Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 24, 2021, 7:06 p.m.	June 24, 2021, 7:15 p.m.

Size	14.0KB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`254a83dec82335daf2ca5eea7ea3fa9a`
SHA256	`fad4aa474affa78e820e731061ed7614feba095422465f0ca4c05a1f3506beb8`
CRC32	`012F237C`
ssdeep	`192:AVH+DgGK83SxHn2OQ/dmBI4KBfTgir+xzle4BoFP4VMqbqUqV/Qjo7AGa:At+kGKqbOCdWIVBff+xz44Be4LfCXAn`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library

staged.exe "C:\Users\test22\AppData\Local\Temp\staged.exe"
8232

Name	Response	Post-Analysis Lookup
sharkfishinguk.com	A 3.95.159.27	3.95.159.27

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
3.95.159.27	Active	Moloch
34.238.192.43	Active	Moloch
194.226.139.106	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49808 -> 34.238.192.43:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49808 34.238.192.43:443	C=, ST=, L=, O=, OU=, CN=	C=, ST=, L=, O=, OU=, CN=	6e:ce:5e:ce:41:92:68:3d:2d:84:e2:5b:0b:a7:e0:4f:9c:b7:eb:7c

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA June 24, 2021, 7:06 p.m.	computer_name: TEST22-PC	1	1	0

Performs some HTTP requests (1 event)

request

GET https://ajax.aspnetcdn.com/ajax/jquery.ui/1.12.1/jquery-ui.min.js

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 24, 2021, 7:06 p.m.	process_identifier: 8232 region_size: 4194304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03ca0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

A process attempted to delay the analysis task. (1 event)

description

staged.exe tried to sleep 206 seconds, actually delayed analysis time by 206 seconds

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 24, 2021, 7:06 p.m.	process_identifier: 8232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x004d0000 process_handle: 0xffffffff	1	0	0

Communicates with host for which no DNS query was performed (3 events)

host	172.217.25.14
host	34.238.192.43
host	194.226.139.106

Network activity contains more than one unique useragent (2 events)

process	staged.exe				useragent
process	staged.exe				useragent	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Safari/537.36 Edg/80.0.361.62

File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Fugrafa.858
FireEye	Generic.mg.254a83dec82335da
McAfee	GenericRXMO-OO!254A83DEC823
Cylance	Unsafe
Zillya	Trojan.Rozena.Win32.99309
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005622831 )
K7GW	Trojan ( 005622831 )
Cyren	W32/Diple.G.gen!Eldorado
Symantec	Backdoor.Cobalt
ESET-NOD32	a variant of Win32/Rozena.AMZ
TrendMicro-HouseCall	Trojan.Win32.COBALT.SM
Avast	Win32:Trojan-gen
ClamAV	Win.Trojan.CobaltStrike-7899872-1
Kaspersky	HEUR:Trojan.Win32.CobaltStrike.gen
BitDefender	Gen:Variant.Fugrafa.858
NANO-Antivirus	Trojan.Win32.Inject3.horsiq
Paloalto	generic.ml
APEX	Malicious
Tencent	Malware.Win32.Gencirc.10ce3d9a
Ad-Aware	Gen:Variant.Fugrafa.858
TACHYON	Trojan/W32.Agent.14336.WO
Sophos	ML/PE-A + ATK/Cobalt-A
DrWeb	Trojan.Inject3.2700
TrendMicro	Trojan.Win32.COBALT.SM
McAfee-GW-Edition	GenericRXMO-OO!254A83DEC823
Emsisoft	Gen:Variant.Fugrafa.858 (B)
Ikarus	Trojan.Win32.Rozena
GData	Gen:Variant.Fugrafa.858
Jiangmin	Trojan.Generic.ftawl
MaxSecure	Trojan.Malware.300983.susgen
Avira	TR/Crypt.XPACK.Gen7
Antiy-AVL	Trojan/Generic.ASMalwS.30BBA6D
Gridinsoft	Trojan.Win32.Heur.oa!s1
ViRobot	Trojan.Win32.Cobalt.14336.J
ZoneAlarm	HEUR:Trojan.Win32.Generic
Microsoft	Trojan:Win32/Cobaltstrike.MK!MTB
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.CobaltStrike.R329694
VBA32	TScope.Malware-Cryptor.SB
ALYac	Gen:Variant.Fugrafa.858
MAX	malware (ai score=82)
Malwarebytes	Trojan.CobaltStrike
Rising	Backdoor.CobaltStrike!1.D049 (CLASSIC)
Yandex	Trojan.GenAsa!/C5jzoNrl5s
SentinelOne	Static AI - Malicious PE
Fortinet	W32/Generic.AP.118EACE!tr
AVG	Win32:Trojan-gen
Cybereason	malicious.ec8233

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (6 events)

dead_host	192.168.56.102:49813
dead_host	192.168.56.102:49814
dead_host	192.168.56.102:49811
dead_host	192.168.56.102:49809
dead_host	3.95.159.27:443
dead_host	192.168.56.102:49815

staged.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All