latrodectus | 5f4f3b0d4378171bb18896b50ec84331e5a9b68346d3489c326116cfd9855390

Analysis

max time kernel
147s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
07-02-2025 04:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f4f3b0d4378171bb18896b50ec84331e5a9b68346d3489c326116cfd9855390.exe
Size

13.0MB
MD5

f47c4d1fe89f9177e6bcaad7a901e58b
SHA1

fca0b3bc67c4566d10b4985c0423679da0a30670
SHA256

5f4f3b0d4378171bb18896b50ec84331e5a9b68346d3489c326116cfd9855390
SHA512

c43d9ae54a755b9d38acf7adfb81cafca61c335f3ae47fe869950c0842010b2a782c31334e56cee00b1f6d23809391b29431a96757eff39a0433581523a861a8
SSDEEP

393216:GNPrMFSFWUdZakpQyvHjPXEu4nHfjw3BEmt3rK:4iSF/2gDEugwBEIO

Score

10^/10

latrodectus discovery loader spyware

Malware Config

Extracted

Family

latrodectus

Version

1.4

https://apworsindos.com/test/

https://reminasolirol.com/test/

Attributes

group
Mimikast
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)

aes.hex

Signatures

Latrodectus family
latrodectus
Latrodectus loader
Latrodectus is a loader written in C++.
loader latrodectus

Downloads MZ/PE file 1 IoCs

flow	pid	Process
58	1272	OpenWith.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	5f4f3b0d4378171bb18896b50ec84331e5a9b68346d3489c326116cfd9855390.exe

Executes dropped EXE 2 IoCs

pid	Process
932	Setup.exe
1932	ppx.exe

Loads dropped DLL 9 IoCs

pid	Process
932	Setup.exe
932	Setup.exe
932	Setup.exe
932	Setup.exe
932	Setup.exe
932	Setup.exe
4732	rundll32.exe
4436	rundll32.exe
4564	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 932 set thread context of 1600	932	Setup.exe	95

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OpenWith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Software\Microsoft\Internet Explorer\TypedURLs	ppx.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
932	Setup.exe
932	Setup.exe
1600	more.com
1600	more.com
1272	OpenWith.exe
1272	OpenWith.exe
1272	OpenWith.exe
1272	OpenWith.exe
1932	ppx.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
932	Setup.exe
1600	more.com

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 932	2116	5f4f3b0d4378171bb18896b50ec84331e5a9b68346d3489c326116cfd9855390.exe	89
PID 2116 wrote to memory of 932	2116	5f4f3b0d4378171bb18896b50ec84331e5a9b68346d3489c326116cfd9855390.exe	89
PID 932 wrote to memory of 1600	932	Setup.exe	95
PID 932 wrote to memory of 1600	932	Setup.exe	95
PID 932 wrote to memory of 1600	932	Setup.exe	95
PID 932 wrote to memory of 1600	932	Setup.exe	95
PID 1600 wrote to memory of 1272	1600	more.com	102
PID 1600 wrote to memory of 1272	1600	more.com	102
PID 1600 wrote to memory of 1272	1600	more.com	102
PID 1600 wrote to memory of 1272	1600	more.com	102
PID 1600 wrote to memory of 1272	1600	more.com	102
PID 1600 wrote to memory of 1272	1600	more.com	102
PID 1272 wrote to memory of 1932	1272	OpenWith.exe	111
PID 1272 wrote to memory of 1932	1272	OpenWith.exe	111
PID 1272 wrote to memory of 4732	1272	OpenWith.exe	112
PID 1272 wrote to memory of 4732	1272	OpenWith.exe	112
PID 1272 wrote to memory of 4732	1272	OpenWith.exe	112
PID 4732 wrote to memory of 4436	4732	rundll32.exe	113
PID 4732 wrote to memory of 4436	4732	rundll32.exe	113
PID 4436 wrote to memory of 4564	4436	rundll32.exe	114
PID 4436 wrote to memory of 4564	4436	rundll32.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5f4f3b0d4378171bb18896b50ec84331e5a9b68346d3489c326116cfd9855390.exe
"C:\Users\Admin\AppData\Local\Temp\5f4f3b0d4378171bb18896b50ec84331e5a9b68346d3489c326116cfd9855390.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:932
- - C:\Windows\SysWOW64\more.com
    C:\Windows\SysWOW64\more.com
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Windows\SysWOW64\OpenWith.exe
      C:\Windows\SysWOW64\OpenWith.exe
      4⤵
      Downloads MZ/PE file
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1272
    - - C:\Users\Admin\AppData\Local\Temp\T2Q4SFKC0KCJ5XM68L6\ppx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\T2Q4SFKC0KCJ5XM68L6\ppx.exe"
        5⤵
        Executes dropped EXE
        Modifies Internet Explorer settings
        Suspicious behavior: EnumeratesProcesses
        
