ScreenShot
| Created | 2024.09.20 10:47 | Machine | s1_win7_x6403 |
| Filename | 66ebf725efe38_lyla.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 52 detected (AIDetectMalware, CryptBot, Dacic, Unsafe, Veua, malicious, confidence, Attribute, HighConfidence, high confidence, Barys, TrojanPSW, du8Y4XG1zuF, owqqw, PRIVATELOADER, YXEIRZ, Detected, Cryptnot, Malware@#n6odze40f4ds, CCJD, Eldorado, Artemis, Stop, GdSda) | ||
| md5 | 117cd56896073eaa680d408fe7fb51c8 | ||
| sha256 | 9b985f2af040a18f231b1c4851365e8f10a5ef394f455306fdc8f395b374f01e | ||
| ssdeep | 49152:KfuaMm44Xnz/IYkmjVcIhGWczrYfRX9Iu14k85M7xgc6jbb36ST9llys58JLNQuC:WzRkmELkpX9RFXEb36Y9l9201LcDS | ||
| imphash | 92a00f4d0a4448266e9c638fdb1341b9 | ||
| impfuzzy | 24:8fiFCDcn+kLEGTX5XG0bhkNJl6vlbDcqxZ96HGXZQ:8fiJ+k4GTXJG0bhkNJl6vRwqt6HGG | ||
Network IP location
Signature (7cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 52 AntiVirus engines on VirusTotal as malicious |
| notice | Drops an executable to the user AppData folder |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Resolves a suspicious Top Level Domain (TLD) |
| notice | Sends data using the HTTP POST Method |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
Rules (9cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
ET INFO HTTP Request to a *.top domain
ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.top domain
ET DNS Query to a *.top domain - Likely Hostile
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0xf341e0 DeleteCriticalSection
0xf341e4 EnterCriticalSection
0xf341e8 FreeLibrary
0xf341ec GetLastError
0xf341f0 GetModuleHandleA
0xf341f4 GetModuleHandleW
0xf341f8 GetProcAddress
0xf341fc GetStartupInfoA
0xf34200 GetTempPathA
0xf34204 InitializeCriticalSection
0xf34208 IsDBCSLeadByteEx
0xf3420c LeaveCriticalSection
0xf34210 LoadLibraryA
0xf34214 MultiByteToWideChar
0xf34218 SetUnhandledExceptionFilter
0xf3421c Sleep
0xf34220 TlsGetValue
0xf34224 VirtualProtect
0xf34228 VirtualQuery
0xf3422c WideCharToMultiByte
0xf34230 lstrlenA
msvcrt.dll
0xf34238 __getmainargs
0xf3423c __initenv
0xf34240 __lconv_init
0xf34244 __mb_cur_max
0xf34248 __p__acmdln
0xf3424c __p__commode
0xf34250 __p__fmode
0xf34254 __set_app_type
0xf34258 __setusermatherr
0xf3425c _amsg_exit
0xf34260 _assert
0xf34264 _cexit
0xf34268 _errno
0xf3426c _chsize
0xf34270 _filelengthi64
0xf34274 _fileno
0xf34278 _initterm
0xf3427c _iob
0xf34280 _lock
0xf34284 _onexit
0xf34288 _unlock
0xf3428c abort
0xf34290 atoi
0xf34294 calloc
0xf34298 exit
0xf3429c fclose
0xf342a0 fflush
0xf342a4 fgetpos
0xf342a8 fopen
0xf342ac fputc
0xf342b0 fread
0xf342b4 free
0xf342b8 freopen
0xf342bc fsetpos
0xf342c0 fwrite
0xf342c4 getc
