Overview
Static: score 10 (task static)
Behavioral tasks (sample, platform: score):
- Mal2/Comn.dll, windows7-x64: 3
- Mal2/Comn.dll, windows10-2004-x64: 3
- Mal2/QtCore4.dll, windows7-x64: 3
- Mal2/QtCore4.dll, windows10-2004-x64: 3
- Mal2/QtGui4.dll, windows7-x64: 3
- Mal2/QtGui4.dll, windows10-2004-x64: 3
- Mal2/Set-up.exe, windows7-x64: 3
- Mal2/Set-up.exe, windows10-2004-x64: 10
- Mal2/breast.html, windows7-x64: 10
- Mal2/breast.html, windows10-2004-x64: 3
- Mal2/libcr..._1.dll, windows7-x64: 4
- Mal2/libcr..._1.dll, windows10-2004-x64: 3
- Mal2/libssl-1_1.dll, windows7-x64: 3
- Mal2/libssl-1_1.dll, windows10-2004-x64: 3
- Mal2/msvcp80.dll, windows7-x64: 3
- Mal2/msvcp80.dll, windows10-2004-x64: 3
- Mal2/msvcr80.dll, windows7-x64: 3
- Mal2/msvcr80.dll, windows10-2004-x64: 3
3Analysis
- max time kernel: 108s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20250314-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/03/2025, 02:50
Tasks (task id: sample, resource):
- static1: static task
- behavioral1: Mal2/Comn.dll, win7-20240903-en
- behavioral2: Mal2/Comn.dll, win10v2004-20250313-en
- behavioral3: Mal2/QtCore4.dll, win7-20240903-en
- behavioral4: Mal2/QtCore4.dll, win10v2004-20250314-en
- behavioral5: Mal2/QtGui4.dll, win7-20240903-en
- behavioral6: Mal2/QtGui4.dll, win10v2004-20250314-en
- behavioral7: Mal2/Set-up.exe, win7-20241010-en
- behavioral8: Mal2/Set-up.exe, win10v2004-20250314-en
- behavioral9: Mal2/breast.html, win7-20250207-en
- behavioral10: Mal2/breast.html, win10v2004-20250314-en
- behavioral11: Mal2/libcrypto-1_1.dll, win7-20240903-en
- behavioral12: Mal2/libcrypto-1_1.dll, win10v2004-20250314-en
- behavioral13: Mal2/libssl-1_1.dll, win7-20241010-en
- behavioral14: Mal2/libssl-1_1.dll, win10v2004-20250314-en
- behavioral15: Mal2/msvcp80.dll, win7-20250207-en
- behavioral16: Mal2/msvcp80.dll, win10v2004-20250314-en
- behavioral17: Mal2/msvcr80.dll, win7-20240903-en
- behavioral18: Mal2/msvcr80.dll, win10v2004-20250314-en
General
- Target: Mal2/Set-up.exe
- Size: 335KB
- MD5: 61dc7844b70f4e6ffce0ec875dcc7faf
- SHA1: 436a95a2135264bacaae51f6aa6a60c2ad6308c7
- SHA256: 6ca9becba92609d2974352a205725346c696e864d087b63ea2afabd52707fb87
- SHA512: bbf2ce889e76a024b5c85b84b544608526b3a460f9751d3b2aa51a404f517705dc6d40756caa8071a65271e67791a16fb2bbbbc4d0b78c93e670c96404fba765
- SSDEEP: 6144:k32qf6qqDdoAZrdsTs/88TuIc4vlico6CUwtXHQgO6aFuO:k32qKRfiTKNyGFuO
Malware Config
Extracted: lumma
- https://partparcadi.shop/api
- https://crosshairc.life/api
- https://mrodularmall.top/api
- https://jowinjoinery.icu/api
- https://plegenassedk.top/api
- https://htardwarehu.icu/api
- https://jcjlaspcorne.icu/api
- https://bugildbett.top/api
- https://weaponrywo.digital/api
Extracted: latrodectus (version 1.4)
- https://remustarofilac.com/test/
- https://horetimodual.com/test/
- group: Ferrary
- user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Signatures
- Latrodectus family
- Latrodectus loader
  Latrodectus is a loader written in C++.
- Lumma family
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Downloads MZ/PE file (1 IoC)
    flow  pid   Process
    18    3652  svchost.exe
- Suspicious use of SetThreadContext (1 IoC)
    description                         pid   Process     procid_target
    PID 4836 set thread context of 692  4836  Set-up.exe  87
- Loads dropped DLL (3 IoCs)
    pid   Process
    4528  rundll32.exe
    4540  rundll32.exe
    4640  rundll32.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    description  ioc                                                          Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Set-up.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  more.com
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
    pid   Process      (occurrences)
    4836  Set-up.exe   2
    692   more.com     2
    3652  svchost.exe  8
- Suspicious behavior: MapViewOfSection (2 IoCs)
    pid   Process
    4836  Set-up.exe
    692   more.com
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
    description                    pid   Process      (occurrences)
    Token: SeImpersonatePrivilege  3652  svchost.exe  2
- Suspicious use of WriteProcessMemory (16 IoCs)
    description                       pid   Process       procid_target  (occurrences)
    PID 4836 wrote to memory of 692   4836  Set-up.exe    87             4
    PID 692 wrote to memory of 3652   692   more.com      89             5
    PID 3652 wrote to memory of 4528  3652  svchost.exe   91             3
    PID 4528 wrote to memory of 4540  4528  rundll32.exe  92             2
    PID 4540 wrote to memory of 4640  4540  rundll32.exe  93             2
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (parent/child tree; each level is indented under its parent)
Level 1: C:\Users\Admin\AppData\Local\Temp\Mal2\Set-up.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Mal2\Set-up.exe"
  PID: 4836
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\SysWOW64\more.com
    Command line: C:\Windows\SysWOW64\more.com
    PID: 692
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\SysWOW64\svchost.exe
      PID: 3652
      - Downloads MZ/PE file
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Windows\SysWOW64\rundll32.exe
        Command line: rundll32 "C:\Users\Admin\AppData\Local\Temp\C60S7YHHHIV4Q7BSM1R1CJEVRE.dll",Editor
        PID: 4528
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        Level 5: C:\Windows\system32\rundll32.exe
          Command line: rundll32 "C:\Users\Admin\AppData\Local\Temp\C60S7YHHHIV4Q7BSM1R1CJEVRE.dll",Editor
          PID: 4540
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          Level 6: C:\Windows\system32\rundll32.exe
            Command line: rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_16aa8554.dll", Editor
            PID: 4640
            - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.8MB
  MD5: 06ba9f3ecacbca2920c8272a7719ca76
  SHA1: a22039c0bcfdf41a2c2f6f37aa38e2d77f36f39a
  SHA256: 489541a61e66ed36c56d7c7b35ed57129a9febb201efb9156420cbe9d325c9a6
  SHA512: 38ba64295f030a630b0cd2f3db915743cf801d454b50a6cb36653a75384da15658682846c3ea78fe1637b5fb3ecef58a4a39e1fd4bb21cc16e4f226f78d9d27b
- Filesize: 1.0MB
  MD5: b138fa65adf56d95d329cfa47986db3f
  SHA1: aeb086a2995018453999761a9eed149f7d1306a7
  SHA256: 6dd0208e65d649500976eefb2ae45a15e00f1ed4821560a53eadaf4ef6e4a97d
  SHA512: bfa9fe182c5f5674969c1b50e82cc4d1c7fb74ab57c5b8c381e8817366a210e4c97e9d66a71da41c01af7f8be2a3526a8c7b4bd955a49fe5071768fc3b452145