Edit tour
Windows
Analysis Report
r2iL9TLvO3.dll
Overview
General Information
Sample name: | r2iL9TLvO3.dll (renamed file extension from exe to dll, renamed because original name is a hash value) |
Original sample name: | 9645a12079edffd20560d4631160a6052ae5728d6f73b7366588166ad281c534.exe |
Analysis ID: | 1469006 |
MD5: | d46476f7f27be8ef618b7646a46f5e66 |
SHA1: | 8219d1ead31d16f6380941827bf96a488453d5c0 |
SHA256: | 9645a12079edffd20560d4631160a6052ae5728d6f73b7366588166ad281c534 |
Tags: | exeLatrodectus |
Infos: | |
Detection
Latrodectus
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Latrodectus
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Sample uses string decryption to hide its real strings
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to query network adapater information
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Classification
- System is w10x64
- loaddll64.exe (PID: 7480 cmdline:
loaddll64. exe "C:\Us ers\user\D esktop\r2i L9TLvO3.dl l" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52) - conhost.exe (PID: 7488 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 7528 cmdline:
cmd.exe /C rundll32. exe "C:\Us ers\user\D esktop\r2i L9TLvO3.dl l",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - rundll32.exe (PID: 7556 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\r2iL 9TLvO3.dll ",#1 MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 7540 cmdline:
rundll32.e xe C:\User s\user\Des ktop\r2iL9 TLvO3.dll, extra MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 7620 cmdline:
rundll32.e xe "C:\Use rs\user\Ap pData\Roam ing\Custom _update\Up date_8c0cf feb.dll", extra MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 7728 cmdline:
rundll32.e xe C:\User s\user\Des ktop\r2iL9 TLvO3.dll, follower MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 7764 cmdline:
rundll32.e xe C:\User s\user\Des ktop\r2iL9 TLvO3.dll, run MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 7640 cmdline:
rundll32.e xe "C:\Use rs\user\Ap pData\Roam ing\Custom _update\Up date_8c0cf feb.dll", extra MD5: EF3179D498793BF4234F708D3BE28633)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Unidentified 111 (Latrodectus), Latrodectus | First discovered in October 2023, BLACKWIDOW is a backdoor written in C that communicates over HTTP using RC4 encrypted requests. The malware has the capability to execute discovery commands, query information about the victim's machine, update itself, as well as download and execute an EXE, DLL, or shellcode. The malware is believed to have been developed by LUNAR SPIDER, the creators of IcedID (aka BokBot) Malware. | No Attribution |
{"C2 url": ["https://winarkamaps.com/live/", "https://stratimasesstr.com/live/"], "Group Name": "Facial", "Campaign ID": 3828029093}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Latrodectus | Yara detected Latrodectus | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Latrodectus | Yara detected Latrodectus | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Latrodectus | Yara detected Latrodectus | Joe Security | ||
JoeSecurity_Latrodectus | Yara detected Latrodectus | Joe Security | ||
JoeSecurity_Latrodectus | Yara detected Latrodectus | Joe Security | ||
JoeSecurity_Latrodectus | Yara detected Latrodectus | Joe Security | ||
JoeSecurity_Latrodectus | Yara detected Latrodectus | Joe Security | ||
Click to see the 1 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Latrodectus | Yara detected Latrodectus | Joe Security | ||
JoeSecurity_Latrodectus | Yara detected Latrodectus | Joe Security | ||
JoeSecurity_Latrodectus | Yara detected Latrodectus | Joe Security | ||
JoeSecurity_Latrodectus | Yara detected Latrodectus | Joe Security |
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira: |
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: |
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: |
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior |
Source: | Code function: | 3_2_00007FFB1E86A350 | |
Source: | Code function: | 3_2_00007FFB1E861A08 | |
Source: | Code function: | 6_2_00007FFB1C81A350 | |
Source: | Code function: | 6_2_00007FFB1C811A08 |
Networking |
---|