Overview

overview

10

Static

static

3

489541a61e...a6.dll

windows7-x64

10

489541a61e...a6.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20/03/2025, 02:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    489541a61e66ed36c56d7c7b35ed57129a9febb201efb9156420cbe9d325c9a6.dll

  • Size

    1.8MB

  • MD5

    06ba9f3ecacbca2920c8272a7719ca76

  • SHA1

    a22039c0bcfdf41a2c2f6f37aa38e2d77f36f39a

  • SHA256

    489541a61e66ed36c56d7c7b35ed57129a9febb201efb9156420cbe9d325c9a6

  • SHA512

    38ba64295f030a630b0cd2f3db915743cf801d454b50a6cb36653a75384da15658682846c3ea78fe1637b5fb3ecef58a4a39e1fd4bb21cc16e4f226f78d9d27b

  • SSDEEP

    49152:9srSb808eyLlSRqVNPseFyTJ1CLXuzYYjc8F4HcDsYfPFGMSugRP:KL1PYTI9Hco

Score
10/10
latrodectusloader

Malware Config

Extracted

Family

latrodectus

Version

1.4

C2

https://remustarofilac.com/test/

https://horetimodual.com/test/
Attributes
  • group

    Ferrary

  • user_agent

    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)

aes.hex

Extracted

Family

latrodectus

aes.hex

Signatures

  • Latrodectus family
    latrodectus
  • Latrodectus loader

    Latrodectus is a loader written in C++.

    loaderlatrodectus
  • Deletes itself 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\489541a61e66ed36c56d7c7b35ed57129a9febb201efb9156420cbe9d325c9a6.dll,#1
    1⤵
    • Deletes itself
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2112
    • C:\Windows\system32\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_499bc163.dll", #1
      2⤵
      • Loads dropped DLL
      PID:2580

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Custom_update\Update_499bc163.dll
    Filesize

    1.8MB

    MD5

    06ba9f3ecacbca2920c8272a7719ca76

    SHA1

    a22039c0bcfdf41a2c2f6f37aa38e2d77f36f39a

    SHA256

    489541a61e66ed36c56d7c7b35ed57129a9febb201efb9156420cbe9d325c9a6

    SHA512

    38ba64295f030a630b0cd2f3db915743cf801d454b50a6cb36653a75384da15658682846c3ea78fe1637b5fb3ecef58a4a39e1fd4bb21cc16e4f226f78d9d27b

    Download Submit

  • memory/2112-0-0x0000000180000000-0x0000000181CB2000-memory.dmp

    Filesize

    28.7MB

    Download

  • memory/2112-4-0x0000000001E80000-0x0000000003B31000-memory.dmp

    Filesize

    28.7MB

    Download

  • memory/2112-8-0x000007FEF5F30000-0x000007FEF6103000-memory.dmp

    Filesize

    1.8MB

    Download