Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 23, 2023, 9:42 a.m.	Sept. 23, 2023, 9:44 a.m.

Size	281.5KB
Type	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5	`f8c994f9200f4155e881ab90ab1598a7`
SHA256	`7b32248b74221a7079688ad6b857505a22f9de5d0f78100112816918636de0dd`
CRC32	`6222D120`
ssdeep	`6144:xC6hRwvyDGFJ7AuEDjATIKqWk7e7HqV6TI9X+kGnvFo0e:xRwvyUJ79EDjAcKVqVikGnO0`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE64 - (no description)

Rat.exe "C:\Users\test22\AppData\Local\Temp\Rat.exe"
1020

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
45.66.230.113	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 45.66.230.113:120 -> 192.168.56.103:49164	2402000	ET DROP Dshield Block Listed Source group 1	Misc Attack

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Sept. 23, 2023, 9:35 a.m.	computer_name: TEST22-PC	1	1	0

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 23, 2023, 9:35 a.m.	process_identifier: 1020 region_size: 319488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000910000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0	0

A process attempted to delay the analysis task. (1 event)

description

Rat.exe tried to sleep 171 seconds, actually delayed analysis time by 171 seconds

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 23, 2023, 9:35 a.m.	process_identifier: 1020 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 266240 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00000000008b0000 process_handle: 0xffffffffffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00042600', u'virtual_address': u'0x00004000', u'entropy': 7.0914070327777186, u'name': u'.data', u'virtual_size': u'0x00042490'}

entropy

7.09140703278

description

A section with a high entropy has been found

entropy

0.946524064171

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 event)

host

45.66.230.113

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)

Bkav	W32.AIDetectMalware.64
Lionic	Trojan.Win32.CobaltStrike.4!c
Elastic	Windows.Trojan.CobaltStrike
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.CobaltStr.S17675256
ALYac	Gen:Variant.Zusy.476946
Cylance	unsafe
Sangfor	Trojan.Win32.CobaltStrike
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	Trojan:Win32/CozyDuke.1012
K7GW	Trojan ( 0058fadf1 )
K7AntiVirus	Trojan ( 0058fadf1 )
Cyren	W64/Agent.NDUI
Symantec	Backdoor.Cobalt!gen1
ESET-NOD32	a variant of Win64/CobaltStrike.Artifact.A
APEX	Malicious
ClamAV	Win.Trojan.CobaltStrike-9044898-1
Kaspersky	HEUR:Trojan.Win64.CobaltStrike.gen
BitDefender	Gen:Variant.Zusy.476946
MicroWorld-eScan	Gen:Variant.Zusy.476946
Avast	Win64:HacktoolX-gen [Trj]
Rising	Backdoor.CobaltStrike/x64!1.D04A (CLASSIC)
TACHYON	Trojan/W64.CobaltStrike.288256
Emsisoft	Trojan.CobaltStrike (A)
F-Secure	Heuristic.HEUR/AGEN.1344219
DrWeb	BackDoor.CobaltStrike.86
VIPRE	Gen:Variant.Zusy.476946
TrendMicro	Backdoor.Win64.COBEACON.SMA
McAfee-GW-Edition	BehavesLike.Win64.Trojan.dc
FireEye	Generic.mg.f8c994f9200f4155
Sophos	ATK/Cobalt-CC
Ikarus	Trojan.Win64.Cobaltstrike
GData	Gen:Variant.Zusy.476946
Jiangmin	Trojan.Generic.fsici
Avira	HEUR/AGEN.1344219
Antiy-AVL	RiskWare/Win64.Artifact.a
Gridinsoft	Trojan.Win64.CobaltStrike.bot
Arcabit	Trojan.Zusy.D74712
ZoneAlarm	HEUR:Trojan.Win64.CobaltStrike.gen
Microsoft	Backdoor:Win64/CobaltStrike.NP!dha
Google	Detected
AhnLab-V3	Trojan/Win64.CobaltStrike.R356638
McAfee	Trojan-FSXF!F8C994F9200F
MAX	malware (ai score=82)
VBA32	Trojan.Win64.CobaltStrike
Malwarebytes	CobaltStrike.Trojan.Infiltration.DDS
Panda	Trj/GdSda.A
TrendMicro-HouseCall	Backdoor.Win64.COBEACON.SMA
Tencent	Trojan.Win64.Cobaltstrike.za
SentinelOne	Static AI - Malicious PE

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 events)

dead_host	192.168.56.103:49164
dead_host	192.168.56.103:49162
dead_host	45.66.230.113:120

Rat.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All