Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 11, 2023, 1:56 p.m.	Oct. 11, 2023, 1:56 p.m.

Size	10.4MB
Type	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5	`bff3120685dafe9e31206887df290c02`
SHA256	`848323f362252e7704f024c82b362f1c512974b462e1bf8e9e4595464f074bde`
CRC32	`66B571CA`
ssdeep	`49152:JM2fECg63nOYO1rrb/TXvO90d7HjmAFd4A64nsfJvlTUWpGBwCRMq0O4kdgYg9j4:n37D+WzmC8saFioUhvlE1ui5wOM`
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature IsPE64 - (no description) OS_Processor_Check_Zero - OS Processor Check

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\LogonFile.exe.js
2544

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.symtab

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 11, 2023, 1:56 p.m.	stacktrace: CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75aad08c TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75aa964b TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75a94d6b TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75a96f7c CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75a9e825 TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75a96002 TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75a95fe8 TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75a949e3 TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75a95a20 RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x76f49a91 LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x76f68f10 RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x76f68e5c ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x755c7a25 wscript+0x2fbd @ 0xab2fbd BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25 exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4 exception.instruction: call dword ptr [ecx + 0xc] exception.module: MSCTF.dll exception.exception_code: 0xc0000005 exception.offset: 278260 exception.address: 0x75ac3ef4 registers.esp: 3470884 registers.edi: 0 registers.eax: 33393832 registers.ebp: 3470912 registers.edx: 1 registers.ebx: 0 registers.esi: 8041624 registers.ecx: 1932080604	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 11, 2023, 1:56 p.m.

stacktrace:

CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75aad08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75aa964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75a94d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75a96f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75a9e825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75a96002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75a95fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75a949e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75a95a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x76f49a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x76f68f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x76f68e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x755c7a25
wscript+0x2fbd @ 0xab2fbd
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x75ac3ef4
registers.esp: 3470884
registers.edi: 0
registers.eax: 33393832
registers.ebp: 3470912
registers.edx: 1
registers.ebx: 0
registers.esi: 8041624
registers.ecx: 1932080604

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)

Bkav	W32.Common.DD6BE1DE
Lionic	Trojan.Win32.Cobalt.4!c
MicroWorld-eScan	Trojan.GenericKD.68609232
ALYac	Trojan.GenericKD.68609232
Malwarebytes	Trojan.CobaltStrike
VIPRE	Trojan.GenericKD.68609232
K7AntiVirus	Riskware ( 00584baa1 )
BitDefender	Trojan.GenericKD.68609232
K7GW	Riskware ( 00584baa1 )
CrowdStrike	win/malicious_confidence_100% (W)
Cyren	W64/ABRisk.UEHU-3503
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	WinGo/TrojanDownloader.Agent.FZ
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	Backdoor.Win32.Cobalt.eiz
Alibaba	Backdoor:Win32/Cobalt.d65399b1
NANO-Antivirus	Trojan.Win64.Cobalt.jyttuy
Sophos	Mal/Generic-S
F-Secure	Trojan.TR/AD.PatchedWinSwrort.idayd
Zillya	Backdoor.Cobalt.Win32.789
TrendMicro	Backdoor.Win64.COBEACON.YXDG1Z
McAfee-GW-Edition	BehavesLike.Win64.Trojan.vh
FireEye	Trojan.GenericKD.68609232
Emsisoft	Trojan.GenericKD.68609232 (B)
Ikarus	Trojan.Patched
GData	Trojan.GenericKD.68609232
Webroot	W32.Trojan.GenKD
Avira	TR/AD.PatchedWinSwrort.idayd
Antiy-AVL	Trojan[Backdoor]/Win32.Cobalt
Kingsoft	Win32.Hack.Cobalt.eiz
Gridinsoft	Trojan.Win64.CobaltStrike.bot
Xcitium	Malware@#13d7cvk2kiz72
Arcabit	Trojan.Generic.D416E4D0
ZoneAlarm	Backdoor.Win32.Cobalt.eiz
Microsoft	Backdoor:Win64/Cobaltstrikebeacon
Google	Detected
AhnLab-V3	Backdoor/Win.Cobalt.C5479689
McAfee	Artemis!BFF3120685DA
MAX	malware (ai score=81)
DeepInstinct	MALICIOUS
VBA32	Backdoor.CobaltStrike
Cylance	unsafe
TrendMicro-HouseCall	Backdoor.Win64.COBEACON.YXDG1Z
Tencent	Win32.Backdoor.Cobalt.Iajl
MaxSecure	Trojan.Malware.119747489.susgen
Fortinet	Malicious_Behavior.SB
AVG	FileRepMalware [Misc]
Avast	FileRepMalware [Misc]

LogonFile.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All