popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

clip.exe

Cobalt Strike Darkside Ransomware Admin Tool (Sysinternals etc ...) Malicious Library PE File OS Processor Check PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Sept. 11, 2021, 2:59 p.m. Sept. 11, 2021, 3:11 p.m.
Size 313.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 55f7df48adecada9346b12f5cd4d685a
SHA256 0d6b90a3b5727e7b5fdbb5af55a3a35e7ba8bae1858c6d6037efc5aedec0d60a
CRC32 C7155B18
ssdeep 3072:nzawPiwoCsLdkdXnMF9ezDXyfX0JlYCF7e8Dsfqyg3l0w1V/4FD2mkM2aifncKU:nzhiwoRuXMFkfyfX0jY1w5wFymk6
PDB Path C:\talabewasec\giw.pdb
Yara
  • Admin_Tool_IN_Zero - Admin Tool Sysinternals
  • PE_Header_Zero - PE File Signature
  • OS_Processor_Check_Zero - OS Processor Check
  • Malicious_Library_Zero - Malicious_Library
  • Trojan_DarkSide_Ransomware_1_Zero - Darkside Ransomware
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

pdb_path C:\talabewasec\giw.pdb
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 1896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 69632
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02f7e000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1896
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00320000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
section {u'size_of_data': u'0x00010c00', u'virtual_address': u'0x00027000', u'entropy': 7.754736307732061, u'name': u'.data', u'virtual_size': u'0x027197fc'} entropy 7.75473630773 description A section with a high entropy has been found
entropy 0.2144 description Overall entropy of this PE file is high