Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 28, 2024, 12:43 p.m.	June 28, 2024, 12:46 p.m.

Size	17.5KB
Type	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5	`d0e72468c01cf13b48c0a5ee2a310cb2`
SHA256	`6419aa3ff941635038f6ed18b64b59c413076d33e59782154fa59c65936e3915`
CRC32	`65675223`
ssdeep	`192:aDMAe4Ckj19RZZ6wpSfu1bKcq5uHj7khBDSeKNH4+mrCyBUbOj6kxiY:aDMAoKz6WtKEj7aBDiKmybAY`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE64 - (no description)

%E5%9B%BD%E5%BA%86%E5%BB%B6%E8%BF%9F%E6%94%BE%E5%81%87%E9%80%9A%E7%9F%A5.exe "C:\Users\test22\AppData\Local\Temp\%E5%9B%BD%E5%BA%86%E5%BB%B6%E8%BF%9F%E6%94%BE%E5%81%87%E9%80%9A%E7%9F%A5.exe"
1028

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
110.41.14.58	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 28, 2024, 12:43 p.m.	stacktrace: 0x5f0030 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c exception.instruction_r: ac 3c 61 7c 02 2c 20 41 c1 c9 0d 41 01 c1 e2 ed exception.instruction: lodsb al, byte ptr [rsi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5f0030 registers.r14: 1453503984 registers.r15: 0 registers.rcx: 110 registers.rsi: 110 registers.r10: 0 registers.rbx: 6226390 registers.rsp: 11140200 registers.r11: 514 registers.r8: 8791744913672 registers.r9: 0 registers.rdx: 2004821600 registers.r12: 0 registers.rbp: 6225930 registers.rdi: 0 registers.rax: 0 registers.r13: 0	1	0	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 28, 2024, 12:43 p.m.	process_identifier: 1028 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00000000005f0000 process_handle: 0xffffffffffffffff	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

110.41.14.58

File has been identified by 63 AntiVirus engines on VirusTotal as malicious (50 out of 63 events)

Bkav	W64.AIDetectMalware
Lionic	Trojan.Win64.Shelma.tsgG
Elastic	Windows.Trojan.CobaltStrike
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.CobaltStr.S17675256
Skyhigh	BehavesLike.Win64.Trojan.lm
ALYac	Trojan.GenericKDZ.107133
Cylance	Unsafe
VIPRE	Trojan.GenericKDZ.107133
Sangfor	Trojan.Win32.CobaltStrike
K7AntiVirus	Trojan ( 0058fadf1 )
BitDefender	Trojan.GenericKDZ.107133
K7GW	Trojan ( 0058fadf1 )
Cybereason	malicious.8c01cf
Arcabit	Trojan.Generic.D1A27D
VirIT	Trojan.Win32.Genus.DDA
Symantec	Backdoor.Cobalt!gen1
ESET-NOD32	a variant of Win64/CobaltStrike.Artifact.A
APEX	Malicious
McAfee	Cobalt-EVTS!D0E72468C01C
Avast	Win64:Evo-gen [Trj]
ClamAV	Win.Trojan.CobaltStrike-9044898-1
Kaspersky	HEUR:Trojan.Win32.Generic
Alibaba	Trojan:Win32/CozyDuke.1012
MicroWorld-eScan	Trojan.GenericKDZ.107133
Rising	Backdoor.CobaltStrike/x64!1.D04A (CLASSIC)
Emsisoft	Trojan.CobaltStrike (A)
F-Secure	Trojan.TR/AVI.CobaltStrike.lhumd
DrWeb	BackDoor.CobaltStrike.86
Zillya	Tool.CobaltStrike.Win64.273
TrendMicro	Backdoor.Win64.COBEACON.SMA
McAfeeD	ti!6419AA3FF941
FireEye	Generic.mg.d0e72468c01cf13b
Sophos	ATK/Cobalt-CC
Ikarus	Trojan.Win64.Cobaltstrike
Jiangmin	Trojan.Generic.fsibr
Webroot	W32.Trojan.Cobaltstrike
Google	Detected
Avira	TR/AVI.CobaltStrike.lhumd
MAX	malware (ai score=81)
Antiy-AVL	RiskWare/Win64.Artifact.a
Kingsoft	malware.kb.a.843
Gridinsoft	Trojan.Win64.CobaltStrike.tr
Microsoft	Trojan:Win64/Bulz.SPVV!MTB
ViRobot	Trojan.Win.Z.Cobaltstrike.17920.BMX
ZoneAlarm	HEUR:Trojan.Win64.CobaltStrike.gen
GData	Trojan.GenericKDZ.107133
Varist	W64/Agent.NDUP
AhnLab-V3	Backdoor/Win.CobaltStrike.R360995
TACHYON	Trojan/W64.Agent.17920.C

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (11 events)

dead_host	192.168.56.103:49171
dead_host	192.168.56.103:49170
dead_host	192.168.56.103:49163
dead_host	110.41.14.58:7931
dead_host	192.168.56.103:49162
dead_host	192.168.56.103:49172
dead_host	192.168.56.103:49165
dead_host	192.168.56.103:49164
dead_host	192.168.56.103:49169
dead_host	192.168.56.103:49167
dead_host	192.168.56.103:49166

%E5%9B%BD%E5%BA%86%E5%BB%B6%E8%BF%9F%E6%94%BE%E5%81%87%E9%80%9A%E7%9F%A5.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All