Summary | ZeroBOX

DOCUMENT.exe

Tags: APT, APT29, OS Processor Check, PE64, PE File, DLL

Category: FILE
Machine: s1_win7_x6402
Started: June 2, 2021, 11:16 a.m.
Completed: June 2, 2021, 11:19 a.m.

Size: 1.7MB
Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5: 1c3b8ae594cb4ce24c2680b47cebf808
SHA256: ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330
CRC32: 20CBA60A
ssdeep: 6144:GBv2rCsfI34JBE8LCiohg05tnCCRem/V9FkkKdKb+/++9GIyRv9QTaq+D/aYndvj:GBurzfI2B9roDtVcKb+/+EzD+7aJ
PDB Path: C:\Users\dev\Desktop\나타나게 하다\Dll6\x64\Release\Dll6.pdb
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)
  • IsDLL - (no description)
  • APT_APT29_Win_FlipFlop_LDR - A loader for the CobaltStrike malware family, which ultimately takes the first and second bytes of an embedded file, and flips them prior to executing the resulting payload.
  • OS_Processor_Check_Zero - OS Processor Check

IP Address Status Action
164.124.101.2 Active Moloch
172.217.25.14 Active Moloch
178.162.217.107 Active Moloch
5.79.71.225 Active Moloch
85.17.31.82 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

API calls (columns: Time & API, Arguments, Status, Return, Repeated)

GetComputerNameA
  Arguments:
    computer_name: TEST22-PC
  Status / Return / Repeated: 1 1 0

IsDebuggerPresent
  Status / Return / Repeated: 0 0

IsDebuggerPresent
  Status / Return / Repeated: 0 0

pdb_path: C:\Users\dev\Desktop\나타나게 하다\Dll6\x64\Release\Dll6.pdb

NtProtectVirtualMemory
  Arguments:
    process_identifier: 2864
    stack_dep_bypass: 0
    stack_pivoted: 0
    heap_dep_bypass: 0
    length: 4096
    protection: 64 (PAGE_EXECUTE_READWRITE)
    base_address: 0x00000000735bc000
    process_handle: 0xffffffffffffffff
  Status / Return / Repeated: 1 0 0

NtProtectVirtualMemory
  Arguments:
    process_identifier: 2864
    stack_dep_bypass: 0
    stack_pivoted: 0
    heap_dep_bypass: 1
    length: 262144
    protection: 32 (PAGE_EXECUTE_READ)
    base_address: 0x0000000001db0000
    process_handle: 0xffffffffffffffff
  Status / Return / Repeated: 1 0 0

GetAdaptersAddresses
  Arguments:
    flags: 0
    family: 2
  Status / Return / Repeated: 111 0
host 172.217.25.14
file C:\Windows\System32\vboxdisp.dll
file C:\Windows\System32\vboxhook.dll
file C:\Windows\System32\vboxmrxnp.dll
file C:\Windows\System32\vboxogl.dll
file C:\Windows\System32\vboxoglarrayspu.dll
file C:\Windows\System32\vboxoglcrutil.dll
file C:\Windows\System32\vboxoglerrorspu.dll
file C:\Windows\System32\vboxoglfeedbackspu.dll
file C:\Windows\System32\vboxoglpackspu.dll
file C:\Windows\System32\drivers\VBoxSF.sys
file C:\Windows\System32\VBoxControl.exe
file C:\Windows\System32\vboxservice.exe
file C:\Windows\System32\vboxtray.exe
file C:\Windows\System32\drivers\VBoxGuest.sys
file C:\Windows\System32\drivers\VBoxVideo.sys
registry HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions
registry HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\VBOX__
registry HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
registry HKEY_LOCAL_MACHINE\HARDWARE\ACPI\RSDT\VBOX__
registry HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools
Cynet Malicious (score: 99)
CAT-QuickHeal Trojan.Khalesi
ALYac Trojan.Agent.CobaltStrike
Malwarebytes Trojan.CobaltStrike
K7AntiVirus Trojan ( 0057d2181 )
Alibaba Trojan:Win32/Khalesi.849e3ee7
K7GW Trojan ( 0057d2181 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.NativeZone.2
Cyren W64/Cobaltstrike.C.gen!Eldorado
Symantec Backdoor.Cobalt
ESET-NOD32 a variant of Win64/Rozena.KA
TrendMicro-HouseCall Trojan.Win64.COBEACON.SUM
Paloalto generic.ml
Kaspersky Trojan.Win32.Khalesi.jaqc
BitDefender Gen:Variant.NativeZone.2
ViRobot Trojan.Win64.S.Cobalt.1747968
MicroWorld-eScan Gen:Variant.NativeZone.2
Avast Win64:Trojan-gen
Ad-Aware Gen:Variant.NativeZone.2
Emsisoft Gen:Variant.NativeZone.2 (B)
Comodo Malware@#nhkruipfa8c3
VIPRE Trojan.Win32.Generic!BT
TrendMicro Trojan.Win64.COBEACON.SUM
McAfee-GW-Edition Artemis!Trojan
FireEye Gen:Variant.NativeZone.2
Sophos Mal/Generic-S + Troj/Cobalt-BQ
Jiangmin Trojan.Khalesi.apzn
MaxSecure Trojan.Malware.118402540.susgen
Avira TR/Rozena.kphbb
MAX malware (ai score=100)
Kingsoft Win32.Troj.Khalesi.ja.(kcloud)
Gridinsoft Trojan.Win64.Agent.oa
Microsoft Trojan:Win32/NativeZone.C!dha
AegisLab Trojan.Win32.Khalesi.4!c
ZoneAlarm Trojan.Win32.Khalesi.jaqc
GData Gen:Variant.NativeZone.2
AhnLab-V3 Trojan/Win.CobaltStrike.R423201
McAfee Trojan-FTRB!1C3B8AE594CB
VBA32 Trojan.Khalesi
Cylance Unsafe
Rising Backdoor.CobaltLoader!1.D6C6 (CLASSIC)
Ikarus Trojan.Win64.Rozena
Fortinet W32/Khalesi.JAQC!tr
Webroot W32.Trojan.Gen
AVG Win64:Trojan-gen
Panda Trj/CI.A
dead_host 85.17.31.82:443
dead_host 178.162.217.107:443
dead_host 5.79.71.225:443