popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

aloy64.exe

UPX OS Processor Check PE64 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 Dec. 9, 2022, 10:23 a.m. Dec. 9, 2022, 10:25 a.m.
Size 387.0KB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 1cb5a9c2bc4adfe101f6069d525ba9b2
SHA256 40ab463703114d972269c34abeecf0f796c88c20cceaaf0e582ed0a132e556fa
CRC32 E5B637FD
ssdeep 6144:fduncjk3xxCY3Z57rsM/f+xpnW3IpULzArfC43Qp951nHhZW4oI29NyA6xUjqQ43:f1jkRLsGGxpnWjL8G4qot9NGxUjqQ4L
Yara
  • OS_Processor_Check_Zero - OS Processor Check
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
apps.identrust.com
A 23.44.173.97
CNAME a1952.dscq.akamai.net
CNAME identrust.edgesuite.net
A 23.44.173.113
23.43.165.66
aloyadakmashin.com
A 104.21.4.44
A 172.67.131.166
172.67.131.166
IP Address Status Action
104.21.4.44 Active Moloch
164.124.101.2 Active Moloch
23.44.173.97 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49169 -> 104.21.4.44:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49162 -> 104.21.4.44:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49166 -> 104.21.4.44:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.102:49169
104.21.4.44:443 		C=US, O=Let's Encrypt, CN=E1 CN=*.aloyadakmashin.com 47:62:0b:e6:2b:22:09:25:c2:dd:6e:4c:d7:e3:d6:27:c9:ac:3f:15
TLSv1
192.168.56.102:49162
104.21.4.44:443 		C=US, O=Let's Encrypt, CN=E1 CN=*.aloyadakmashin.com 47:62:0b:e6:2b:22:09:25:c2:dd:6e:4c:d7:e3:d6:27:c9:ac:3f:15
TLSv1
192.168.56.102:49166
104.21.4.44:443 		C=US, O=Let's Encrypt, CN=E1 CN=*.aloyadakmashin.com 47:62:0b:e6:2b:22:09:25:c2:dd:6e:4c:d7:e3:d6:27:c9:ac:3f:15

Time & API Arguments Status Return Repeated

GetComputerNameA

 computer_name: TEST22-PC
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
section .gfids
request GET http://apps.identrust.com/roots/dstrootcax3.p7c
request GET https://aloyadakmashin.com/wp-content/chunky/8uODOeX9A6h677hAR_wP4SNeevFUo28JctX6oX0Cyc1RyLjVKgDnzzecFDV1HC81DeYUiU26g4uSuk8HLG7KJ97SjzYuMsNsAIljaKX8tBBhPz2SuQul8jbxWqgrRph5LKUsU1L5nQSG_ND-TIGx6pAfnCWxhIq6WzPCrbjF9TqvNj9M/soup.gif
request GET https://aloyadakmashin.com/wp-content/chunky/rDB1NLsu9aUkPE5NGS_57H2NjPwKcJkELAYMrCPRP8APG07YdNMRwmlP4jgrz9k4UzXihBNpdYbMabkKcr08KoABeTtw4TVhXlqVZfsvQh0_7Muf59hT_2girKV1lW50cnbaXgwqawnYLybzElJH587MaijvV3y3BeA0oOYWAzfx5clB/soup.gif
request GET https://aloyadakmashin.com/wp-content/chunky/Scx5kV7S-QDBwELo_NP1SZhxgFnvjJWhyfoACcYtM2Xq50J9kS8dZ4yz7p3OM9WdtsnuIfaVeSMplbWvl0Ewj2X9dZ6VHTnEu6aZwB7TTrjaEMc6AiRfWo3eoACQaWLRl4rW--nWZ6w90ypW965LQiswZo0Kq3AS4Bw4BQPqD5IUGcXk/soup.gif
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 3040
region_size: 139264
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000004c0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3040
region_size: 262144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000004f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

 flags: 15
family: 0
111 0
section {u'size_of_data': u'0x00011e00', u'virtual_address': u'0x0004e000', u'entropy': 7.415068628157992, u'name': u'.data', u'virtual_size': u'0x000131b8'} entropy 7.41506862816 description A section with a high entropy has been found
Lionic Trojan.Win32.CobaltStrike.4!c
Elastic malicious (high confidence)
FireEye Generic.mg.1cb5a9c2bc4adfe1
McAfee Artemis!1CB5A9C2BC4A
CrowdStrike win/malicious_confidence_100% (W)
Symantec ML.Attribute.HighConfidence
APEX Malicious
Kaspersky UDS:Trojan.Win32.Cobalt.mxi
McAfee-GW-Edition BehavesLike.Win64.Generic.fh
Trapmine malicious.high.ml.score
Sophos Mal/Generic-S
Webroot W32.Trojan.Gen
Kingsoft Win32.Troj.Undef.(kcloud)
Microsoft Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm UDS:Trojan.Win32.Cobalt.mxi
Cynet Malicious (score: 100)
Rising Trojan.CobaltStrike!8.EDF2 (CLOUD)
AVG Win64:TrojanX-gen [Trj]
Cybereason malicious.98da31
Avast Win64:TrojanX-gen [Trj]