Summary | ZeroBOX

b4cfc49d647ebeffb99579dbd4be2a4ca779e3d36b60656aaa9d616ac343e991

Tags: CobaltStrike, Generic Malware, UPX, Malicious Library, Malicious Packer, PE64, PE File
Category: FILE
Machine: s1_win7_x6401
Started: Aug. 13, 2021, 10:19 a.m.
Completed: Aug. 13, 2021, 10:19 a.m.
Size 2.5MB
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5 b594afc619b7f19b04c125b093ddb099
SHA256 b4cfc49d647ebeffb99579dbd4be2a4ca779e3d36b60656aaa9d616ac343e991
CRC32 33E868BB
ssdeep 24576:lR5N5YQjiT5MEiIoSFfxnqq+/BIBRo/OWhUpH/f0HLa8q16:dH1jMJiIoMJnqq+/BIztx8He8q1
Yara
  • PE_Header_Zero - PE File Signature
  • Malicious_Packer_Zero - Malicious Packer
  • IsPE64 - (no description)
  • Generic_Malware_Zero - Generic Malware
  • CobaltStrike_IN - CobaltStrike
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library

DNS lookups (Name / Response / Post-Analysis Lookup): No hosts contacted.
IP Address: 164.124.101.2 | Status: Active | Action: Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section .symtab
Time & API Arguments Status Return Repeated

__exception__

stacktrace:

exception.instruction_r: ac 3c 61 7c 02 2c 20 41 c1 c9 0d 41 01 c1 e2 ed
exception.instruction: lodsb al, byte ptr [rsi]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x27870030
registers.r14: 1453503984
registers.r15: -1
registers.rcx: 110
registers.rsi: 110
registers.r10: 0
registers.rbx: 663159254
registers.rsp: 2292560
registers.r11: 514
registers.r8: 8791739670792
registers.r9: 0
registers.rdx: 1999578720
registers.r12: 46
registers.rbp: 663158794
registers.rdi: 0
registers.rax: 0
registers.r13: 1
Status: 1 | Return: 0 | Repeated: 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1016
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000027870000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
Status: 1 | Return: 0 | Repeated: 0
Lionic Trojan.Win64.Shelma.4!c
Symantec Trojan.Gen.MBT
APEX Malicious
Kaspersky Trojan.Win64.Shelma.mur
Avast FileRepMetagen [Malware]
Sophos Mal/Generic-R
Comodo TrojWare.Win32.UMal.ziapx@0
McAfee-GW-Edition Artemis!Trojan
Ikarus Win32.Outbreak
Webroot W32.Trojan.Gen
Avira TR/AD.PatchedWinSwrort.njyhr
Kingsoft Win32.Troj.Win64.m.(kcloud)
ZoneAlarm Trojan.Win64.Shelma.mur
Microsoft Trojan:Win32/Sabsik.FL.B!ml
Cynet Malicious (score: 100)
McAfee Artemis!B594AFC619B7
Fortinet W64/Shelma.MUR!tr
MaxSecure Trojan.Malware.300983.susgen
AVG FileRepMetagen [Malware]
Time & API Arguments Status Return Repeated

LdrGetProcedureAddress

ordinal: 0
function_address: 0x000007feff017a50
function_name: wine_get_version
module: ntdll
module_address: 0x00000000771c0000
Return: -1073741511 | Repeated: 0