We found a new Latrodectus version (1.4) which switched its string encryption routine to AES-256.
This new version also utilizes the /test/ C2 endpoint, indicating that it is an early testing sample for this version.
In a nutshell:

- PRNG and XOR string decryption replaced by AES-256
- New FNV1a32 Campaign ID 619171486 translates to Campaign Wiski
- New RC4 key “2sDbsEUXvhgLOO4Irt8AF6el3jJ0M1MowXyao00Nn6ZUjtjXwb” to encrypt the C2 traffic
- Switching to the new C2 endpoint /test/ instead of /live/, indicating a development version
- Stealthy self-deletion technique by renaming the primary data stream to :wtfbbq
- Creates a mutex named “running”
Sample SHA256:
5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8