| Field | Value |
|---|---|
| Created | 2024.07.25 09:01 |
| Machine | s1_win7_x6403 |
| Filename | lobo.exe |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| ZERO API | file : malicious |
| md5 | 848abdbd09c052799a0e0180b59f6fee |
| sha256 | 1aa0622a744ec4d28a561bac60ec5e907476587efbadfde546d2b145be4b8109 |
| ssdeep | 6144:/DiElZeVJ9/+pPQHe5wocklXck9UBd4MvQhdaAadaH8CaTnlmIa+w4Iqr6KGus24:/DiETMgqkKBJm5+fnHYftcv7vQG6zIs |
| imphash | 89d186e701948ed4026afa52bc6342f0 |
| impfuzzy | 48:ZW0XOzMrlvqQcpV5CrMdtmG7pZO3gFZS70HNwjo:tXm2lSQcpV5oMdtmG7pZ9SkNw8 |
Signatures (36 counts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Attempts to create or modify system certificates |
watch | Checks the version of Bios |
watch | Code injection by writing an executable or DLL to the memory of another process |
watch | Communicates with host for which no DNS query was performed |
watch | Detects Avast Antivirus through the presence of a library |
watch | Harvests credentials from local email clients |
watch | Installs itself for autorun at Windows startup |
watch | One or more of the buffers contains an embedded PE file |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | A process attempted to delay the analysis task |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An executable file was downloaded by the process explert.exe |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | Executes one or more WMI queries |
notice | Executes one or more WMI queries which can be used to identify virtual machines |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Resolves a suspicious Top Level Domain (TLD) |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | One or more processes crashed |
info | Queries for the computername |
info | Uses Windows APIs to generate a cryptographic key |
Rules (26 counts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (download) |
notice | ScreenShot | Take ScreenShot | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | Is_DotNET_EXE | (no description) | binaries (download) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (13 counts)
Suricata IDS alerts
ET MALWARE ZharkBot CnC Domain in DNS Lookup (solutionhub .cc)
ET DNS Query for .cc TLD
ET MALWARE Observed ZharkBot Domain (solutionhub .cc in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE ZharkBot User-Agent Observed
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x43e018 ReadProcessMemory
0x43e01c WriteProcessMemory
0x43e020 GetModuleHandleA
0x43e024 GetProcAddress
0x43e028 GetEnvironmentVariableA
0x43e02c CreateDirectoryA
0x43e030 WaitForSingleObject
0x43e034 CreateMutexA
0x43e038 Sleep
0x43e03c GetModuleFileNameA
0x43e040 VirtualProtectEx
0x43e044 CreateProcessW
0x43e048 GetVersion
0x43e04c GetComputerNameA
0x43e050 WriteConsoleW
0x43e054 HeapSize
0x43e058 CreateFileW
0x43e05c GetProcessHeap
0x43e060 SetStdHandle
0x43e064 VirtualAllocEx
0x43e068 VirtualAlloc
0x43e06c SetThreadContext
0x43e070 GetThreadContext
0x43e074 CreateProcessA
0x43e078 ResumeThread
0x43e07c K32GetModuleFileNameExA
0x43e080 GetLastError
0x43e084 K32EnumProcesses
0x43e088 OpenProcess
0x43e08c TerminateProcess
0x43e090 GetCurrentProcessId
0x43e094 CopyFileA
0x43e098 CloseHandle
0x43e09c SetEnvironmentVariableW
0x43e0a0 FreeEnvironmentStringsW
0x43e0a4 GetEnvironmentStringsW
0x43e0a8 GetOEMCP
0x43e0ac GetACP
0x43e0b0 IsValidCodePage
0x43e0b4 FindNextFileW
0x43e0b8 FindFirstFileExW
0x43e0bc FindClose
0x43e0c0 HeapReAlloc
0x43e0c4 ReadConsoleW
0x43e0c8 SetFilePointerEx
0x43e0cc GetFileSizeEx
0x43e0d0 ReadFile
0x43e0d4 GetConsoleMode
0x43e0d8 GetConsoleOutputCP
0x43e0dc FlushFileBuffers
0x43e0e0 GetFileType
0x43e0e4 GetCurrentThreadId
0x43e0e8 WideCharToMultiByte
0x43e0ec EnterCriticalSection
0x43e0f0 LeaveCriticalSection
0x43e0f4 InitializeCriticalSectionEx
0x43e0f8 DeleteCriticalSection
0x43e0fc EncodePointer
0x43e100 DecodePointer
0x43e104 MultiByteToWideChar
0x43e108 LCMapStringEx
0x43e10c CompareStringEx
0x43e110 GetCPInfo
0x43e114 QueryPerformanceCounter
0x43e118 GetSystemTimeAsFileTime
0x43e11c GetModuleHandleW
0x43e120 GetStringTypeW
0x43e124 IsProcessorFeaturePresent
0x43e128 InitializeSListHead
0x43e12c IsDebuggerPresent
0x43e130 UnhandledExceptionFilter
0x43e134 SetUnhandledExceptionFilter
0x43e138 GetStartupInfoW
0x43e13c GetCurrentProcess
0x43e140 RaiseException
0x43e144 RtlUnwind
0x43e148 SetLastError
0x43e14c InitializeCriticalSectionAndSpinCount
0x43e150 TlsAlloc
0x43e154 TlsGetValue
0x43e158 TlsSetValue
0x43e15c TlsFree
0x43e160 FreeLibrary
0x43e164 LoadLibraryExW
0x43e168 ExitProcess
0x43e16c GetModuleHandleExW
0x43e170 CreateThread
0x43e174 ExitThread
0x43e178 FreeLibraryAndExitThread
0x43e17c GetStdHandle
0x43e180 WriteFile
0x43e184 GetModuleFileNameW
0x43e188 GetCommandLineA
0x43e18c GetCommandLineW
0x43e190 HeapFree
0x43e194 HeapAlloc
0x43e198 CompareStringW
0x43e19c LCMapStringW
0x43e1a0 GetLocaleInfoW
0x43e1a4 IsValidLocale
0x43e1a8 GetUserDefaultLCID
0x43e1ac EnumSystemLocalesW
0x43e1b0 SetEndOfFile
ADVAPI32.dll
0x43e000 RegSetValueExA
0x43e004 RegQueryValueExA
0x43e008 RegOpenKeyExA
0x43e00c RegCloseKey
0x43e010 GetUserNameA
SHELL32.dll
0x43e1cc ShellExecuteA
ole32.dll
0x43e1e8 CoInitializeEx
0x43e1ec CoInitializeSecurity
0x43e1f0 CoSetProxyBlanket
0x43e1f4 CoCreateInstance
0x43e1f8 CoUninitialize
OLEAUT32.dll
0x43e1b8 SysAllocString
0x43e1bc SysFreeString
0x43e1c0 VariantInit
0x43e1c4 VariantClear
WININET.dll
0x43e1d4 InternetReadFile
0x43e1d8 InternetOpenW
0x43e1dc InternetOpenUrlA
0x43e1e0 InternetCloseHandle
EAT (Export Address Table): none