latrodectus | b85e22327b17da698f72e105d359f5873a8f2f4db38c6d76ec261df841288e74

General

Target

b85e22327b17da698f72e105d359f5873a8f2f4db38c6d76ec261df841288e74.exe
Size

333KB
MD5

a47952966449b8126698b9a1e98c39ff
SHA1

89cddb3326fecfa8e5f159c1dc1d0e16094731ad
SHA256

b85e22327b17da698f72e105d359f5873a8f2f4db38c6d76ec261df841288e74
SHA512

d486287545c2cbe5ec2c449ba26468edbdf095645c9f47481c3b336696ec53e12b6aff1d4ef7ba2880c400b7799283b41370b9caa448355443ef73383e16bee2
SSDEEP

6144:XWc/eO+AJdZU44m3q08bLUk8H6/Dsdp3DDEd3uOiq1wrkL:XWcYAJdZX4m3qp8H6/Dsz3DDRX4

Score

10^/10

latrodectus discovery loader spyware stealer

Malware Config

Extracted

Family

latrodectus

Version

1.4

C2

https://apworsindos.com/test/

https://reminasolirol.com/test/

Attributes

group
Mimikast
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)

aes.hex

Signatures

Latrodectus family
latrodectus
Latrodectus loader
Latrodectus is a loader written in C++.
loader latrodectus

Downloads MZ/PE file 1 IoCs

flow	pid	Process
44	4156	b85e22327b17da698f72e105d359f5873a8f2f4db38c6d76ec261df841288e74.exe

Executes dropped EXE 1 IoCs

pid	Process
2704	ppx.exe

Loads dropped DLL 3 IoCs

pid	Process
1104	rundll32.exe
4448	rundll32.exe
1988	rundll32.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b85e22327b17da698f72e105d359f5873a8f2f4db38c6d76ec261df841288e74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Software\Microsoft\Internet Explorer\TypedURLs	ppx.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4156	b85e22327b17da698f72e105d359f5873a8f2f4db38c6d76ec261df841288e74.exe
4156	b85e22327b17da698f72e105d359f5873a8f2f4db38c6d76ec261df841288e74.exe
4156	b85e22327b17da698f72e105d359f5873a8f2f4db38c6d76ec261df841288e74.exe
4156	b85e22327b17da698f72e105d359f5873a8f2f4db38c6d76ec261df841288e74.exe
2704	ppx.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4156 wrote to memory of 2704	4156	b85e22327b17da698f72e105d359f5873a8f2f4db38c6d76ec261df841288e74.exe	97
PID 4156 wrote to memory of 2704	4156	b85e22327b17da698f72e105d359f5873a8f2f4db38c6d76ec261df841288e74.exe	97
PID 4156 wrote to memory of 1104	4156	b85e22327b17da698f72e105d359f5873a8f2f4db38c6d76ec261df841288e74.exe	99
PID 4156 wrote to memory of 1104	4156	b85e22327b17da698f72e105d359f5873a8f2f4db38c6d76ec261df841288e74.exe	99
PID 4156 wrote to memory of 1104	4156	b85e22327b17da698f72e105d359f5873a8f2f4db38c6d76ec261df841288e74.exe	99
PID 1104 wrote to memory of 4448	1104	rundll32.exe	100
PID 1104 wrote to memory of 4448	1104	rundll32.exe	100
PID 4448 wrote to memory of 1988	4448	rundll32.exe	101
PID 4448 wrote to memory of 1988	4448	rundll32.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b85e22327b17da698f72e105d359f5873a8f2f4db38c6d76ec261df841288e74.exe
"C:\Users\Admin\AppData\Local\Temp\b85e22327b17da698f72e105d359f5873a8f2f4db38c6d76ec261df841288e74.exe"
1⤵
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Users\Admin\AppData\Local\Temp\4QJZX7AN4UJ6VQF6BCXJRWBHLA47WK0\ppx.exe
  "C:\Users\Admin\AppData\Local\Temp\4QJZX7AN4UJ6VQF6BCXJRWBHLA47WK0\ppx.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:2704
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 "C:\Users\Admin\AppData\Local\Temp\FXOLK7YVF9H0PZORI.dll",Object
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Windows\system32\rundll32.exe
    rundll32 "C:\Users\Admin\AppData\Local\Temp\FXOLK7YVF9H0PZORI.dll",Object
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4448
  - - C:\Windows\system32\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_5651c00.dll", Object
      4⤵
      Loads dropped DLL
      PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Browser Information Discovery

Query Registry

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4QJZX7AN4UJ6VQF6BCXJRWBHLA47WK0\MonitoringFileBuilder.ini

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\92875ef7

Filesize
7.0MB

MD5
2434bc336fd6e41859048c256fe350ce

SHA1
a8941601a1fcae16029065a641392d25b6c65609

SHA256
e6ec04613f05afc4f940aaeb058bba158c4910b6b0ffdefc8286b17f3988bd59

SHA512
a67620d422ae374a305088958fe6176fce53ed0db9387acd226029fcb9084227e42b1235cbc138367816e9b278aa35fd6e85d3fdb6eb90fd86885e9cc52e3c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\FXOLK7YVF9H0PZORI.dll

Filesize
2.2MB

MD5
9d62b08fad74162f2f41f98fe5150047

SHA1
24ea8d164cc7ee120b928f37eb4fabb82d155a55

SHA256
73d7600998d2c273c388fd50be8d33d12bb4161fae0e7410af513dc19bc8804b

SHA512
eb86af928a70d34c0f9847c5c10029a906e71bf9b9dbcefba4b8424719630d572a8aaa716534e700381a3ba513463416babd024b1955d6e766c6c90e2bea2b97

Download Submit
memory/2704-89-0x00007FF640B90000-0x00007FF6413C2000-memory.dmp

Filesize
8.2MB

Download
memory/2704-104-0x00007FFB40B60000-0x00007FFB40CD2000-memory.dmp

Filesize
1.4MB

Download
memory/4156-96-0x0000000003690000-0x0000000003695000-memory.dmp

Filesize
20KB

Download
memory/4156-95-0x0000000003690000-0x0000000003695000-memory.dmp

Filesize
20KB

Download
memory/4448-106-0x0000000180000000-0x0000000181CB2000-memory.dmp

Filesize
28.7MB

Download
memory/4448-112-0x00007FFB40CE0000-0x00007FFB40F20000-memory.dmp

Filesize
2.2MB

Download

Analysis

Sharing