Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 29, 2021, 9:51 a.m.	July 29, 2021, 9:55 a.m.

Size	14.0KB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`6cac30135f4d5639c81e29e7d32d95e0`
SHA256	`18172c576df793d31efad7ab1623e2fcc15e8f744bc8381d1a8a63421963e3e6`
CRC32	`9DB03E50`
ssdeep	`192:A4H+DgGK83SxHn2OQ/dmBI4KBfTgir+xzWphagguzbqUqV/Qjo7AGa:AM+kGKqbOCdWIVBff+xzWv3fCXAn`
Yara	IsPE32 - (no description) UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature

file.exe "C:\Users\test22\AppData\Local\Temp\file.exe"
1772

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
45.140.17.74	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49164 -> 45.140.17.74:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.102:49162 -> 45.140.17.74:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.102:49163 -> 45.140.17.74:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49164 45.140.17.74:443	C=, ST=, L=, O=, OU=, CN=	C=, ST=, L=, O=, OU=, CN=	6e:ce:5e:ce:41:92:68:3d:2d:84:e2:5b:0b:a7:e0:4f:9c:b7:eb:7c
TLSv1 192.168.56.102:49162 45.140.17.74:443	C=, ST=, L=, O=, OU=, CN=	C=, ST=, L=, O=, OU=, CN=	6e:ce:5e:ce:41:92:68:3d:2d:84:e2:5b:0b:a7:e0:4f:9c:b7:eb:7c
TLSv1 192.168.56.102:49163 45.140.17.74:443	C=, ST=, L=, O=, OU=, CN=	C=, ST=, L=, O=, OU=, CN=	6e:ce:5e:ce:41:92:68:3d:2d:84:e2:5b:0b:a7:e0:4f:9c:b7:eb:7c

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA July 29, 2021, 9:51 a.m.	computer_name: TEST22-PC	1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	Connection to IP address				suspicious_request	GET https://45.140.17.74/aPr9
suspicious_features	Connection to IP address				suspicious_request	GET https://45.140.17.74/cx

Performs some HTTP requests (2 events)

request	GET https://45.140.17.74/aPr9
request	GET https://45.140.17.74/cx

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 29, 2021, 9:51 a.m.	process_identifier: 1772 region_size: 4194304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03ff0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory July 29, 2021, 9:51 a.m.	process_identifier: 1772 region_size: 253952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03110000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0

A process attempted to delay the analysis task. (1 event)

description

file.exe tried to sleep 171 seconds, actually delayed analysis time by 171 seconds

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 29, 2021, 9:51 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00500000 process_handle: 0xffffffff	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

45.140.17.74

Network activity contains more than one unique useragent (2 events)

process	file.exe				useragent
process	file.exe				useragent	Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)

File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 events)

DrWeb	Trojan.Inject3.2700
MicroWorld-eScan	Trojan.GenericKD.37289622
FireEye	Generic.mg.6cac30135f4d5639
ALYac	Trojan.GenericKD.37289622
Cylance	Unsafe
Zillya	Trojan.Rozena.Win32.99309
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005622831 )
Alibaba	Trojan:Win32/Rozena.132cfc78
K7GW	Trojan ( 005622831 )
Cybereason	malicious.35f4d5
Arcabit	Trojan.Generic.D238FE96
Cyren	W32/Diple.G.gen!Eldorado
Symantec	Backdoor.Cobalt
ESET-NOD32	a variant of Win32/Rozena.AMZ
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Trojan.CobaltStrike-7899872-1
BitDefender	Trojan.GenericKD.37289622
NANO-Antivirus	Trojan.Win32.Inject3.horsiq
Avast	Win32:Trojan-gen
Tencent	Malware.Win32.Gencirc.10ce3d9a
Ad-Aware	Trojan.GenericKD.37289622
Sophos	ML/PE-A + ATK/Cobalt-A
F-Secure	Trojan.TR/Crypt.XPACK.Gen7
TrendMicro	Trojan.Win32.COBALT.SM
McAfee-GW-Edition	Cobalt-EVTS!6CAC30135F4D
Emsisoft	Trojan.Rozena (A)
Ikarus	Win32.Outbreak
Jiangmin	Trojan.Generic.ftawl
Webroot	W32.Trojan.Cobaltstrike
Avira	TR/Crypt.XPACK.Gen7
MAX	malware (ai score=100)
Antiy-AVL	Trojan/Generic.ASMalwS.30BBA6D
Gridinsoft	Trojan.Win32.Heur.oa!s1
Microsoft	Trojan:Win32/Cobaltstrike.MK!MTB
ViRobot	Trojan.Win32.Cobalt.14336.J
ZoneAlarm	HEUR:Trojan.Win32.CobaltStrike.gen
GData	Trojan.GenericKD.37289622
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.CobaltStrike.R329694
McAfee	Cobalt-EVTS!6CAC30135F4D
TACHYON	Trojan/W32.Agent.14336.WO
VBA32	TScope.Malware-Cryptor.SB
Malwarebytes	Trojan.CobaltStrike
TrendMicro-HouseCall	Trojan.Win32.COBALT.SM
Rising	Backdoor.CobaltStrike!1.D049 (CLASSIC)
Yandex	Trojan.GenAsa!/C5jzoNrl5s
SentinelOne	Static AI - Malicious PE
Fortinet	W32/Generic.AP.118EACE!tr

file.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All