Summary | ZeroBOX

test.exe

Malicious Library PE64 PE File
Category FILE
Machine s1_win7_x6402
Started Oct. 29, 2021, 6:28 p.m.
Completed Oct. 29, 2021, 6:30 p.m.
Size 281.5KB
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5 5dfe5aee3f22321fe7efbb310a79a235
SHA256 83653a93fc7d8cba1b6d9bcc7650a10b1b7f0c10ab2b1c112f9d1b7d37333051
CRC32 5FF0352B
ssdeep 6144:6CAZKYdFL8YrBZp4U4RriT4RxcqwjHzr5vkx1OQ:OZFD/NuFiTkx9wjHzr5BQ
Yara
  • IsPE64 - (no description)
  • PE_Header_Zero - PE File Signature
  • Malicious_Library_Zero - Malicious_Library

IP Address Status Action
164.124.101.2 Active Moloch
172.67.159.138 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49176 -> 172.67.159.138:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49175 -> 172.67.159.138:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49177 -> 172.67.159.138:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1 192.168.56.102:49176 -> 172.67.159.138:443
Issuer None
Subject None
Fingerprint None

TLSv1 192.168.56.102:49175 -> 172.67.159.138:443
Issuer C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3
Subject C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com
Fingerprint dd:8f:b2:73:61:e0:5d:5d:f2:9b:06:75:7c:ee:cd:a3:37:1f:14:ae

TLSv1 192.168.56.102:49177 -> 172.67.159.138:443
Issuer C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3
Subject C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com
Fingerprint dd:8f:b2:73:61:e0:5d:5d:f2:9b:06:75:7c:ee:cd:a3:37:1f:14:ae

Time & API Arguments Status Return Repeated

GetComputerNameA
  computer_name: TEST22-PC
  Status 1, Return 1, Repeated 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
request GET https://updata.microsoft-api.workers.dev/be.css
description test.exe tried to sleep 194 seconds, actually delayed analysis time by 194 seconds
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory
  process_identifier: 1752
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 1
  length: 266240
  protection: 32 (PAGE_EXECUTE_READ)
  base_address: 0x00000000005b0000
  process_handle: 0xffffffffffffffff
  Status 1, Return 0, Repeated 0
section {size_of_data: 0x00042600, virtual_address: 0x00004000, entropy: 7.1952516660407895, name: .data, virtual_size: 0x00042490} entropy 7.19525166604 description A section with a high entropy has been found
entropy 0.946524064171 description Overall entropy of this PE file is high
Lionic Trojan.Win64.CobaltStrike.4!c
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
CAT-QuickHeal Trojan.CobaltStr.S17675256
ALYac Gen:Variant.Ursu.350187
Cylance Unsafe
Sangfor Trojan.Win32.CobaltStrike
Alibaba Trojan:Win32/CozyDuke.1012
K7GW Trojan ( 00580b4c1 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Ursu.D557EB
Cyren W64/Cobalt.A.gen!Eldorado
Symantec Backdoor.Cobalt!gen1
ESET-NOD32 a variant of Win64/CobaltStrike.Artifact.A
APEX Malicious
Avast Win64:HacktoolX-gen [Trj]
ClamAV Win.Trojan.CobaltStrike-9044898-1
Kaspersky HEUR:Trojan.Win64.CobaltStrike.gen
BitDefender Gen:Variant.Ursu.350187
ViRobot Trojan.Win32.Z.Cobaltstrike.288256.OH
MicroWorld-eScan Gen:Variant.Ursu.350187
Tencent Hacktool.Win32.CobaltStrike.zb
Ad-Aware Gen:Variant.Ursu.350187
Sophos ML/PE-A + ATK/Cobalt-CC
DrWeb BackDoor.Meterpreter.157
TrendMicro Backdoor.Win64.COBEACON.SMA
McAfee-GW-Edition Trojan-FSXF!5DFE5AEE3F22
FireEye Generic.mg.5dfe5aee3f22321f
Emsisoft Gen:Variant.Ursu.350187 (B)
Ikarus Trojan.Win64.Cobaltstrike
Jiangmin Trojan.Generic.fsici
Avira HEUR/AGEN.1137815
Antiy-AVL Trojan/Generic.ASMalwS.30B56F3
Gridinsoft Trojan.Win64.Agent.oa!s1
Microsoft Trojan:Win32/Cobaltstrike.MK!MTB
ZoneAlarm HEUR:Trojan.Win64.CobaltStrike.gen
GData Gen:Variant.Ursu.350187
TACHYON Trojan/W64.CobaltStrike.288256
AhnLab-V3 Trojan/Win64.CobaltStrike.R356638
McAfee Trojan-FSXF!5DFE5AEE3F22
MAX malware (ai score=81)
Malwarebytes Trojan.CobaltStrike
TrendMicro-HouseCall Backdoor.Win64.COBEACON.SMA
Rising Backdoor.CobaltStrike/x64!1.D04A (CLASSIC)
SentinelOne Static AI - Malicious PE
eGambit Unsafe.AI_Score_87%
Fortinet W64/Agent.CY!tr
AVG Win64:HacktoolX-gen [Trj]
Cybereason malicious.e3f223
Paloalto generic.ml