ScreenShot
| Created | 2021.06.25 15:25 | Machine | s1_win7_x6401 |
| Filename | XyliBot.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 18 detected (malicious, high confidence, Unsafe, Attribute, HighConfidence, Wacapew, score, ET#88%, RDMK, cmRtazp0SVt22MTEXjkqrmxWs2tJ, Static AI, Malicious PE, ZexaF, @@0@aGQ3W2ni, susgen) | ||
| md5 | 51707a312ec0701a9d63f87259ab6657 | ||
| sha256 | be5abd65ddbe919fb56b35427c73544aed9b37082a169a162b00bfb8b07ef943 | ||
| ssdeep | 196608:PlvV4N05bH2UBGKJ3jBb5Nvj/mAiIdEsXKvyjoZU:PlvV4NfO939TvLmsEOKD | ||
| imphash | 6aaaa79487c6ff1a64326922c92a172d | ||
| impfuzzy | 12:iCsUTXgB4004sADTQK3EUMZjFUgDdT9xTKjAgZGCZB:R/gmP4ZHEzZ++dbTk/B | ||
Network IP location
Signature (6cnts)
| Level | Description |
|---|---|
| watch | File has been identified by 18 AntiVirus engines on VirusTotal as malicious |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is likely packed with VMProtect |
| info | One or more processes crashed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | NPKI_Zero | File included NPKI | binaries (upload) |
| watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (upload) |
| watch | VMProtect_Zero | VMProtect packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
winmm.dll
0x1eab000 timeGetTime
wininet.dll
0x1eab008 InternetOpenUrlW
winspool.drv
0x1eab010 EnumPrintersW
comctl32.dll
0x1eab018 InitializeFlatSB
shell32.dll
0x1eab020 Shell_NotifyIconW
user32.dll
0x1eab028 DrawFocusRect
version.dll
0x1eab030 VerQueryValueW
oleaut32.dll
0x1eab038 VariantChangeType
advapi32.dll
0x1eab040 RegUnLoadKeyW
netapi32.dll
0x1eab048 NetWkstaGetInfo
msvcrt.dll
0x1eab050 memset
kernel32.dll
0x1eab058 GetVersionExW
0x1eab05c GetVersion
0x1eab060 GetSystemTime
wsock32.dll
0x1eab068 send
ole32.dll
0x1eab070 OleUninitialize
gdi32.dll
0x1eab078 StartDocW
kernel32.dll
0x1eab080 GetModuleFileNameW
kernel32.dll
0x1eab088 GetModuleHandleA
0x1eab08c LoadLibraryA
0x1eab090 LocalAlloc
0x1eab094 LocalFree
0x1eab098 GetModuleFileNameA
0x1eab09c ExitProcess
EAT(Export Address Table) Library
0x4dd880 TMethodImplementationIntercept
0x41277c __dbk_fcall_wrapper
0x7e863c dbkFCallWrapperAddr
winmm.dll
0x1eab000 timeGetTime
wininet.dll
0x1eab008 InternetOpenUrlW
winspool.drv
0x1eab010 EnumPrintersW
comctl32.dll
0x1eab018 InitializeFlatSB
shell32.dll
0x1eab020 Shell_NotifyIconW
user32.dll
0x1eab028 DrawFocusRect
version.dll
0x1eab030 VerQueryValueW
oleaut32.dll
0x1eab038 VariantChangeType
advapi32.dll
0x1eab040 RegUnLoadKeyW
netapi32.dll
0x1eab048 NetWkstaGetInfo
msvcrt.dll
0x1eab050 memset
kernel32.dll
0x1eab058 GetVersionExW
0x1eab05c GetVersion
0x1eab060 GetSystemTime
wsock32.dll
0x1eab068 send
ole32.dll
0x1eab070 OleUninitialize
gdi32.dll
0x1eab078 StartDocW
kernel32.dll
0x1eab080 GetModuleFileNameW
kernel32.dll
0x1eab088 GetModuleHandleA
0x1eab08c LoadLibraryA
0x1eab090 LocalAlloc
0x1eab094 LocalFree
0x1eab098 GetModuleFileNameA
0x1eab09c ExitProcess
EAT(Export Address Table) Library
0x4dd880 TMethodImplementationIntercept
0x41277c __dbk_fcall_wrapper
0x7e863c dbkFCallWrapperAddr