        PID:1932
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 "C:\Users\Admin\AppData\Local\Temp\7LPZGYXA5FYZQ4CE46EKA8QT8U0W.dll",Object
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4732
      - C:\Windows\system32\rundll32.exe
        
        rundll32 "C:\Users\Admin\AppData\Local\Temp\7LPZGYXA5FYZQ4CE46EKA8QT8U0W.dll",Object
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\system32\rundll32.exe
        
        rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_2e86d825.dll", Object
        7⤵
        Loads dropped DLL
        
        PID:4564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7LPZGYXA5FYZQ4CE46EKA8QT8U0W.dll

Filesize
2.2MB

MD5
0e6d633a9d02f94e7eca499ae6cd7ed7

SHA1
dd22a17c5a89730cef0af7a302f5ee9c35567325

SHA256
108ac26fd8fff9a3093606f2fcf1e42b8704971cae407266041f8132591ba213

SHA512
8859256d1025eb3869dae1a0d887eda46650ea337855a1a97367b9733df57d37ce2812968211d1479f4e42ab6b5c7c232b3b6c2e14d3c1c0cdfce8f2e50a6e2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8c4ba23d

Filesize
1.0MB

MD5
49d9adc84b6f51b3582a13789358f343

SHA1
e25a48e67c82eb3f8d139fd8d830487c7ba69cd7

SHA256
338cc769ec9e296b17f86d5ade3e4d1cf4474ee7ba8c6333277f460433786fd2

SHA512
17ea41b091bf2aa30715fe4003b0420e8c42027892195401398130cd0ee7a8b13167b5b61f36b1193030a97a0c3eed455fe95a7e4e14298026b10545c38fc482

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

Filesize
23.9MB

MD5
4d26c08fe77828b3da86abad4ab3c829

SHA1
9fa67221b67a0cf8885110de75d68264aed12672

SHA256
162fad4f6063e22b2b55ae2bfa872c6622465a9a1f31119f5efd1f3cd621d7ef

SHA512
a042b288f4dee8bf69c192be2d17554f7980b56b182d87a2dbb5a3199dc63fdad760c637c50fbb2c55f8b28a86640e9a0547f07506779214e2795c081ebf5f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\artiste.cfg

Filesize
811KB

MD5
3389b9e742f5414f4fc77127848a7bfa

SHA1
136c171fa33c40f75a2f6386aefd4a953853bfc3

SHA256
5755bd5b69464832376fbb41105490da89f4e0041553e9d7e89422997ff8e7fd

SHA512
85cb23884af4e8bebfa45cadf2e41e1224f8a7ce4e361adae59ca699df82b999e440b45143e6bfa7d664f18b56c1367d0bc03f4e703ee08475202be5a3ef5ef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\boundary.mkv

Filesize
61KB

MD5
a492352e1f6d33a8857061517ef2250d

SHA1
01a6931272820e925d6f044dda5e1990d0e08f82

SHA256
69ccd2e2a9e4a6b0f89512f8108cc66683a05f69295c2c09a7cadadd319cc0f1

SHA512
4e52b98ba91d60e2a47750bd85c789892e7a82c0b9377f733313a97b355025912ae9eb7871b6eb8045c4db6a46a1f0e565211e596b99b6466cf3ac794858c8f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ssleay32.dll

