Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 1, 2021, 10:25 a.m.	Nov. 1, 2021, 10:42 a.m.

Size	722.5KB
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`97a33f10e994d32f43404eac8ff3bb02`
SHA256	`0ba7554e7d120ce355c6995c6af95542499e4ec2f6012ed16b32a85175761a94`
CRC32	`06E1C5C1`
ssdeep	`12288:dECr4PP2Y44oAVzbqXJOjqPDB1AaK93sPs5hEPMemDnEHoo7:dExjq7k93sPsrDemDnEHoS`
Yara	IsPE64 - (no description) PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check IsDLL - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trendmicro.dll,DllMain
2404
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trendmicro.dll,DllMain
  3032
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trendmicro.dll,DllRegisterServer
2524
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trendmicro.dll,DllRegisterServer
  1620
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trendmicro.dll,DllGetClassObject
2320
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trendmicro.dll,DllGetClassObject
  2452
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trendmicro.dll,DllUnregisterServer
2104
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trendmicro.dll,DllUnregisterServer
  2560
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trendmicro.dll,StartW
352
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trendmicro.dll,StartW
  2500
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\trendmicro.dll,
3036

Name	Response	Post-Analysis Lookup
nutsstats.com

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 1, 2021, 10:25 a.m.			0	0
IsDebuggerPresent Nov. 1, 2021, 10:25 a.m.			0	0
IsDebuggerPresent Nov. 1, 2021, 10:25 a.m.			0	0
IsDebuggerPresent Nov. 1, 2021, 10:25 a.m.			0	0
IsDebuggerPresent Nov. 1, 2021, 10:25 a.m.			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

_RDATA

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 1, 2021, 10:26 a.m.	stacktrace: 0x3d00030 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c exception.instruction_r: ac 3c 61 7c 02 2c 20 41 c1 c9 0d 41 01 c1 e2 ed exception.instruction: lodsb al, byte ptr [rsi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x3d00030 registers.r14: 1453503984 registers.r15: 0 registers.rcx: 110 registers.rsi: 110 registers.r10: 0 registers.rbx: 63963641 registers.rsp: 66515912 registers.r11: 514 registers.r8: 8791747600644 registers.r9: 0 registers.rdx: 2001282656 registers.r12: 0 registers.rbp: 63963146 registers.rdi: 0 registers.rax: 0 registers.r13: 0	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (5 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 1, 2021, 10:25 a.m.	process_identifier: 1620 region_size: 53248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000006bac0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:25 a.m.	process_identifier: 3032 region_size: 53248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000006bac0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:25 a.m.	process_identifier: 2452 region_size: 53248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000006bac0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:25 a.m.	process_identifier: 2500 region_size: 53248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000006bac0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 10:25 a.m.	process_identifier: 2560 region_size: 53248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000006bac0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 1, 2021, 10:25 a.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000000003d00000 process_handle: 0xffffffffffffffff	1	0	0

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Lionic	Trojan.Win64.Cobalt.4!c
MicroWorld-eScan	Trojan.GenericKD.37897443
FireEye	Trojan.GenericKD.37897443
ALYac	Trojan.GenericKD.37897443
Cylance	Unsafe
Sangfor	Trojan.Win64.Cobalt.gen
Alibaba	Trojan:Win64/Cobalt.6ca2237b
K7GW	Trojan ( 00588b491 )
K7AntiVirus	Trojan ( 00588b491 )
Arcabit	Trojan.Generic.D24244E3
Symantec	Trojan.Gen.2
ESET-NOD32	Win64/CobaltStrike.Artifact.A
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.Win64.Cobalt.gen
BitDefender	Trojan.GenericKD.37897443
Avast	Win64:Trojan-gen
Tencent	Win64.Trojan.Cobalt.Huzb
Ad-Aware	Trojan.GenericKD.37897443
Emsisoft	Trojan.GenericKD.37897443 (B)
F-Secure	Trojan.TR/Kryptik.bdjbc
DrWeb	BackDoor.CobaltStrike.1
TrendMicro	Trojan.Win64.BAZARLOADER.SMYXBIMZ
McAfee-GW-Edition	Artemis!Trojan
Sophos	Mal/Generic-S
Jiangmin	Trojan.Cobalt.uo
Webroot	W32.Trojan.Gen
Avira	TR/Kryptik.bdjbc
MAX	malware (ai score=88)
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	HEUR:Trojan.Win64.Cobalt.gen
GData	Trojan.GenericKD.37897443
Cynet	Malicious (score: 100)
McAfee	Artemis!97A33F10E994
Malwarebytes	Trojan.Bazar
Ikarus	Trojan.Win64.Crypt
Fortinet	W64/BazarLoader.AS!tr
AVG	Win64:Trojan-gen
Panda	Trj/CI.A

trendmicro.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All