Summary | ZeroBOX

code.exe

Malicious Library UPX OS Processor Check PE64 PE File
Category Machine Started Completed
FILE s1_win7_x6401 July 26, 2023, 5:26 p.m. July 26, 2023, 5:32 p.m.
Size 112.0KB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 e4efed1ac69b15ff3dfc8024a28eb967
SHA256 a92a6d6f59fd04e04c6f911e39219c61eb6013e6db92905796642092dc1ce3d7
CRC32 AB54159D
ssdeep 3072:V6F1nkPsgo2qtM6ri5ITVTrf3/h/J5BdtEsh:Y3kPQ2qtre5IThrHh/pHEsh
Yara
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check
  • IsPE64 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
104.208.85.234 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49165 -> 104.208.85.234:26509 2033713 ET MALWARE Cobalt Strike Beacon Observed Targeted Malicious Activity was Detected
TCP 192.168.56.101:49163 -> 104.208.85.234:26509 2033713 ET MALWARE Cobalt Strike Beacon Observed Targeted Malicious Activity was Detected
TCP 104.208.85.234:26509 -> 192.168.56.101:49162 2035442 ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1 A Network Trojan was detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameA

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section _RDATA
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000000053f000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 4194304
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002e50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 319488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002390000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0
host 104.208.85.234
process code.exe useragent
process code.exe useragent Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MANM)
Bkav W32.Common.038A36DE
Lionic Trojan.Win32.Cobalt.4!c
Cynet Malicious (score: 100)
CAT-QuickHeal Backdoor.Cobalt
ALYac Trojan.GenericKD.68253391
Cylance unsafe
VIPRE Trojan.GenericKD.68253391
Sangfor Backdoor.Win64.Cobalt.Vyzx
K7AntiVirus Trojan ( 005a5cf71 )
Alibaba Backdoor:Win32/Cobalt.e0cdc1c7
K7GW Trojan ( 005a5cf71 )
Cyren W64/ABRisk.VBWB-8053
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win64/Inject.Y.gen
APEX Malicious
Kaspersky Backdoor.Win32.Cobalt.efl
BitDefender Trojan.GenericKD.68253391
NANO-Antivirus Trojan.Win64.Cobalt.jxkbom
MicroWorld-eScan Trojan.GenericKD.68253391
Avast Win64:BackdoorX-gen [Trj]
Tencent Malware.Win32.Gencirc.13e480d5
Emsisoft Trojan.GenericKD.68253391 (B)
F-Secure Heuristic.HEUR/AGEN.1363347
DrWeb BackDoor.Meterpreter.157
TrendMicro Backdoor.Win64.COBEACON.YXDGTZ
McAfee-GW-Edition Artemis!Trojan
FireEye Generic.mg.e4efed1ac69b15ff
Sophos Mal/Generic-S
GData Trojan.GenericKD.68253391
Webroot W32.Trojan.Gen
Avira HEUR/AGEN.1363347
Antiy-AVL Trojan/Win64.Inject
Gridinsoft Trojan.Win64.CobaltStrike.bot
Arcabit Trojan.Generic.D41176CF
ZoneAlarm Backdoor.Win32.Cobalt.efl
Microsoft Trojan:Win64/CobaltStrike.D!MTB
Google Detected
McAfee Artemis!E4EFED1AC69B
MAX malware (ai score=81)
Malwarebytes Trojan.CobaltStrike
Panda Trj/Chgt.AD
TrendMicro-HouseCall Backdoor.Win64.COBEACON.YXDGTZ
Rising Backdoor.Cobalt!8.1233E (CLOUD)
Yandex Trojan.Inject!9+pjKIy/PIA
Ikarus Trojan.Win64.Inject
MaxSecure Trojan.Malware.214476368.susgen
Fortinet W64/Inject.Y!tr
AVG Win64:BackdoorX-gen [Trj]
DeepInstinct MALICIOUS