Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 14, 2023, 7:55 a.m.	Dec. 14, 2023, 8:06 a.m.

Size	14.0KB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`a9cd040f3de100f802ccbce93bebd7a3`
SHA256	`8bfed2fc726e8d292fb7fd8238409aa096b8a17a6030c9aca6995bcbcf6b7a47`
CRC32	`17F0F52E`
ssdeep	`192:ADH+DgGK83SxHn2OQ/dmBI4KBfTgir+xzx5a07bqUqV/Qjo7AGa:AT+kGKqbOCdWIVBff+xzaAfCXAn`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature

artifact.exe "C:\Users\test22\AppData\Local\Temp\artifact.exe"
1552

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
81.70.153.38	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49165 -> 81.70.153.38:80	2033713	ET MALWARE Cobalt Strike Beacon Observed	Targeted Malicious Activity was Detected
TCP 192.168.56.103:49163 -> 81.70.153.38:80	2033713	ET MALWARE Cobalt Strike Beacon Observed	Targeted Malicious Activity was Detected

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Dec. 14, 2023, 7:55 a.m.	computer_name: TEST22-PC	1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	Connection to IP address				suspicious_request	GET http://81.70.153.38/zZ5S
suspicious_features	Connection to IP address				suspicious_request	GET http://81.70.153.38/ga.js

Performs some HTTP requests (2 events)

request	GET http://81.70.153.38/zZ5S
request	GET http://81.70.153.38/ga.js

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Dec. 14, 2023, 7:55 a.m.	process_identifier: 1552 region_size: 4194304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03570000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Dec. 14, 2023, 7:55 a.m.	process_identifier: 1552 region_size: 249856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02df0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0

A process attempted to delay the analysis task. (1 event)

description

artifact.exe tried to sleep 171 seconds, actually delayed analysis time by 171 seconds

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Dec. 14, 2023, 7:55 a.m.	process_identifier: 1552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00600000 process_handle: 0xffffffff	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

81.70.153.38

Network activity contains more than one unique useragent (2 events)

process	artifact.exe				useragent
process	artifact.exe				useragent	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALC)

File has been identified by 61 AntiVirus engines on VirusTotal as malicious (50 out of 61 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Sheljector.trJD
Elastic	Windows.Trojan.CobaltStrike
DrWeb	Trojan.Inject3.2700
MicroWorld-eScan	Trojan.GenericKDZ.80482
FireEye	Generic.mg.a9cd040f3de100f8
CAT-QuickHeal	Trojan.GenericPMF.S22096310
Skyhigh	BehavesLike.Win32.Trojan.lm
McAfee	Cobalt-EVTS!A9CD040F3DE1
Malwarebytes	Generic.Malware.AI.DDS
Zillya	Trojan.Rozena.Win32.99309
Sangfor	Trojan.Win32.CobaltStrike
K7AntiVirus	Trojan ( 005622831 )
Alibaba	Trojan:Win32/Rozena.12cc
K7GW	Trojan ( 005622831 )
Cybereason	malicious.79c3f2
Arcabit	Trojan.Generic.D13A62
VirIT	Trojan.Win32.Inject3.DZW
Symantec	Backdoor.Cobalt
ESET-NOD32	a variant of Win32/Rozena.AMZ
APEX	Malicious
ClamAV	Win.Trojan.CobaltStrike-7899872-1
Kaspersky	HEUR:Trojan.Win32.CobaltStrike.gen
BitDefender	Trojan.GenericKDZ.80482
NANO-Antivirus	Trojan.Win32.Inject3.horsiq
Avast	Win32:HacktoolX-gen [Trj]
Tencent	Hacktool.Win32.CobaltStrike.za
Emsisoft	Trojan.Rozena (A)
F-Secure	Trojan.TR/Crypt.XPACK.Gen7
VIPRE	Trojan.GenericKDZ.80482
TrendMicro	Trojan.Win32.COBALT.SM
Sophos	ATK/Cobalt-A
Ikarus	Trojan.Win32.CobaltStrike
Jiangmin	Trojan.Generic.ftawl
Webroot	W32.Trojan.Cobaltstrike
Google	Detected
Avira	TR/Crypt.XPACK.Gen7
Varist	W32/Diple.G.gen!Eldorado
Antiy-AVL	Trojan/Win32.Wacatac
Kingsoft	malware.kb.a.997
Gridinsoft	Trojan.Win32.Gen.tr
Microsoft	Backdoor:Win64/CobaltStrike!pz
ViRobot	Trojan.Win32.Cobalt.14336.J
ZoneAlarm	HEUR:Trojan.Win32.CobaltStrike.gen
GData	Win32.Trojan.PSE.PHVAWJ
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.CobaltStrike.R329694
VBA32	TScope.Malware-Cryptor.SB
ALYac	Trojan.GenericKDZ.80482
MAX	malware (ai score=86)

artifact.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All