popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

artifact.exe

Malicious Library PE32 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 May 17, 2024, 10:44 a.m. May 17, 2024, 10:46 a.m.
Size 14.0KB
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5 242ffae14d520fa9b735110f360555fe
SHA256 5a2c66fd7246b0438cd763593b909cbadf782407afa384bd27bc7bc8ff84edab
CRC32 416D82F4
ssdeep 192:A/H+DgGK83SxHn2OQ/dmBI4KBfTgir+xzoOZQgn8PbqUqV/Qjo7AGa:Av+kGKqbOCdWIVBff+xzN6g8jfCXAn
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
3.208.96.244 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameA

 computer_name: TEST22-PC
1 1 0
suspicious_features Connection to IP address suspicious_request GET http://3.208.96.244/Meeting/32251817/
suspicious_features Connection to IP address suspicious_request GET http://3.208.96.244/functionalStatus?_=akHJt5kS0V1vD1MLEl37ga-62Onbn5iab85VnN79WGQdX1okABKjVc-2arUDYJU2m2hYIMBWlkFdp3nFm87GgyDD2HnGoXHOC4KG2FE-ZQv2sB23pRr3VmS-SFmS75oLazFuDGyXNR2PjZmU9f3JKlWVrezmIhrFxXtTNOUZtzU
request GET http://3.208.96.244/Meeting/32251817/
request GET http://3.208.96.244/functionalStatus?_=akHJt5kS0V1vD1MLEl37ga-62Onbn5iab85VnN79WGQdX1okABKjVc-2arUDYJU2m2hYIMBWlkFdp3nFm87GgyDD2HnGoXHOC4KG2FE-ZQv2sB23pRr3VmS-SFmS75oLazFuDGyXNR2PjZmU9f3JKlWVrezmIhrFxXtTNOUZtzU
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2560
region_size: 4194304
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03500000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
description artifact.exe tried to sleep 202 seconds, actually delayed analysis time by 202 seconds
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x00490000
process_handle: 0xffffffff
1 0 0
host 3.208.96.244
process artifact.exe useragent
process artifact.exe useragent Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Sheljector.trJD
Cynet Malicious (score: 100)
CAT-QuickHeal Trojan.GenericPMF.S22096310
Skyhigh BehavesLike.Win32.TrojanCobalt.lm
ALYac Trojan.GenericKDZ.80482
Cylance unsafe
VIPRE Trojan.GenericKDZ.80482
Sangfor Trojan.Win32.CobaltStrike
K7AntiVirus Trojan ( 005622831 )
BitDefender Trojan.GenericKDZ.80482
K7GW Trojan ( 005622831 )
VirIT Trojan.Win32.Inject3.DZW
Symantec Backdoor.Cobalt
Elastic Windows.Trojan.CobaltStrike
ESET-NOD32 a variant of Win32/Rozena.AMZ
APEX Malicious
McAfee GenericRXMO-OO!242FFAE14D52
Avast Win32:HacktoolX-gen [Trj]
ClamAV Win.Trojan.CobaltStrike-7899872-1
Kaspersky HEUR:Trojan.Win32.CobaltStrike.gen
Alibaba Trojan:Win32/Rozena.12cc
NANO-Antivirus Trojan.Win32.Inject3.horsiq
MicroWorld-eScan Trojan.GenericKDZ.80482
Rising Backdoor.CobaltStrike!1.D049 (CLASSIC)
Emsisoft Trojan.Rozena (A)
F-Secure Trojan.TR/Crypt.XPACK.Gen7
DrWeb Trojan.Inject3.2700
Zillya Trojan.Rozena.Win32.99309
TrendMicro Trojan.Win32.COBALT.SM
FireEye Generic.mg.242ffae14d520fa9
Sophos ATK/Cobalt-A
Ikarus Trojan.Win32.CobaltStrike
Jiangmin Trojan.Generic.ftawl
Webroot
Google Detected
Avira TR/Crypt.XPACK.Gen7
MAX malware (ai score=85)
Antiy-AVL Trojan/Win32.Wacatac
Kingsoft malware.kb.a.994
Gridinsoft Trojan.Win32.Heur.oa!s1
Arcabit Trojan.Generic.D13A62
ViRobot Trojan.Win32.Cobalt.14336.J
ZoneAlarm HEUR:Trojan.Win32.CobaltStrike.gen
GData Win32.Trojan.PSE.PHVAWJ
Varist W32/Diple.G.gen!Eldorado
AhnLab-V3 Trojan/Win32.CobaltStrike.R329694
DeepInstinct MALICIOUS
VBA32 TScope.Malware-Cryptor.SB
Malwarebytes Generic.Malware.AI.DDS