Filesize
371KB

MD5
4cf48f279c78b7425e3703c1ad42f700

SHA1
00533d5d1ecd33a5e84bb472889f0753646ee786

SHA256
0be0065ac04801d2b1b5c82ec283a07570c1322dca555d2dabd4fa12586ace47

SHA512
f8256f6ad676283d2cf5beb0c8bd62023517995d83046f1774a9e2f7d68c79e4aaf1ce896437a8f29e5d37a87b8edd3c8a8530968ab1d7c02e0c4fa4546e0d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vcruntime140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vcruntime140_1.dll

Filesize
48KB

MD5
cf0a1c4776ffe23ada5e570fc36e39fe

SHA1
2050fadecc11550ad9bde0b542bcf87e19d37f1a

SHA256
6fd366a691ed68430bcd0a3de3d8d19a0cb2102952bfc140bbef4354ed082c47

SHA512
d95cd98d22ca048d0fc5bca551c9db13d6fa705f6af120bbbb621cf2b30284bfdc7320d0a819bb26dab1e0a46253cc311a370bed4ef72ecb60c69791ed720168

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\zlib1.dll

Filesize
103KB

MD5
05aed489d2951b8e5f941f3caacefb39

SHA1
1c023e3050339e054bb014b6495fd6fd1e369ecc

SHA256
e7b2042f8b024c9376cba5d00897eb6066ce0cb7126e4201b303bcd41907d76d

SHA512
efd086408e8fa1791b19d213619d933c45a93295140481169cecb1c0f190d53a06621aa2798891267a0bc3c29f2089c44afeb886a9cfb4fde791061f20e8e8e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\T2Q4SFKC0KCJ5XM68L6\MonitoringFileBuilder.ini

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\a003d141

Filesize
7.0MB

MD5
2434bc336fd6e41859048c256fe350ce

SHA1
a8941601a1fcae16029065a641392d25b6c65609

SHA256
e6ec04613f05afc4f940aaeb058bba158c4910b6b0ffdefc8286b17f3988bd59

SHA512
a67620d422ae374a305088958fe6176fce53ed0db9387acd226029fcb9084227e42b1235cbc138367816e9b278aa35fd6e85d3fdb6eb90fd86885e9cc52e3c29

Download Submit
memory/932-143-0x00007FFB379D0000-0x00007FFB37B42000-memory.dmp

Filesize
1.4MB

Download
memory/932-135-0x00007FFB379D0000-0x00007FFB37B42000-memory.dmp

Filesize
1.4MB

Download
memory/1272-258-0x0000000003770000-0x0000000003775000-memory.dmp

Filesize
20KB

Download
memory/1272-152-0x00000000004F0000-0x000000000054F000-memory.dmp

Filesize
380KB

Download
memory/1272-156-0x00000000004F0000-0x000000000054F000-memory.dmp

Filesize
380KB

Download
memory/1272-153-0x0000000000990000-0x00000000009AC000-memory.dmp

Filesize
112KB

Download
memory/1272-257-0x0000000003770000-0x0000000003775000-memory.dmp

Filesize
20KB

Download
memory/1272-151-0x00007FFB56BD0000-0x00007FFB56DC5000-memory.dmp

Filesize
2.0MB

Download
memory/1600-146-0x00007FFB56BD0000-0x00007FFB56DC5000-memory.dmp

Filesize
2.0MB

Download
memory/1600-147-0x0000000074B80000-0x0000000074CFB000-memory.dmp

Filesize
1.5MB

Download
memory/1932-247-0x00007FF76B420000-0x00007FF76BC52000-memory.dmp

Filesize
8.2MB

Download
memory/1932-255-0x00007FFB38BC0000-0x00007FFB38D32000-memory.dmp

Filesize
1.4MB

Download
memory/4436-265-0x0000000180000000-0x0000000181CB2000-memory.dmp

Filesize
28.7MB

Download
memory/4436-273-0x00007FFB38BB0000-0x00007FFB38DF0000-memory.dmp

Filesize
2.2MB

Download