deletes itself 1 IoCs

pid	Process
2568	877925b41dad686c247e309ae0059db79ecf44185ae52ceeb20bfef6d73689fa.exe

Executes dropped EXE 1 IoCs

pid	Process
2588	Update_c5c72e0b.exe

Loads dropped DLL 1 IoCs

pid	Process
2568	877925b41dad686c247e309ae0059db79ecf44185ae52ceeb20bfef6d73689fa.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2568	877925b41dad686c247e309ae0059db79ecf44185ae52ceeb20bfef6d73689fa.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2588	2568	877925b41dad686c247e309ae0059db79ecf44185ae52ceeb20bfef6d73689fa.exe	30
PID 2568 wrote to memory of 2588	2568	877925b41dad686c247e309ae0059db79ecf44185ae52ceeb20bfef6d73689fa.exe	30
PID 2568 wrote to memory of 2588	2568	877925b41dad686c247e309ae0059db79ecf44185ae52ceeb20bfef6d73689fa.exe	30

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\877925b41dad686c247e309ae0059db79ecf44185ae52ceeb20bfef6d73689fa.exe
"C:\Users\Admin\AppData\Local\Temp\877925b41dad686c247e309ae0059db79ecf44185ae52ceeb20bfef6d73689fa.exe"
1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Users\Admin\AppData\Roaming\Custom_update\Update_c5c72e0b.exe
  "C:\Users\Admin\AppData\Roaming\Custom_update\Update_c5c72e0b.exe"
  2⤵
  - Executes dropped EXE
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Custom_update\Update_c5c72e0b.exe

Filesize
3.5MB

MD5
e0768a6da09a16c08b60ffbfa874a2a5

SHA1
8b2db9fafb8069486d01943847ece90d49cf8fc2

SHA256
877925b41dad686c247e309ae0059db79ecf44185ae52ceeb20bfef6d73689fa

SHA512
5daef2dd43e288fda8dfa88ada672ff5baf155058fecda1fb13e60f2d39cde70a99fae4064ec16e3783f663a93b84b3fdb2a7dcf20809a16794c17b0ab0509d9

Download Submit
memory/2568-0-0x0000000001B40000-0x0000000001B56000-memory.dmp

Filesize
88KB

Download
memory/2568-1-0x0000000001B40000-0x0000000001B56000-memory.dmp

Filesize
88KB

Download
memory/2568-2-0x0000000001B40000-0x0000000001B56000-memory.dmp

Filesize
88KB

Download
memory/2568-8-0x0000000001B40000-0x0000000001B56000-memory.dmp

Filesize
88KB

Download
memory/2568-7-0x0000000140000000-0x0000000140394000-memory.dmp

Filesize
3.6MB

Download
memory/2588-9-0x0000000001B50000-0x0000000001B66000-memory.dmp

Filesize
88KB

Download
memory/2588-11-0x0000000001B50000-0x0000000001B66000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing