Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 5, 2024, 10:36 a.m.	Aug. 5, 2024, 10:44 a.m.

Size	17.5KB
Type	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5	`4c6421a1802b81596b4a5c1f67261826`
SHA256	`8cd83a22ebbbc021182c81b790334c41b1cc94550ccbba07ee2f6b94fa9976b4`
CRC32	`E6D64294`
ssdeep	`192:ODMAe4Ckj19RZZ6wpSfu1bKcq5uHj7khBDSeKNH46jpbwwZ3JBUbOj6kxiY:ODMAoKz6WtKEj7aBDi/bwwjbAY`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE64 - (no description)

rundll.exe "C:\Users\test22\AppData\Local\Temp\rundll.exe"
880

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
147.78.47.15	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 5, 2024, 10:29 a.m.	process_identifier: 880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000000000860000 process_handle: 0xffffffffffffffff	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

147.78.47.15

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

147.78.47.15:58255

File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 events)

Bkav	W64.AIDetectMalware
Elastic	Windows.Trojan.CobaltStrike
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.CobaltStr.S17675256
Skyhigh	BehavesLike.Win64.Trojan.lm
ALYac	Trojan.GenericKDZ.107133
Cylance	Unsafe
VIPRE	Trojan.GenericKDZ.107133
Sangfor	Trojan.Win32.CobaltStrike
K7AntiVirus	Trojan ( 0058fadf1 )
BitDefender	Trojan.GenericKDZ.107133
K7GW	Trojan ( 0058fadf1 )
Cybereason	malicious.1802b8
Arcabit	Trojan.Generic.D1A27D
VirIT	Trojan.Win32.Genus.DDA
Symantec	Backdoor.Cobalt!gen1
ESET-NOD32	a variant of Win64/CobaltStrike.Artifact.A
APEX	Malicious
McAfee	Cobalt-EVTS!4C6421A1802B
Avast	Win64:Evo-gen [Trj]
ClamAV	Win.Trojan.CobaltStrike-9044898-1
Kaspersky	HEUR:Trojan.Win32.Generic
MicroWorld-eScan	Trojan.GenericKDZ.107133
Rising	Backdoor.CobaltStrike/x64!1.D04A (CLASSIC)
Emsisoft	Trojan.CobaltStrike (A)
DrWeb	BackDoor.CobaltStrike.86
Zillya	Tool.CobaltStrike.Win64.273
TrendMicro	Backdoor.Win64.COBEACON.SMA
McAfeeD	ti!8CD83A22EBBB
FireEye	Generic.mg.4c6421a1802b8159
Sophos	ATK/Cobalt-CC
Ikarus	Trojan.Win64.Cobaltstrike
Jiangmin	Trojan.Generic.fsibr
Webroot	W32.Trojan.Cobaltstrike
Google	Detected
MAX	malware (ai score=83)
Antiy-AVL	RiskWare/Win64.Artifact.a
Kingsoft	malware.kb.a.837
Gridinsoft	Trojan.Win64.Agent.oa!s1
Microsoft	Trojan:Win64/Bulz.SPVV!MTB
ZoneAlarm	HEUR:Trojan.Win64.CobaltStrike.gen
GData	Trojan.GenericKDZ.107133
Varist	W64/Agent.NDUP
AhnLab-V3	Backdoor/Win.CobaltStrike.R360995
TACHYON	Trojan/W64.Agent.17920.C
DeepInstinct	MALICIOUS
VBA32	Trojan.Win64.CobaltStrike
Malwarebytes	Generic.Malware.AI.DDS
TrendMicro-HouseCall	Backdoor.Win64.COBEACON.SMA
Tencent	Trojan.Win64.CobaltStrike.hb

rundll.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All