Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 12, 2022, 5:52 p.m.	Dec. 12, 2022, 5:54 p.m.

Size	278.0KB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`d8d8cb60d196a26765261b1ca8604d1e`
SHA256	`2f4fc4fa579889b69b00bf7a19ae05eb737bc8afdcb41858761d678fa232a6c1`
CRC32	`B8899CA8`
ssdeep	`6144:kReAPthOUKR5z6VrRLM7VEq8Hnm1wb+1ES:kIAlhNKR5zELM7LyWw61`
Yara	IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature

43.exe "C:\Users\test22\AppData\Local\Temp\43.exe"
1460

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
5.253.234.40	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Dec. 12, 2022, 5:50 p.m.	computer_name: TEST22-PC	1	1	0

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 1460 region_size: 253952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00700000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0

A process attempted to delay the analysis task. (1 event)

description

43.exe tried to sleep 171 seconds, actually delayed analysis time by 171 seconds

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 212992 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x006a0000 process_handle: 0xffffffff	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

5.253.234.40

File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 events)

Bkav	W32.AIDetect.malware1
Lionic	Trojan.Win64.CozyDuke.trLC
MicroWorld-eScan	Trojan.GenericKDZ.89145
FireEye	Generic.mg.d8d8cb60d196a267
McAfee	CobaltStrike-so!D8D8CB60D196
Cylance	Unsafe
VIPRE	Trojan.GenericKDZ.89145
Sangfor	Trojan.Win32.CobaltStrike
K7AntiVirus	Trojan ( 005622831 )
Alibaba	Trojan:Win32/CozyDuke.1011
K7GW	Trojan ( 005622831 )
Cybereason	malicious.0d196a
Arcabit	Trojan.Generic.D15C39
VirIT	Trojan.Win32.Genus.CYE
Cyren	W32/Diple.F.gen!Eldorado
Symantec	Backdoor.Cobalt
Elastic	Windows.Trojan.CobaltStrike
ESET-NOD32	Win32/Rozena.SA
Cynet	Malicious (score: 100)
APEX	Malicious
ClamAV	Win.Trojan.CobaltStrike-7899872-1
Kaspersky	HEUR:Trojan.Win32.CobaltStrike.gen
BitDefender	Trojan.GenericKDZ.89145
NANO-Antivirus	Trojan.Win32.Rozena.hpcmlv
Avast	Win32:HacktoolX-gen [Trj]
Tencent	Hacktool.Win32.CobaltStrike.za
Ad-Aware	Trojan.GenericKDZ.89145
TACHYON	Trojan/W32.Agent.284672.IN
Emsisoft	Trojan.Rozena (A)
DrWeb	BackDoor.Siggen2.247
TrendMicro	Trojan.Win32.COBALT.SM
McAfee-GW-Edition	BehavesLike.Win32.Generic.dh
Sophos	ATK/Cobalt-CC
SentinelOne	Static AI - Malicious PE
Jiangmin	Trojan.Cometer.aww
Avira	TR/Crypt.XPACK.Gen7
Antiy-AVL	Trojan/Win32.Cometer
Gridinsoft	Trojan.Win32.Gen.oa!s1
Microsoft	Backdoor:Win64/CobaltStrike.NP!dha
ViRobot	Trojan.Win32.Cobalt.284672.A
ZoneAlarm	HEUR:Trojan.Win32.CobaltStrike.gen
GData	Trojan.GenericKDZ.89145
Google	Detected
AhnLab-V3	Trojan/Win32.CobaltStrike.R329694
Acronis	suspicious
BitDefenderTheta	AI:Packer.256D82581B
ALYac	Trojan.GenericKDZ.89145
MAX	malware (ai score=82)
VBA32	Trojan.CobaltStrike
Malwarebytes	Rozena.Trojan.Shell.DDS

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 events)

dead_host	192.168.56.103:49163
dead_host	5.253.234.40:7777
dead_host	192.168.56.103:49165

43.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All