Latrodectus updates to version 1.4 with AES-256 string encryption

We found a new Latrodectus version (1.4) which switched its string encryption routine to AES-256.

This new version also utilizes the /test/ C2 endpoint, indicating that it is an early testing sample for this version.

In a nutshell:

PRNG and XOR string decryption replaced by AES-256

New FNV1a32 Campaign ID 619171486 translates to Campaign Wiski

New RC4 key “2sDbsEUXvhgLOO4Irt8AF6el3jJ0M1MowXyao00Nn6ZUjtjXwb” to encrypt the C2 traffic

Switching to new C2 endpoint /test/ instead of /live/, indicating a development version

Stealthy self-deletion technique by renaming primary data stream to :wtfbbq

Places a mutex called running

Dive deeper into the report

Sample SHA256:

5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8

Threat identifiers

See why we think this is malicious in plain language.

Process map

See the whole path of the sample’s execution

MITRE ATT&CK Matrix

Map the malicious activities on the MITRE ATT&CK Framework

Network connections

Explore detailed information on the IP addresses, URLs and DNS, including function logs and PCAP Streams

Pre-filtered IOCs

Download the IOCs and artifacts to have a clear picture of the threat.

Files

Download the files that the malware downloads, drops or modifies.

Explore how you can use these insights

Incident
Response

Threat
Hunting

Threat Intelligence
Generation

UniqueSignal (NEW!)

DeepResponse

Professional Services

TotalInsight

FinalVerdict

Analyzer (Legacy)

Use Cases

Industry

Success Stories

By Category

By Company

Why VMRay

News

Contact

Careers

Insights

Malware Analysis Reports

Cybersecurity glossary