Field | Value |
---|---|
Created | 2024.09.11 10:44 |
Machine | s1_win7_x6401 |
Filename | 66e0736c4382a_lyla.exe#lyla |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 45 detected (CryptBot, malicious, high confidence, Dacic, Vr77, Attribute, HighConfidence, Barys, TrojanPSW, du8Y4XG1zuF, PRIVATELOADER, YXEIKZ, ConvaGent, Detected, njyvu, ai score=87, Cryptnot, CCJD, 17KK2SY, Artemis, Outbreak, Genetic, R014C0DIA24, confidence, 3DGW) |
md5 | e52fc4b24fffbcde2ea11efb2efa1f08 |
sha256 | 95704aebba0511e4853ac25736a52048cb4f87b74df5ae42886602f9ca0f1808 |
ssdeep | 98304:e/vu1NXotYuJgvgfHxIL87vkxlCxRNsHYkX5:Ku1JRSYgvwXCxRNxkX5 |
imphash | 92a00f4d0a4448266e9c638fdb1341b9 |
impfuzzy | 24:8fiFCDcn+kLEGTX5XG0bhkNJl6vlbDcqxZ96HGXZQ:8fiJ+k4GTXJG0bhkNJl6vRwqt6HGG |
Network IP location
Signature (7cnts)
Level | Description |
---|---|
danger | File has been identified by 45 AntiVirus engines on VirusTotal as malicious |
notice | Drops an executable to the user AppData folder |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Resolves a suspicious Top Level Domain (TLD) |
notice | Sends data using the HTTP POST Method |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
Rules (9cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
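The packer notice in the Signature table ("likely contains encrypted or compressed data") and the UPX_Zero rule above rest on two cheap static heuristics: a section name that belongs to a known packer, and a section whose byte entropy is close to 8 bits per byte. The block below is an added example, not code from the sandbox or its rule set, that implements both checks with a small stdlib-only PE section-table parser. It builds two constructed PE32 images in memory (one with UPX0/UPX1 sections carrying random bytes, one with ordinary low-entropy sections) so it runs offline; those fixtures are fabricated and not derived from the sample on this page, and the 7.0 threshold and the packer-name list are conventional choices, not values the report states.

```python
import math
import random
import struct

# Section names used by common packers (UPX, MPRESS, ASPack, Petite, VMProtect).
# UPX0/UPX1 are what the report's UPX_Zero rule is about; the rest add breadth.
PACKER_SECTION_NAMES = {
    "UPX0", "UPX1", "UPX2", "MPRESS1", "MPRESS2",
    ".aspack", ".adata", ".petite", ".vmp0", ".vmp1", ".vmp2",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0..8.0. Compressed or encrypted data sits near 8;
    ordinary x86 code and ASCII strings are usually well below 7."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table and return
    (name, raw_size, entropy) per section. Pure stdlib; no pefile dependency."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]       # COFF.NumberOfSections
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]  # COFF.SizeOfOptionalHeader
    table = coff + 20 + size_of_optional
    out = []
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        out.append((name, raw_size, shannon_entropy(image[raw_ptr:raw_ptr + raw_size])))
    return out


def packer_indicators(image: bytes, entropy_threshold: float = 7.0):
    """Findings behind a 'likely packed' verdict: known packer section names and
    high-entropy sections. Tiny sections are skipped; their entropy is noise."""
    findings = []
    for name, raw_size, ent in pe_sections(image):
        if name in PACKER_SECTION_NAMES:
            findings.append(f"section {name!r}: known packer section name")
        if raw_size >= 256 and ent >= entropy_threshold:
            findings.append(f"section {name!r}: entropy {ent:.2f} >= {entropy_threshold}")
    return findings


def build_pe(sections):
    """Assemble a minimal PE32 image from [(name, raw_bytes)] as a test fixture.
    Only the fields pe_sections() reads are meaningful; this is constructed data,
    not a loadable executable and not the sample from the report."""
    e_lfanew, size_of_optional = 0x80, 224
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_of_optional, 0x0102)
    optional = struct.pack("<H", 0x10B).ljust(size_of_optional, b"\0")
    headers_end = e_lfanew + 4 + 20 + size_of_optional + 40 * len(sections)
    first_raw = (headers_end + 0x1FF) & ~0x1FF          # first section starts 512-aligned
    table, body, raw_ptr, va = b"", b"", first_raw, 0x1000
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                             len(data), va, len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        raw_ptr += len(data)
        va += max((len(data) + 0xFFF) & ~0xFFF, 0x1000)
    headers = dos + b"PE\0\0" + coff + optional + table
    return headers.ljust(first_raw, b"\0") + body


# Constructed fixtures (seeded so the run is reproducible).
_rng = random.Random(20240911)
PACKED_IMAGE = build_pe([
    ("UPX0", b""),                                                # UPX0 is virtual-only: no raw data
    ("UPX1", bytes(_rng.getrandbits(8) for _ in range(4096))),    # stands in for a compressed payload
])
CLEAN_IMAGE = build_pe([
    (".text", b"\x55\x8b\xec\x83\xec\x10\x33\xc0\x5d\xc3" * 200),  # repetitive x86-like bytes
    (".rdata", b"Hello from a plain, unpacked build\0" * 32),
])

if __name__ == "__main__":
    for label, img in (("packed fixture", PACKED_IMAGE), ("clean fixture", CLEAN_IMAGE)):
        print(label, packer_indicators(img) or ["no packer indicators"])
```

Run it against a real file with `packer_indicators(open(path, "rb").read())`. Both heuristics are only indicators: legitimate installers and resource-heavy binaries also carry high-entropy sections, and packers that rename their sections defeat the name check, which is why the report pairs this verdict with behavioural evidence rather than treating it as conclusive.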
Suricata ids
ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.top domain
ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
ET INFO HTTP Request to a *.top domain
ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
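The ET DNS and ET INFO alerts above, together with the notice-level signatures "Resolves a suspicious Top Level Domain" and "Sends data using the HTTP POST Method", reduce to one host-level check that is easy to reproduce over network logs. The block below is an added example, not the sandbox's or Emerging Threats' code, that runs that check over a few constructed Zeek-style JSON events. Field names (`ts`, `id.orig_h`, `query`, `method`, `host`, `uri`) follow Zeek's dns.log and http.log; the hostnames and timestamps are invented. The content matching inside "ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4" is not reproduced here, so the POST-to-.top finding is a generic, weaker proxy for it.

```python
import json

# TLDs to flag. The report's alerts concern .top; extend this set for your environment.
SUSPICIOUS_TLDS = {"top"}


def tld_of(hostname):
    """Last DNS label of a hostname, lowercased; None for IP literals or single labels.
    Handles a trailing dot (FQDN form) and a :port suffix from an HTTP Host header."""
    host = hostname.strip().lower().rstrip(".")
    host = host.split(":", 1)[0]
    if not host or "." not in host or host.replace(".", "").isdigit():
        return None
    return host.rsplit(".", 1)[1]


def classify(event, tlds=SUSPICIOUS_TLDS):
    """Map one Zeek-style event to zero or more (alert_name, detail) pairs.
    Mirrors the intent of 'ET DNS Query to a *.top domain' and
    'ET INFO HTTP Request to a *.top domain'; the POST variant is a generic stand-in."""
    alerts = []
    if "query" in event:                                   # dns.log record
        if tld_of(event["query"]) in tlds:
            alerts.append(("dns_query_suspicious_tld", event["query"]))
    elif "method" in event:                                # http.log record
        host = event.get("host", "")
        if tld_of(host) in tlds:
            alerts.append(("http_request_suspicious_tld", host))
            if event["method"].upper() == "POST":
                alerts.append(("http_post_to_suspicious_tld", host + event.get("uri", "")))
    return alerts


def scan(lines, tlds=SUSPICIOUS_TLDS):
    """Run classify() over JSON-lines input; returns (ts, src, alert, detail) tuples."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for name, detail in classify(ev, tlds):
            hits.append((ev.get("ts"), ev.get("id.orig_h"), name, detail))
    return hits


# Constructed sample events (not captured traffic from this sample).
SAMPLE_LOG = """
{"ts": 1726019100.1, "id.orig_h": "10.0.0.5", "query": "example-update.top", "qtype_name": "A"}
{"ts": 1726019100.2, "id.orig_h": "10.0.0.5", "query": "www.example.com", "qtype_name": "A"}
{"ts": 1726019101.0, "id.orig_h": "10.0.0.5", "method": "POST", "host": "example-update.top", "uri": "/index.php"}
{"ts": 1726019101.5, "id.orig_h": "10.0.0.5", "method": "GET", "host": "example-update.top", "uri": "/file.bin"}
{"ts": 1726019102.0, "id.orig_h": "10.0.0.5", "method": "POST", "host": "www.example.com", "uri": "/api"}
{"ts": 1726019103.0, "id.orig_h": "10.0.0.5", "method": "GET", "host": "93.184.216.34:8080", "uri": "/"}
"""

if __name__ == "__main__":
    for ts, src, alert, detail in scan(SAMPLE_LOG.splitlines()):
        print(f"{ts:.1f} {src} {alert} {detail}")
```

A TLD check on its own is noisy in environments with legitimate .top traffic; in practice it earns its place as a notice-level signal (as the report ranks it) that is correlated with the stronger evidence here, the malware-class Suricata match and the AppData drop.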
PE API
IAT (Import Address Table) libraries
KERNEL32.dll
0xf3c1e0 DeleteCriticalSection
0xf3c1e4 EnterCriticalSection
0xf3c1e8 FreeLibrary
0xf3c1ec GetLastError
0xf3c1f0 GetModuleHandleA
0xf3c1f4 GetModuleHandleW
0xf3c1f8 GetProcAddress
0xf3c1fc GetStartupInfoA
0xf3c200 GetTempPathA
0xf3c204 InitializeCriticalSection
0xf3c208 IsDBCSLeadByteEx
0xf3c20c LeaveCriticalSection
0xf3c210 LoadLibraryA
0xf3c214 MultiByteToWideChar
0xf3c218 SetUnhandledExceptionFilter
0xf3c21c Sleep
0xf3c220 TlsGetValue
0xf3c224 VirtualProtect
0xf3c228 VirtualQuery
0xf3c22c WideCharToMultiByte
0xf3c230 lstrlenA
msvcrt.dll
0xf3c238 __getmainargs
0xf3c23c __initenv
0xf3c240 __lconv_init
0xf3c244 __mb_cur_max
0xf3c248 __p__acmdln
0xf3c24c __p__commode
0xf3c250 __p__fmode
0xf3c254 __set_app_type
0xf3c258 __setusermatherr
0xf3c25c _amsg_exit
0xf3c260 _assert
0xf3c264 _cexit
0xf3c268 _errno
0xf3c26c _chsize
0xf3c270 _filelengthi64
0xf3c274 _fileno
0xf3c278 _initterm
0xf3c27c _iob
0xf3c280 _lock
0xf3c284 _onexit
0xf3c288 _unlock
0xf3c28c abort
0xf3c290 atoi
0xf3c294 calloc
0xf3c298 exit
0xf3c29c fclose
0xf3c2a0 fflush
0xf3c2a4 fgetpos
0xf3c2a8 fopen
0xf3c2ac fputc
0xf3c2b0 fread
0xf3c2b4 free
0xf3c2b8 freopen
0xf3c2bc fsetpos
0xf3c2c0 fwrite
0xf3c2c4 getc
0xf3c2c8 islower
0xf3c2cc isspace
0xf3c2d0 isupper
0xf3c2d4 isxdigit
0xf3c2d8 localeconv
0xf3c2dc malloc
0xf3c2e0 memcmp
0xf3c2e4 memcpy
0xf3c2e8 memmove
0xf3c2ec memset
0xf3c2f0 mktime
0xf3c2f4 localtime
0xf3c2f8 difftime
0xf3c2fc _mkdir
0xf3c300 perror
0xf3c304 puts
0xf3c308 realloc
0xf3c30c remove
0xf3c310 setlocale
0xf3c314 signal
0xf3c318 strchr
0xf3c31c strcmp
0xf3c320 strcpy
0xf3c324 strerror
0xf3c328 strlen
0xf3c32c strncmp
0xf3c330 strncpy
0xf3c334 strtol
0xf3c338 strtoul
0xf3c33c tolower
0xf3c340 ungetc
0xf3c344 vfprintf
0xf3c348 time
0xf3c34c wcslen
0xf3c350 wcstombs
0xf3c354 _stat
0xf3c358 _utime
0xf3c35c _fileno
0xf3c360 _chmod
SHELL32.dll
0xf3c368 ShellExecuteA
EAT (Export Address Table)
0x42a7d7 main
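The imphash in the metadata table is derived from exactly the import list above. The following is an added example, not part of the sandbox report, that rebuilds the hash from the IAT as transcribed on this page using the canonicalisation pefile's `get_imphash` applies: lowercase the DLL name and drop a .dll/.ocx/.sys extension, lowercase each function name, keep IAT order, join with commas, MD5. It assumes the sandbox used that algorithm and that its parser saw the imports in the order printed; if both hold the printed digest equals the reported 92a00f4d0a4448266e9c638fdb1341b9, but that equality is not asserted below because the transcription is ours. Imports by ordinal (resolved to names for a few DLLs by pefile) do not occur in this list and are omitted. One caveat: the report also flags UPX packing, and an imphash computed from a packed file describes the import table the parser read, which for a packer stub is frequently not the original program's, so match it against other samples with that in mind.

```python
import hashlib

# Import table transcribed from the report above (DLL -> imported names, in IAT order).
# Dict insertion order is preserved (Python 3.7+), which matters: imphash is order-sensitive.
IAT = {
    "KERNEL32.dll": """
        DeleteCriticalSection EnterCriticalSection FreeLibrary GetLastError
        GetModuleHandleA GetModuleHandleW GetProcAddress GetStartupInfoA GetTempPathA
        InitializeCriticalSection IsDBCSLeadByteEx LeaveCriticalSection LoadLibraryA
        MultiByteToWideChar SetUnhandledExceptionFilter Sleep TlsGetValue VirtualProtect
        VirtualQuery WideCharToMultiByte lstrlenA
    """.split(),
    "msvcrt.dll": """
        __getmainargs __initenv __lconv_init __mb_cur_max __p__acmdln __p__commode
        __p__fmode __set_app_type __setusermatherr _amsg_exit _assert _cexit _errno
        _chsize _filelengthi64 _fileno _initterm _iob _lock _onexit _unlock abort atoi
        calloc exit fclose fflush fgetpos fopen fputc fread free freopen fsetpos fwrite
        getc islower isspace isupper isxdigit localeconv malloc memcmp memcpy memmove
        memset mktime localtime difftime _mkdir perror puts realloc remove setlocale
        signal strchr strcmp strcpy strerror strlen strncmp strncpy strtol strtoul
        tolower ungetc vfprintf time wcslen wcstombs _stat _utime _fileno _chmod
    """.split(),
    "SHELL32.dll": ["ShellExecuteA"],
}


def imphash_string(iat):
    """Build the canonical 'lib.func,lib.func,...' string that imphash hashes.

    Rules, as pefile implements them: lowercase the DLL name and strip a
    .dll/.ocx/.sys extension, lowercase every function name, keep import order,
    join with commas. Ordinal-only imports (resolved by pefile for a few known
    DLLs) are not present in this report and are not handled here.
    """
    parts = []
    for dll, funcs in iat.items():
        lib = dll.lower()
        base, _, ext = lib.rpartition(".")
        if ext in ("dll", "ocx", "sys"):
            lib = base
        parts.extend(f"{lib}.{f.lower()}" for f in funcs)
    return ",".join(parts)


def imphash(iat):
    """Hex MD5 of the canonical import string: the value a report lists as imphash."""
    return hashlib.md5(imphash_string(iat).encode("ascii")).hexdigest()


if __name__ == "__main__":
    canon = imphash_string(IAT)
    print(f"{len(canon.split(','))} imports")
    print(f"computed imphash: {imphash(IAT)}")
    print("reported imphash: 92a00f4d0a4448266e9c638fdb1341b9")
```

Because the hash is an MD5 over names in order, a rebuilt or re-linked binary with one import added or reordered gets an unrelated digest; that is why the table also carries impfuzzy (a fuzzy hash over the same import string) for near-match pivoting, and why the duplicated `_fileno` entry in msvcrt is preserved above rather than de-duplicated.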