Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 10, 2021, 8:48 a.m.	April 10, 2021, 8:53 a.m.

Size	17.5KB
Type	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5	`5046b4c2a231193546d561943408d4f3`
SHA256	`7bc0fdc6b2caf2175c49bfbf735c70e462424aa45cf5d193bd8788eddac08c8c`
CRC32	`18D8231D`
ssdeep	`192:jDMAe4Ckj19RZZ6wpSfu1bKcq5uHj7khBDSeKNH4XpP4yQBUbOj6kxiY:jDMAoKz6WtKEj7aBDiy4PbAY`
Yara	win_files_operation - Affect private profile PE_Header_Zero - PE File Signature Zero IsPE64 - (no description) IsWindowsGUI - (no description) MinGW_1 - (no description)

visa.exe "C:\Users\test22\AppData\Local\Temp\visa.exe"
1468

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
104.236.24.153	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 10, 2021, 8:41 a.m.	process_identifier: 1468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000000000860000 process_handle: 0xffffffffffffffff	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

104.236.24.153

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

104.236.24.153:80

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)

Elastic	malicious (high confidence)
ClamAV	Win.Trojan.CobaltStrike-9044898-1
CAT-QuickHeal	Trojan.Generic
McAfee	Artemis!5046B4C2A231
Malwarebytes	Generic.Trojan.Malicious.DDS
Zillya	Tool.CobaltStrike.Win64.273
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	Trojan:Win32/CobaltStrike.9b04a4c9
K7GW	Trojan ( 0050e1491 )
K7AntiVirus	Trojan ( 0050e1491 )
Arcabit	Trojan.Bulz.D62F09
Cyren	W64/Ulise.BW.gen!Eldorado
Symantec	Backdoor.Cobalt!gen1
ESET-NOD32	a variant of Win64/RiskWare.CobaltStrike.Artifact.A
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Gen:Variant.Bulz.405257
MicroWorld-eScan	Gen:Variant.Bulz.405257
Avast	Win64:Malware-gen
Tencent	Malware.Win32.Gencirc.10ce3ce7
Ad-Aware	Gen:Variant.Bulz.405257
Emsisoft	Gen:Variant.Bulz.405257 (B)
DrWeb	Exploit.ShellCode.46
TrendMicro	Backdoor.Win64.COBEACON.SMA
McAfee-GW-Edition	Artemis!Trojan
FireEye	Generic.mg.5046b4c2a2311935
Sophos	ML/PE-A + ATK/Cobalt-A
Jiangmin	Trojan.Generic.fsibr
Avira	HEUR/AGEN.1139243
Gridinsoft	Trojan.Win64.Agent.oa!s1
Microsoft	Trojan:Win32/Cobaltstrike.MK!MTB
AegisLab	Trojan.Win32.Generic.4!c
GData	Gen:Variant.Bulz.405257
AhnLab-V3	Malware/Win64.RL_Generic.R360995
ALYac	Gen:Variant.Bulz.405257
MAX	malware (ai score=80)
VBA32	Exploit.Shellcode
Cylance	Unsafe
TrendMicro-HouseCall	Backdoor.Win64.COBEACON.SMA
Rising	Backdoor.CobaltStrike/x64!1.D04A (CLOUD)
Ikarus	Trojan-Downloader.Win64.Agent
eGambit	Unsafe.AI_Score_96%
Fortinet	W64/Agent.CY!tr
MaxSecure	Trojan.Malware.7164915.susgen
AVG	Win64:Malware-gen
Cybereason	malicious.2a2311
Qihoo-360	Win64/HackTool.CobaltStrike.H8oAWCcA

visa.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All