latrodectus | e9a007d03d495c867a25e655feace833390d24c781939398d6fb70ed4db4ad53

General

Target

e9a007d03d495c867a25e655feace833390d24c781939398d6fb70ed4db4ad53.exe
Size

11.1MB
MD5

a6cf2e5db58c8490d5313639623fcd20
SHA1

9ffae6b3e9630d52beaeb9c7e7da963d80ab9d1c
SHA256

e9a007d03d495c867a25e655feace833390d24c781939398d6fb70ed4db4ad53
SHA512

8e2b058d559b0c57b126ff5f4f3dcae6d721cbc3eeb39cb6583fbf23c6e52e0adf38713d4664621ea50bac6aa66653e41dbcd6ac2452c851587694d178fe9f78
SSDEEP

196608:D52JzMnXtRXm1h6rwaLIjnVlaQK1EdUwr1ZdZ4PRfMXtNgIDo26b/WVyjKFdu9CR:ceRcKnIjn7K1E2wr1TZ4Pc9DChjKFduy

Score

10^/10

latrodectus discovery loader spyware stealer

Malware Config

Extracted

Family

latrodectus

Version

1.4

C2

https://apworsindos.com/test/

https://reminasolirol.com/test/

Attributes

group
Mimikast
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)

aes.hex

Signatures

Latrodectus family
latrodectus
Latrodectus loader
Latrodectus is a loader written in C++.
loader latrodectus

Downloads MZ/PE file 1 IoCs

flow	pid	Process
54	1348	e9a007d03d495c867a25e655feace833390d24c781939398d6fb70ed4db4ad53.exe

Executes dropped EXE 1 IoCs

pid	Process
4044	ppx.exe

Loads dropped DLL 3 IoCs

pid	Process
3392	rundll32.exe
2916	rundll32.exe
2704	rundll32.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e9a007d03d495c867a25e655feace833390d24c781939398d6fb70ed4db4ad53.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Internet Explorer\TypedURLs	ppx.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1348	e9a007d03d495c867a25e655feace833390d24c781939398d6fb70ed4db4ad53.exe
1348	e9a007d03d495c867a25e655feace833390d24c781939398d6fb70ed4db4ad53.exe
1348	e9a007d03d495c867a25e655feace833390d24c781939398d6fb70ed4db4ad53.exe
1348	e9a007d03d495c867a25e655feace833390d24c781939398d6fb70ed4db4ad53.exe
1348	e9a007d03d495c867a25e655feace833390d24c781939398d6fb70ed4db4ad53.exe
1348	e9a007d03d495c867a25e655feace833390d24c781939398d6fb70ed4db4ad53.exe
4044	ppx.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 4044	1348	e9a007d03d495c867a25e655feace833390d24c781939398d6fb70ed4db4ad53.exe	95
PID 1348 wrote to memory of 4044	1348	e9a007d03d495c867a25e655feace833390d24c781939398d6fb70ed4db4ad53.exe	95
PID 1348 wrote to memory of 3392	1348	e9a007d03d495c867a25e655feace833390d24c781939398d6fb70ed4db4ad53.exe	98
PID 1348 wrote to memory of 3392	1348	e9a007d03d495c867a25e655feace833390d24c781939398d6fb70ed4db4ad53.exe	98
PID 1348 wrote to memory of 3392	1348	e9a007d03d495c867a25e655feace833390d24c781939398d6fb70ed4db4ad53.exe	98
PID 3392 wrote to memory of 2916	3392	rundll32.exe	99
PID 3392 wrote to memory of 2916	3392	rundll32.exe	99
PID 2916 wrote to memory of 2704	2916	rundll32.exe	100
PID 2916 wrote to memory of 2704	2916	rundll32.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e9a007d03d495c867a25e655feace833390d24c781939398d6fb70ed4db4ad53.exe
"C:\Users\Admin\AppData\Local\Temp\e9a007d03d495c867a25e655feace833390d24c781939398d6fb70ed4db4ad53.exe"
1⤵
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Users\Admin\AppData\Local\Temp\4TZ7GYY6ESBQ4N7Q4LDAODU\ppx.exe
  "C:\Users\Admin\AppData\Local\Temp\4TZ7GYY6ESBQ4N7Q4LDAODU\ppx.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:4044
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 "C:\Users\Admin\AppData\Local\Temp\VTAVBS650SRPM6FHT7.dll",Object
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Windows\system32\rundll32.exe
    rundll32 "C:\Users\Admin\AppData\Local\Temp\VTAVBS650SRPM6FHT7.dll",Object
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\system32\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_296e0974.dll", Object
      4⤵
      Loads dropped DLL
      PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Browser Information Discovery

Query Registry

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4TZ7GYY6ESBQ4N7Q4LDAODU\MonitoringFileBuilder.ini

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\VTAVBS650SRPM6FHT7.dll

Filesize
2.2MB

MD5
777aeff0c2c3485b1df2df2f360baa88

SHA1
2878a2778e345e7c105c0264354c4f32d15750cd

SHA256
c2246dbb239f7cc59b8725d1600479ef8f4ac7fb8565792c3904d7ce99d6cba5

SHA512
441a685be2a11f12a446660003fef333465b1a46e60e7f94d56f5e2e15c33b05d98ac7b3f60f465c06372628d0c51f6e17653ab565851f40890a49ff2c149d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\dca91a6b

Filesize
7.0MB

MD5
2434bc336fd6e41859048c256fe350ce

SHA1
a8941601a1fcae16029065a641392d25b6c65609

SHA256
e6ec04613f05afc4f940aaeb058bba158c4910b6b0ffdefc8286b17f3988bd59

SHA512
a67620d422ae374a305088958fe6176fce53ed0db9387acd226029fcb9084227e42b1235cbc138367816e9b278aa35fd6e85d3fdb6eb90fd86885e9cc52e3c29

Download Submit
memory/1348-0-0x0000000001A40000-0x0000000001A98000-memory.dmp

Filesize
352KB

Download
memory/1348-2-0x0000000000E50000-0x0000000001800000-memory.dmp

Filesize
9.7MB

Download
memory/1348-103-0x0000000004370000-0x0000000004375000-memory.dmp

Filesize
20KB

Download
memory/1348-102-0x0000000004370000-0x0000000004375000-memory.dmp

Filesize
20KB

Download
memory/2916-110-0x0000000180000000-0x0000000181CB2000-memory.dmp

Filesize
28.7MB

Download
memory/2916-117-0x00007FFBCC1E0000-0x00007FFBCC420000-memory.dmp

Filesize
2.2MB

Download
memory/4044-94-0x00007FF704210000-0x00007FF704A42000-memory.dmp

Filesize
8.2MB

Download
memory/4044-100-0x00007FFBCC1F0000-0x00007FFBCC362000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing