ScreenShot
| Created | 2024.09.11 10:47 | Machine | s1_win7_x6403 |
| Filename | 66dfd447dcd00_lyla.exe#lyla3 | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 50 detected (CryptBot, malicious, high confidence, TrojanPWS, Dacic, Unsafe, Vi76, Attribute, HighConfidence, Barys, Cryptnot, TrojanPSW, du8Y4XG1zuF, yngzz, PRIVATELOADER, YXEIJZ, Detected, ai score=87, CCJD, 17KK2SY, Eldorado, R661185, Artemis, Genetic, confidence, 3DGW) | ||
| md5 | b36f21ca653ea179246c98cda2373879 | ||
| sha256 | ce083654b6506740c3a45c15e4fb24dcd05cd39e6509bdeeeedd330750a9511a | ||
| ssdeep | 49152:LZQCY6KFqjMJ9nFpnRmTH4S3dvxqydZMuhLpR+mXsU4AXe8BRDWOvryIkAw3W:2C6R4BdvsydZrzZsU4AXNrDcIrgW | ||
| imphash | 92a00f4d0a4448266e9c638fdb1341b9 | ||
| impfuzzy | 24:8fiFCDcn+kLEGTX5XG0bhkNJl6vlbDcqxZ96HGXZQ:8fiJ+k4GTXJG0bhkNJl6vRwqt6HGG | ||
Network IP location
Signature (7cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 50 AntiVirus engines on VirusTotal as malicious |
| notice | Drops an executable to the user AppData folder |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Resolves a suspicious Top Level Domain (TLD) |
| notice | Sends data using the HTTP POST Method |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
Rules (9cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
ET INFO HTTP Request to a *.top domain
ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
ET INFO HTTP Request to a *.top domain
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0xf331e0 DeleteCriticalSection
0xf331e4 EnterCriticalSection
0xf331e8 FreeLibrary
0xf331ec GetLastError
0xf331f0 GetModuleHandleA
0xf331f4 GetModuleHandleW
0xf331f8 GetProcAddress
0xf331fc GetStartupInfoA
0xf33200 GetTempPathA
0xf33204 InitializeCriticalSection
0xf33208 IsDBCSLeadByteEx
0xf3320c LeaveCriticalSection
0xf33210 LoadLibraryA
0xf33214 MultiByteToWideChar
0xf33218 SetUnhandledExceptionFilter
0xf3321c Sleep
0xf33220 TlsGetValue
0xf33224 VirtualProtect
0xf33228 VirtualQuery
0xf3322c WideCharToMultiByte
0xf33230 lstrlenA
msvcrt.dll
0xf33238 __getmainargs
0xf3323c __initenv
0xf33240 __lconv_init
0xf33244 __mb_cur_max
0xf33248 __p__acmdln
0xf3324c __p__commode
0xf33250 __p__fmode
0xf33254 __set_app_type
0xf33258 __setusermatherr
0xf3325c _amsg_exit
0xf33260 _assert
0xf33264 _cexit
0xf33268 _errno
0xf3326c _chsize
0xf33270 _filelengthi64
0xf33274 _fileno
0xf33278 _initterm
0xf3327c _iob
0xf33280 _lock
0xf33284 _onexit
0xf33288 _unlock
0xf3328c abort
0xf33290 atoi
0xf33294 calloc
0xf33298 exit
0xf3329c fclose
0xf332a0 fflush
0xf332a4 fgetpos
0xf332a8 fopen
0xf332ac fputc
0xf332b0 fread
0xf332b4 free
0xf332b8 freopen
0xf332bc fsetpos
0xf332c0 fwrite
0xf332c4 getc
0xf332c8 islower
0xf332cc isspace
0xf332d0 isupper
0xf332d4 isxdigit
0xf332d8 localeconv
0xf332dc malloc
0xf332e0 memcmp
0xf332e4 memcpy
0xf332e8 memmove
0xf332ec memset
0xf332f0 mktime
0xf332f4 localtime
0xf332f8 difftime
0xf332fc _mkdir
0xf33300 perror
0xf33304 puts
0xf33308 realloc
0xf3330c remove
0xf33310 setlocale
0xf33314 signal
0xf33318 strchr
0xf3331c strcmp
0xf33320 strcpy
0xf33324 strerror
0xf33328 strlen
0xf3332c strncmp
0xf33330 strncpy
0xf33334 strtol
0xf33338 strtoul
0xf3333c tolower
0xf33340 ungetc
0xf33344 vfprintf
0xf33348 time
0xf3334c wcslen
0xf33350 wcstombs
0xf33354 _stat
0xf33358 _utime
0xf3335c _fileno
0xf33360 _chmod
SHELL32.dll
0xf33368 ShellExecuteA
EAT(Export Address Table) Library
0x4ea29d main
KERNEL32.dll
0xf331e0 DeleteCriticalSection
0xf331e4 EnterCriticalSection
0xf331e8 FreeLibrary
0xf331ec GetLastError
0xf331f0 GetModuleHandleA
0xf331f4 GetModuleHandleW
0xf331f8 GetProcAddress
0xf331fc GetStartupInfoA
0xf33200 GetTempPathA
0xf33204 InitializeCriticalSection
0xf33208 IsDBCSLeadByteEx
0xf3320c LeaveCriticalSection
0xf33210 LoadLibraryA
0xf33214 MultiByteToWideChar
0xf33218 SetUnhandledExceptionFilter
0xf3321c Sleep
0xf33220 TlsGetValue
0xf33224 VirtualProtect
0xf33228 VirtualQuery
0xf3322c WideCharToMultiByte
0xf33230 lstrlenA
msvcrt.dll
0xf33238 __getmainargs
0xf3323c __initenv
0xf33240 __lconv_init
0xf33244 __mb_cur_max
0xf33248 __p__acmdln
0xf3324c __p__commode
0xf33250 __p__fmode
0xf33254 __set_app_type
0xf33258 __setusermatherr
0xf3325c _amsg_exit
0xf33260 _assert
0xf33264 _cexit
0xf33268 _errno
0xf3326c _chsize
0xf33270 _filelengthi64
0xf33274 _fileno
0xf33278 _initterm
0xf3327c _iob
0xf33280 _lock
0xf33284 _onexit
0xf33288 _unlock
0xf3328c abort
0xf33290 atoi
0xf33294 calloc
0xf33298 exit
0xf3329c fclose
0xf332a0 fflush
0xf332a4 fgetpos
0xf332a8 fopen
0xf332ac fputc
0xf332b0 fread
0xf332b4 free
0xf332b8 freopen
0xf332bc fsetpos
0xf332c0 fwrite
0xf332c4 getc
0xf332c8 islower
0xf332cc isspace
0xf332d0 isupper
0xf332d4 isxdigit
0xf332d8 localeconv
0xf332dc malloc
0xf332e0 memcmp
0xf332e4 memcpy
0xf332e8 memmove
0xf332ec memset
0xf332f0 mktime
0xf332f4 localtime
0xf332f8 difftime
0xf332fc _mkdir
0xf33300 perror
0xf33304 puts
0xf33308 realloc
0xf3330c remove
0xf33310 setlocale
0xf33314 signal
0xf33318 strchr
0xf3331c strcmp
0xf33320 strcpy
0xf33324 strerror
0xf33328 strlen
0xf3332c strncmp
0xf33330 strncpy
0xf33334 strtol
0xf33338 strtoul
0xf3333c tolower
0xf33340 ungetc
0xf33344 vfprintf
0xf33348 time
0xf3334c wcslen
0xf33350 wcstombs
0xf33354 _stat
0xf33358 _utime
0xf3335c _fileno
0xf33360 _chmod
SHELL32.dll
0xf33368 ShellExecuteA
EAT(Export Address Table) Library
0x4ea29d main