0xf342c8 islower
0xf342cc isspace
0xf342d0 isupper
0xf342d4 isxdigit
0xf342d8 localeconv
0xf342dc malloc
0xf342e0 memcmp
0xf342e4 memcpy
0xf342e8 memmove
0xf342ec memset
0xf342f0 mktime
0xf342f4 localtime
0xf342f8 difftime
0xf342fc _mkdir
0xf34300 perror
0xf34304 puts
0xf34308 realloc
0xf3430c remove
0xf34310 setlocale
0xf34314 signal
0xf34318 strchr
0xf3431c strcmp
0xf34320 strcpy
0xf34324 strerror
0xf34328 strlen
0xf3432c strncmp
0xf34330 strncpy
0xf34334 strtol
0xf34338 strtoul
0xf3433c tolower
0xf34340 ungetc
0xf34344 vfprintf
0xf34348 time
0xf3434c wcslen
0xf34350 wcstombs
0xf34354 _stat
0xf34358 _utime
0xf3435c _fileno
0xf34360 _chmod
SHELL32.dll
0xf34368 ShellExecuteA
EAT(Export Address Table) Library
0x4dddcf main
KERNEL32.dll
0xf341e0 DeleteCriticalSection
0xf341e4 EnterCriticalSection
0xf341e8 FreeLibrary
0xf341ec GetLastError
0xf341f0 GetModuleHandleA
0xf341f4 GetModuleHandleW
0xf341f8 GetProcAddress
0xf341fc GetStartupInfoA
0xf34200 GetTempPathA
0xf34204 InitializeCriticalSection
0xf34208 IsDBCSLeadByteEx
0xf3420c LeaveCriticalSection
0xf34210 LoadLibraryA
0xf34214 MultiByteToWideChar
0xf34218 SetUnhandledExceptionFilter
0xf3421c Sleep
0xf34220 TlsGetValue
0xf34224 VirtualProtect
0xf34228 VirtualQuery
0xf3422c WideCharToMultiByte
0xf34230 lstrlenA
msvcrt.dll
0xf34238 __getmainargs
0xf3423c __initenv
0xf34240 __lconv_init
0xf34244 __mb_cur_max
0xf34248 __p__acmdln
0xf3424c __p__commode
0xf34250 __p__fmode
0xf34254 __set_app_type
0xf34258 __setusermatherr
0xf3425c _amsg_exit
0xf34260 _assert
0xf34264 _cexit
0xf34268 _errno
0xf3426c _chsize
0xf34270 _filelengthi64
0xf34274 _fileno
0xf34278 _initterm
0xf3427c _iob
0xf34280 _lock
0xf34284 _onexit
0xf34288 _unlock
0xf3428c abort
0xf34290 atoi
0xf34294 calloc
0xf34298 exit
0xf3429c fclose
0xf342a0 fflush
0xf342a4 fgetpos
0xf342a8 fopen
0xf342ac fputc
0xf342b0 fread
0xf342b4 free
0xf342b8 freopen
0xf342bc fsetpos
0xf342c0 fwrite
0xf342c4 getc
0xf342c8 islower
0xf342cc isspace
0xf342d0 isupper
0xf342d4 isxdigit
0xf342d8 localeconv
0xf342dc malloc
0xf342e0 memcmp
0xf342e4 memcpy
0xf342e8 memmove
0xf342ec memset
0xf342f0 mktime
0xf342f4 localtime
0xf342f8 difftime
0xf342fc _mkdir
0xf34300 perror
0xf34304 puts
0xf34308 realloc
0xf3430c remove
0xf34310 setlocale
0xf34314 signal
0xf34318 strchr
0xf3431c strcmp
0xf34320 strcpy
0xf34324 strerror
0xf34328 strlen
0xf3432c strncmp
0xf34330 strncpy
0xf34334 strtol
0xf34338 strtoul
0xf3433c tolower
0xf34340 ungetc
0xf34344 vfprintf
0xf34348 time
0xf3434c wcslen
0xf34350 wcstombs
0xf34354 _stat
0xf34358 _utime
0xf3435c _fileno
0xf34360 _chmod
SHELL32.dll
0xf34368 ShellExecuteA
EAT(Export Address Table) Library
0x4dddcf main