Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 29, 2023, 5:32 p.m.	March 29, 2023, 5:48 p.m.

Size	284.5KB
Type	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`54a5f1bf56bb033fabafce49f03f6794`
SHA256	`ba79214e7710368ac5a31fd31dd0ac3c06747dc19c8d2351e269f34d13e9525e`
CRC32	`3BA27968`
ssdeep	`6144:kaRthwnolFjehLmM56GFivgnx6j5qDc4bf1cf:katXFjgiw6Mggnsqo4bfA`
Yara	Malicious_Library_Zero - Malicious_Library IsDLL - (no description) IsPE32 - (no description) PE_Header_Zero - PE File Signature

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cubalibre2.dll,DllMain
1488
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cubalibre2.dll,DllRegisterServer
2132
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cubalibre2.dll,DllGetClassObject
1508
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cubalibre2.dll,DllUnregisterServer
2224
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cubalibre2.dll,StartW
2344
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cubalibre2.dll,
2460

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
212.193.30.14	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 212.193.30.14:10443 -> 192.168.56.103:49187	2260001	SURICATA Applayer Wrong direction first Data	Generic Protocol Command Decode
TCP 212.193.30.14:10443 -> 192.168.56.103:49191	2260001	SURICATA Applayer Wrong direction first Data	Generic Protocol Command Decode
TCP 212.193.30.14:10443 -> 192.168.56.103:49207	2260001	SURICATA Applayer Wrong direction first Data	Generic Protocol Command Decode
TCP 212.193.30.14:10443 -> 192.168.56.103:49195	2260001	SURICATA Applayer Wrong direction first Data	Generic Protocol Command Decode
TCP 212.193.30.14:10443 -> 192.168.56.103:49174	2260001	SURICATA Applayer Wrong direction first Data	Generic Protocol Command Decode
TCP 212.193.30.14:10443 -> 192.168.56.103:49203	2260001	SURICATA Applayer Wrong direction first Data	Generic Protocol Command Decode
TCP 212.193.30.14:10443 -> 192.168.56.103:49211	2260001	SURICATA Applayer Wrong direction first Data	Generic Protocol Command Decode
TCP 212.193.30.14:10443 -> 192.168.56.103:49199	2260001	SURICATA Applayer Wrong direction first Data	Generic Protocol Command Decode
TCP 212.193.30.14:10443 -> 192.168.56.103:49215	2260001	SURICATA Applayer Wrong direction first Data	Generic Protocol Command Decode
TCP 212.193.30.14:10443 -> 192.168.56.103:49179	2260001	SURICATA Applayer Wrong direction first Data	Generic Protocol Command Decode
TCP 212.193.30.14:10443 -> 192.168.56.103:49170	2260001	SURICATA Applayer Wrong direction first Data	Generic Protocol Command Decode
TCP 212.193.30.14:10443 -> 192.168.56.103:49183	2260001	SURICATA Applayer Wrong direction first Data	Generic Protocol Command Decode

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA March 29, 2023, 5:32 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 29, 2023, 5:32 p.m.			0	0
IsDebuggerPresent March 29, 2023, 5:32 p.m.			0	0
IsDebuggerPresent March 29, 2023, 5:32 p.m.			0	0
IsDebuggerPresent March 29, 2023, 5:32 p.m.			0	0
IsDebuggerPresent March 29, 2023, 5:32 p.m.			0	0

Allocates read-write-execute memory (usually to unpack itself) (20 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 29, 2023, 5:32 p.m.	process_identifier: 1488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6bb0a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 29, 2023, 5:32 p.m.	process_identifier: 1488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 29, 2023, 5:32 p.m.	process_identifier: 1488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74471000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 29, 2023, 5:32 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6bb0a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 29, 2023, 5:32 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 29, 2023, 5:32 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74451000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 29, 2023, 5:32 p.m.	process_identifier: 1508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6bb0a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 29, 2023, 5:32 p.m.	process_identifier: 1508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74420000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 29, 2023, 5:32 p.m.	process_identifier: 1508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 29, 2023, 5:32 p.m.	process_identifier: 2224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6bb0a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 29, 2023, 5:32 p.m.	process_identifier: 2224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74420000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 29, 2023, 5:32 p.m.	process_identifier: 2224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 29, 2023, 5:32 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6bb0a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 29, 2023, 5:32 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 29, 2023, 5:32 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74471000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 29, 2023, 5:32 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75931000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 29, 2023, 5:32 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76e01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 29, 2023, 5:32 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x752e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 29, 2023, 5:32 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 29, 2023, 5:32 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74451000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

rundll32.exe tried to sleep 150 seconds, actually delayed analysis time by 150 seconds

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 29, 2023, 5:32 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 225280 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00590000 process_handle: 0xffffffff	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

212.193.30.14

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Lionic	Trojan.Win32.CobaltStrike.4!c
Elastic	Windows.Trojan.CobaltStrike
Cynet	Malicious (score: 100)
CAT-QuickHeal	Backdoor.Cobaltstrike
McAfee	Injector-FEY.c!54A5F1BF56BB
Cylance	unsafe
Sangfor	Trojan.Win32.CobaltStrike
K7AntiVirus	Riskware ( 00584baa1 )
Alibaba	Trojan:Win32/Rozena.4c0
K7GW	Riskware ( 00584baa1 )
CrowdStrike	win/malicious_confidence_100% (W)
Cyren	W32/ABRisk.SAJV-1141
Symantec	Backdoor.Cobalt
ESET-NOD32	a variant of Win32/CobaltStrike.Artifact.A
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Countermeasure.LoaderWinGeneric-9804845-2
Kaspersky	HEUR:Trojan.Win32.CobaltStrike.gen
BitDefender	Gen:Variant.FochiBlz.7924
NANO-Antivirus	Trojan.Win32.CobaltStrike.jsnzvk
ViRobot	Trojan.Win.Z.Cobaltstrike.291328.C
MicroWorld-eScan	Gen:Variant.FochiBlz.7924
Avast	Win32:Malware-gen
Rising	Backdoor.CobaltStrike!8.11F7B (CLOUD)
Emsisoft	Gen:Variant.FochiBlz.7924 (B)
VIPRE	Gen:Variant.FochiBlz.7924
TrendMicro	Ransom.Win32.HIVE.SMYXBJR.hp
McAfee-GW-Edition	Injector-FEY.c!54A5F1BF56BB
FireEye	Generic.mg.54a5f1bf56bb033f
Sophos	ATK/Cobalt-W
Ikarus	PUA.RiskWare.Cobaltstrike
GData	Gen:Variant.FochiBlz.7924
Jiangmin	Trojan.Cometer.cse
Avira	HEUR/AGEN.1362273
MAX	malware (ai score=83)
Antiy-AVL	RiskWare/Win32.Artifact
Arcabit	Trojan.FochiBlz.D1EF4
ZoneAlarm	HEUR:Trojan.Win32.CobaltStrike.gen
Microsoft	Backdoor:Win64/CobaltStrike.NP!dha
Google	Detected
AhnLab-V3	Trojan/Win.FEY.R512891
Acronis	suspicious
BitDefenderTheta	Gen:NN.ZedlaF.36344.rK4@aug8n!d
ALYac	Gen:Variant.FochiBlz.7924
TACHYON	Trojan/W64.Cobalt.291328
VBA32	BScope.Trojan.Swrort
TrendMicro-HouseCall	Trojan.Win32.COBALT.SM
Tencent	Malware.Win32.Gencirc.10bda54b
SentinelOne	Static AI - Suspicious PE
Fortinet	Riskware/CobaltStrike_Artifact

cubalibre2

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All