Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 3, 2024, 7:39 a.m.	May 3, 2024, 7:47 a.m.

Size	289.0KB
Type	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5	`49e2d38242e314cb72ff7a297dbf132f`
SHA256	`0f913c7a1e8a8d7321a63595d16d181d59a4fd7ad6f25bf3b46f93ab60846959`
CRC32	`16DE9007`
ssdeep	`6144:XFp4b/RC+NKy11QUJslQCTUjcjQErjR6Usf2cackwReskk3v1/1IVghjn6:XFpSzQ2syCTCcjQErjRPgTRf3D3R6`
Yara	IsPE64 - (no description) Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature

flash.cn.exe "C:\Users\test22\AppData\Local\Temp\flash.cn.exe"
2572

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
152.136.35.240	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA May 3, 2024, 7:32 a.m.	computer_name: TEST22-PC	1	1	0

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 3, 2024, 7:32 a.m.	process_identifier: 2572 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000700000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0	0
NtAllocateVirtualMemory May 3, 2024, 7:32 a.m.	process_identifier: 2572 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000023d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0	0

A process attempted to delay the analysis task. (1 event)

description

flash.cn.exe tried to sleep 171 seconds, actually delayed analysis time by 171 seconds

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 3, 2024, 7:32 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 278528 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00000000005b0000 process_handle: 0xffffffffffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00043e00', u'virtual_address': u'0x00004000', u'entropy': 7.12818930337651, u'name': u'.data', u'virtual_size': u'0x00043cf0'}

entropy

7.12818930338

description

A section with a high entropy has been found

entropy

0.942708333333

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 event)

host

152.136.35.240

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)

Bkav	W64.AIDetectMalware
Lionic	Trojan.Win32.CobaltStrike.4!c
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win64.Generic.dc
ALYac	Gen:Variant.Bulz.940609
Cylance	unsafe
Zillya	Trojan.CobaltStrike.Win64.8356
Sangfor	Trojan.Win32.CobaltStrike
BitDefender	Gen:Variant.Bulz.940609
K7GW	Trojan ( 0058fadf1 )
K7AntiVirus	Trojan ( 0058fadf1 )
Arcabit	Trojan.Bulz.DE5A41
Symantec	Backdoor.Cobalt
Elastic	Windows.Trojan.CobaltStrike
ESET-NOD32	a variant of Win64/CobaltStrike.Artifact.A
APEX	Malicious
Avast	Win64:HacktoolX-gen [Trj]
ClamAV	Win.Trojan.CobaltStrike-9044898-1
Kaspersky	HEUR:Trojan.Win64.CobaltStrike.gen
Alibaba	Backdoor:Win64/Artifact.1692a50b
MicroWorld-eScan	Gen:Variant.Bulz.940609
Rising	Backdoor.CobaltStrike/x64!1.E382 (CLASSIC)
Emsisoft	Gen:Variant.Bulz.940609 (B)
F-Secure	Heuristic.HEUR/AGEN.1369949
DrWeb	BackDoor.Meterpreter.157
TrendMicro	Backdoor.Win64.COBEACON.SMA
FireEye	Generic.mg.49e2d38242e314cb
Sophos	ATK/Cobalt-A
Ikarus	Trojan.Win64.Cobaltstrike
Jiangmin	Trojan.CobaltStrike.ih
Google	Detected
Avira	HEUR/AGEN.1369949
MAX	malware (ai score=85)
Antiy-AVL	RiskWare/Win64.Artifact
Kingsoft	malware.kb.a.999
Gridinsoft	Trojan.Win64.Kryptik.oa!s1
Microsoft	Backdoor:Win64/CobaltStrike.NP!dha
ZoneAlarm	HEUR:Trojan.Win32.CobaltStrike.gen
GData	Gen:Variant.Bulz.940609
Varist	W64/Kryptik.GRP
AhnLab-V3	Backdoor/Win.COBEACON.R521642
McAfee	Artemis!49E2D38242E3
TACHYON	Trojan/W64.CobaltStrike.295936
DeepInstinct	MALICIOUS
VBA32	Trojan.Win64.CobaltStrike
Malwarebytes	Generic.Malware.AI.DDS
Panda	Trj/CI.A
TrendMicro-HouseCall	Backdoor.Win64.COBEACON.SMA
Tencent	Trojan.Win64.Cobaltstrike.ka
SentinelOne	Static AI - Malicious PE

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 events)

dead_host	152.136.35.240:1122
dead_host	192.168.56.101:49166
dead_host	192.168.56.101:49162

flash.cn.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All