Overview

overview

10

Static

static

3

sqx.dll

windows7-x64

10

sqx.dll

windows10-2004-x64

10

Resubmissions

30-11-2024 00:13

241130-ahvwystmfv 10

29-11-2024 21:13

241129-z2qtsa1lhn 10

27-11-2024 19:30

241127-x7tfratjar 10

27-11-2024 19:27

241127-x6eafawrbz 10

26-11-2024 23:43

241126-3qkp6sslfn 10

Analysis

  • max time kernel
    1794s
  • max time network
    1800s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-11-2024 00:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sqx.dll

  • Size

    1.3MB

  • MD5

    dd862590d9e4ea1791df147912ae4c8f

  • SHA1

    852d7a9ea4db5ff4cd51a92447a8d5701cfb322b

  • SHA256

    14ffcbbfb305287ea15264df3363567f36a26917ae2018af0f40e2009b8a7184

  • SHA512

    3e9222d8bd91d3e53f5e378318a78a7c5aa12011272031f7c0d8c36c5b255db1d0a168cc02e1159eb021dd18206352dd6dcb857fefc2222937c467350dc6d568

  • SSDEEP

    24576:pQrDp6J8JM3IgVvF7EtPCo1Frk5fRJhqYEjTvpAbHT0HRZonw4by:pQpI8JM3IwEtPCo1F45fvhq/jTyb4HR+

Score
10/10
bruteratellatrodectusbackdoorloader

Malware Config

Extracted

Family

latrodectus

C2

https://reateberam.com/test/

https://dogirafer.com/test/

Signatures

  • Brute Ratel C4

    A customized command and control framework for red teaming and adversary simulation.

    backdoorbruteratel
  • Bruteratel family
    bruteratel
  • Detect BruteRatel badger 1 IoCs
  • Detects Latrodectus 3 IoCs

    Detects Latrodectus v1.4.

  • Latrodectus family
    latrodectus
  • Latrodectus loader

    Latrodectus is a loader written in C++.

    loaderlatrodectus
  • Blocklisted process makes network request 45 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 1 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3456
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\sqx.dll,#1
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4752

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3456-25-0x0000000002500000-0x0000000002515000-memory.dmp

    Filesize

    84KB

    Download

  • memory/3456-26-0x0000000002500000-0x0000000002515000-memory.dmp

    Filesize

    84KB

    Download

  • memory/4752-0-0x000001A3C0700000-0x000001A3C073E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4752-1-0x000001A3C0740000-0x000001A3C078C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4752-20-0x00007FF4724B0000-0x00007FF4724C5000-memory.dmp

    Filesize

    84KB

    Download

  • memory/4752-22-0x00007FF472490000-0x00007FF472491000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4752-24-0x00007FF472470000-0x00007FF472471000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4752-23-0x00007FF472480000-0x00007FF472481000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4752-21-0x00007FF4724A0000-0x00007FF4724A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4752-19-0x00007FF4724D0000-0x00007FF4724D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4752-29-0x000001A3C0740000-0x000001A3C078C000-memory.dmp

    Filesize

    304KB

    Download