popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

build_2021-09-11_01-55.exe

Cobalt Strike Darkside Ransomware Admin Tool (Sysinternals etc ...) Malicious Library PE File OS Processor Check PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 Sept. 12, 2021, 2:45 p.m. Sept. 12, 2021, 3:06 p.m.
Size 739.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 3ccf44c470e00c5f42ca53044a0609ab
SHA256 201b9ae09934efbe33dd9ac919d1a6600cdf336bf60ea50c8d2078caed49dfe3
CRC32 1149ED2B
ssdeep 12288:JhADa9u8u86WVmbFcuuiyWiQfVescboK/0uMV+1Es5JhrMpQSAe2PiukC/gTBSY:zADEr8bFpTiwVWK+as/hAaaKy
PDB Path C:\xoninufoca\zocafitecu\kiyamawux rulepaxoyu-yez.pdb
Yara
  • Admin_Tool_IN_Zero - Admin Tool Sysinternals
  • PE_Header_Zero - PE File Signature
  • OS_Processor_Check_Zero - OS Processor Check
  • Malicious_Library_Zero - Malicious_Library
  • Trojan_DarkSide_Ransomware_1_Zero - Darkside Ransomware
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

pdb_path C:\xoninufoca\zocafitecu\kiyamawux rulepaxoyu-yez.pdb
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 1660
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 499712
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02d8e000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1660
region_size: 856064
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04480000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
section {u'size_of_data': u'0x0007b200', u'virtual_address': u'0x00027000', u'entropy': 7.9865723840558625, u'name': u'.data', u'virtual_size': u'0x02783cbc'} entropy 7.98657238406 description A section with a high entropy has been found
entropy 0.667344173442 description Overall entropy of this PE file is high
Bkav W32.AIDetect.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Fragtor.18528
CAT-QuickHeal Ransom.Stop.Z5
McAfee RDN/Generic.grp
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (W)
BitDefenderTheta Gen:NN.ZexaF.34142.UuW@a4lXLcdO
Symantec Trojan.Gen.2
ESET-NOD32 a variant of Win32/Kryptik.HMKR
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan.Win32.Chapak.gen
BitDefender Trojan.GenericKDZ.77607
Avast Win32:CrypterX-gen [Trj]
Ad-Aware Gen:Variant.Fragtor.18528
Emsisoft Trojan.GenericKDZ.77607 (B)
F-Secure Trojan.TR/YAV.Minerva.pndpu
DrWeb Trojan.MulDrop18.41125
McAfee-GW-Edition BehavesLike.Win32.Emotet.bc
FireEye Generic.mg.3ccf44c470e00c5f
Sophos ML/PE-A
Ikarus Trojan.Win32.Azorult
MaxSecure Trojan.Malware.300983.susgen
Avira TR/YAV.Minerva.pndpu
MAX malware (ai score=86)
Kingsoft Win32.Troj.Undef.(kcloud)
Microsoft Trojan:Win32/Sabsik.FL.B!ml
Arcabit Trojan.Fragtor.D4860
ZoneAlarm HEUR:Trojan.Win32.Chapak.gen
GData Trojan.GenericKDZ.77607
Cynet Malicious (score: 100)
AhnLab-V3 CoinMiner/Win.Glupteba.C4629935
Acronis suspicious
ALYac Gen:Variant.Fragtor.18528
VBA32 BScope.Trojan.AET.281105
Malwarebytes Trojan.MalPack
Rising Trojan.Kryptik!1.D975 (CLASSIC)
SentinelOne Static AI - Malicious PE
eGambit Unsafe.AI_Score_95%
AVG Win32:CrypterX-gen [Trj]
Cybereason malicious.7c7166
Panda Trj/Genetic.gen