Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 4, 2024, 5:10 p.m.	July 4, 2024, 5:14 p.m.

Size	321.0KB
Type	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5	`771b79f619f789921ac9d720d16323ed`
SHA256	`0247fb7d1e15bc321913cd2554319bf31c138cd607fd90919dc79f7f7f01cc77`
CRC32	`60296B35`
ssdeep	`6144:xO0rlYhfWe6tXMd1/Iq4JTTy6JG2H5ik2/dBUEBHVrGh+dTYbgX5395EgXyzQhIV:cYlyfWbXEmq4JXTEDBHH4Ass53hIF7`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE64 - (no description)

UtilityP.exe "C:\Users\test22\AppData\Local\Temp\UtilityP.exe"
2564

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
89.197.154.116	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA July 4, 2024, 5:03 p.m.	computer_name: TEST22-PC	1	1	0

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 4, 2024, 5:03 p.m.	process_identifier: 2564 region_size: 360448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000970000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0	0

A process attempted to delay the analysis task. (1 event)

description

UtilityP.exe tried to sleep 171 seconds, actually delayed analysis time by 171 seconds

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 4, 2024, 5:03 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 307200 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00000000006c0000 process_handle: 0xffffffffffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0004be00', u'virtual_address': u'0x00004000', u'entropy': 7.298540570536035, u'name': u'.data', u'virtual_size': u'0x0004bcf0'}

entropy

7.29854057054

description

A section with a high entropy has been found

entropy

0.9484375

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 event)

host

89.197.154.116

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)

Bkav	W64.AIDetectMalware
Elastic	Windows.Trojan.CobaltStrike
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win64.Backdoor.fc
ALYac	Gen:Variant.Tedy.458603
Cylance	Unsafe
VIPRE	Gen:Variant.Tedy.458603
Sangfor	Trojan.Win32.CobaltStrike
K7AntiVirus	Trojan ( 0058fadf1 )
BitDefender	Gen:Variant.Tedy.458603
K7GW	Trojan ( 0058fadf1 )
Cybereason	malicious.619f78
Arcabit	Trojan.Tedy.D6FF6B
VirIT	Trojan.Win64.CobalStrike
Symantec	Backdoor.Cobalt
ESET-NOD32	a variant of Win64/CobaltStrike.Artifact.A
APEX	Malicious
Avast	Win64:Evo-gen [Trj]
ClamAV	Win.Trojan.CobaltStrike-9044898-1
Kaspersky	HEUR:Trojan.Win64.CobaltStrike.gen
MicroWorld-eScan	Gen:Variant.Tedy.458603
Rising	Backdoor.CobaltStrike/x64!1.E382 (CLASSIC)
Emsisoft	Gen:Variant.Tedy.458603 (B)
F-Secure	Heuristic.HEUR/AGEN.1344321
DrWeb	BackDoor.Meterpreter.157
TrendMicro	Backdoor.Win64.COBEACON.SMA
McAfeeD	ti!0247FB7D1E15
Trapmine	suspicious.low.ml.score
FireEye	Generic.mg.771b79f619f78992
Sophos	ATK/Cobalt-A
Ikarus	Trojan.Win64.Cobaltstrike
Jiangmin	Trojan.CobaltStrike.qz
Google	Detected
Avira	HEUR/AGEN.1344321
MAX	malware (ai score=87)
Antiy-AVL	Trojan/Win64.Kryptik
Kingsoft	malware.kb.a.998
Gridinsoft	Trojan.Win64.Kryptik.oa!s1
Microsoft	Backdoor:Win64/CobaltStrike.NP!dha
ZoneAlarm	HEUR:Trojan.Win32.Cometer.gen
GData	Gen:Variant.Tedy.458603
Varist	W64/Cobalt.M.gen!Eldorado
AhnLab-V3	Backdoor/Win.COBEACON.R611870
TACHYON	Trojan/W64.CobaltStrike.328704
DeepInstinct	MALICIOUS
VBA32	Trojan.Win64.CobaltStrike
Malwarebytes	Generic.Malware.AI.DDS
Panda	Trj/GdSda.A
TrendMicro-HouseCall	Backdoor.Win64.COBEACON.SMA
Tencent	Trojan.Win64.Cobalstrike.ya

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 events)

dead_host	192.168.56.101:49162
dead_host	89.197.154.116:7810
dead_host	192.168.56.101:49166

UtilityP.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All