Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 31, 2021, 12:47 p.m.	Aug. 31, 2021, 12:54 p.m.

Size	278.0KB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`8ffdda74390bca8ecb399d1b37868977`
SHA256	`8fad3190f946b88c729be6cd98c87b9bdc5ee9ed966b5c89776665a316471ad9`
CRC32	`F3C20741`
ssdeep	`6144:pRVTg7nOngOY9zX1slOmfX3QWRrb3+2cv:pjUyncdX1slOmfnbOl`
Yara	PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

mstsc.exe "C:\Users\test22\AppData\Local\Temp\mstsc.exe"
1108

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
111.90.151.16	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49200 -> 111.90.151.16:81	2032945	ET MALWARE Cobalt Strike Beacon Observed (MASB UA)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49202 -> 111.90.151.16:81	2032945	ET MALWARE Cobalt Strike Beacon Observed (MASB UA)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Aug. 31, 2021, 12:47 p.m.	computer_name: TEST22-PC	1	1	0

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 31, 2021, 12:47 p.m.	process_identifier: 1108 region_size: 253952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0

A process attempted to delay the analysis task. (1 event)

description

mstsc.exe tried to sleep 171 seconds, actually delayed analysis time by 171 seconds

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 31, 2021, 12:47 p.m.	process_identifier: 1108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 212992 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00960000 process_handle: 0xffffffff	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

111.90.151.16

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Trojan.Heur.rCW@IjUrmeb
FireEye	Generic.mg.8ffdda74390bca8e
McAfee	GenericRXMO-OO!8FFDDA74390B
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.4390bc
Cyren	W32/Diple.F.gen!Eldorado
Symantec	Backdoor.Cobalt
ESET-NOD32	a variant of Win32/Rozena.AMZ
APEX	Malicious
ClamAV	Win.Trojan.CobaltStrike-7899872-1
Kaspersky	HEUR:Trojan.Win32.CobaltStrike.gen
BitDefender	Gen:Trojan.Heur.rCW@IjUrmeb
NANO-Antivirus	Trojan.Win32.Rozena.hpcmlv
Avast	Win32:HacktoolX-gen [Trj]
Tencent	Hacktool.Win32.CobaltStrike.za
Ad-Aware	Gen:Trojan.Heur.rCW@IjUrmeb
TACHYON	Trojan/W32.Agent.284672.IN
Emsisoft	Trojan.Rozena (A)
DrWeb	BackDoor.Siggen2.247
TrendMicro	Trojan.Win32.COBALT.SM
McAfee-GW-Edition	BehavesLike.Win32.Trojan.dh
Sophos	ML/PE-A + ATK/Cobalt-CC
Ikarus	Trojan.Win32.Rozena
Avira	TR/Crypt.XPACK.Gen7
Antiy-AVL	Trojan/Generic.ASMalwS.30CAC8E
Gridinsoft	Trojan.Win32.Gen.oa!s1
Microsoft	Trojan:Win32/Cobaltstrike.MK!MTB
ViRobot	Trojan.Win32.Cobalt.284672.A
GData	Gen:Trojan.Heur.rCW@IjUrmeb
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.CobaltStrike.R329694
Acronis	suspicious
BitDefenderTheta	AI:Packer.594089D91B
ALYac	Gen:Trojan.Heur.rCW@IjUrmeb
MAX	malware (ai score=88)
VBA32	Trojan.CobaltStrike
Malwarebytes	Backdoor.Rozena
TrendMicro-HouseCall	Trojan.Win32.COBALT.SM
Rising	Backdoor.CobaltStrike!1.D049 (CLASSIC)
Yandex	Trojan.GenAsa!/C5jzoNrl5s
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_97%
Fortinet	W32/Generic.AP.118EACE!tr
AVG	Win32:HacktoolX-gen [Trj]
CrowdStrike	win/malicious_confidence_90% (D)
MaxSecure	Trojan.Malware.300983.susgen

mstsc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All