Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 26, 2023, 5:26 p.m.	July 26, 2023, 5:32 p.m.

Size	112.0KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`e4efed1ac69b15ff3dfc8024a28eb967`
SHA256	`a92a6d6f59fd04e04c6f911e39219c61eb6013e6db92905796642092dc1ce3d7`
CRC32	`AB54159D`
ssdeep	`3072:V6F1nkPsgo2qtM6ri5ITVTrf3/h/J5BdtEsh:Y3kPQ2qtre5IThrHh/pHEsh`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check IsPE64 - (no description) Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature

code.exe "C:\Users\test22\AppData\Local\Temp\code.exe"
2548

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
104.208.85.234	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49165 -> 104.208.85.234:26509	2033713	ET MALWARE Cobalt Strike Beacon Observed	Targeted Malicious Activity was Detected
TCP 192.168.56.101:49163 -> 104.208.85.234:26509	2033713	ET MALWARE Cobalt Strike Beacon Observed	Targeted Malicious Activity was Detected
TCP 104.208.85.234:26509 -> 192.168.56.101:49162	2035442	ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA July 26, 2023, 5:23 p.m.	computer_name: TEST22-PC	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 26, 2023, 5:23 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

_RDATA

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 26, 2023, 5:23 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000053f000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 26, 2023, 5:23 p.m.	process_identifier: 2548 region_size: 4194304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002e50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 26, 2023, 5:23 p.m.	process_identifier: 2548 region_size: 319488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002390000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1

Communicates with host for which no DNS query was performed (1 event)

host

104.208.85.234

Network activity contains more than one unique useragent (2 events)

process	code.exe				useragent
process	code.exe				useragent	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MANM)

File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 events)

Bkav	W32.Common.038A36DE
Lionic	Trojan.Win32.Cobalt.4!c
Cynet	Malicious (score: 100)
CAT-QuickHeal	Backdoor.Cobalt
ALYac	Trojan.GenericKD.68253391
Cylance	unsafe
VIPRE	Trojan.GenericKD.68253391
Sangfor	Backdoor.Win64.Cobalt.Vyzx
K7AntiVirus	Trojan ( 005a5cf71 )
Alibaba	Backdoor:Win32/Cobalt.e0cdc1c7
K7GW	Trojan ( 005a5cf71 )
Cyren	W64/ABRisk.VBWB-8053
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win64/Inject.Y.gen
APEX	Malicious
Kaspersky	Backdoor.Win32.Cobalt.efl
BitDefender	Trojan.GenericKD.68253391
NANO-Antivirus	Trojan.Win64.Cobalt.jxkbom
MicroWorld-eScan	Trojan.GenericKD.68253391
Avast	Win64:BackdoorX-gen [Trj]
Tencent	Malware.Win32.Gencirc.13e480d5
Emsisoft	Trojan.GenericKD.68253391 (B)
F-Secure	Heuristic.HEUR/AGEN.1363347
DrWeb	BackDoor.Meterpreter.157
TrendMicro	Backdoor.Win64.COBEACON.YXDGTZ
McAfee-GW-Edition	Artemis!Trojan
FireEye	Generic.mg.e4efed1ac69b15ff
Sophos	Mal/Generic-S
GData	Trojan.GenericKD.68253391
Webroot	W32.Trojan.Gen
Avira	HEUR/AGEN.1363347
Antiy-AVL	Trojan/Win64.Inject
Gridinsoft	Trojan.Win64.CobaltStrike.bot
Arcabit	Trojan.Generic.D41176CF
ZoneAlarm	Backdoor.Win32.Cobalt.efl
Microsoft	Trojan:Win64/CobaltStrike.D!MTB
Google	Detected
McAfee	Artemis!E4EFED1AC69B
MAX	malware (ai score=81)
Malwarebytes	Trojan.CobaltStrike
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	Backdoor.Win64.COBEACON.YXDGTZ
Rising	Backdoor.Cobalt!8.1233E (CLOUD)
Yandex	Trojan.Inject!9+pjKIy/PIA
Ikarus	Trojan.Win64.Inject
MaxSecure	Trojan.Malware.214476368.susgen
Fortinet	W64/Inject.Y!tr
AVG	Win64:BackdoorX-gen [Trj]
DeepInstinct	MALICIOUS

code.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All