Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 8, 2024, 2:23 p.m.	Aug. 8, 2024, 2:25 p.m.

Size	19.0KB
Type	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5	`f40919d4beadd501ea89202a719ab940`
SHA256	`3dbe98f96a66db6aea698017cdf01b911347dfba0d4eaf9078d43a4188d40ee6`
CRC32	`98EE1E28`
ssdeep	`192:EV7qaCF6Op1t2dobVXujRDcBaXWQjwOT/2BR45iSWF8qa1Dojjgi:2qaCF31cix+Dc4zjgLrFF46gi`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE64 - (no description)

like.exe "C:\Users\test22\AppData\Local\Temp\like.exe"
2548

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
23.94.247.40	Active	Moloch
45.33.6.223	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49165 -> 23.94.247.40:7890	2033713	ET MALWARE Cobalt Strike Beacon Observed	Targeted Malicious Activity was Detected
TCP 23.94.247.40:7890 -> 192.168.56.101:49162	2035442	ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1	A Network Trojan was detected
TCP 192.168.56.101:49163 -> 23.94.247.40:7890	2033713	ET MALWARE Cobalt Strike Beacon Observed	Targeted Malicious Activity was Detected

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Aug. 8, 2024, 2:23 p.m.	computer_name: TEST22-PC	1	1	0

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 8, 2024, 2:23 p.m.	process_identifier: 2548 region_size: 4194304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0	0
NtAllocateVirtualMemory Aug. 8, 2024, 2:23 p.m.	process_identifier: 2548 region_size: 352256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002a10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0	0

A process attempted to delay the analysis task. (1 event)

description

like.exe tried to sleep 171 seconds, actually delayed analysis time by 171 seconds

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 8, 2024, 2:23 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000000000660000 process_handle: 0xffffffffffffffff	1	0	0

Communicates with host for which no DNS query was performed (2 events)

host	23.94.247.40
host	45.33.6.223

Network activity contains more than one unique useragent (2 events)

process	like.exe				useragent
process	like.exe				useragent	Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; MASAJS)

File has been identified by 61 AntiVirus engines on VirusTotal as malicious (50 out of 61 events)

Bkav	W64.AIDetectMalware
Lionic	Trojan.Win32.CobaltStrike.4!c
Elastic	Windows.Trojan.CobaltStrike
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.Generic
Skyhigh	BehavesLike.Win64.Generic.lm
ALYac	Gen:Variant.Bulz.262606
Cylance	Unsafe
VIPRE	Gen:Variant.Bulz.262606
Sangfor	Trojan.Win32.CobaltStrike
K7AntiVirus	Trojan ( 0058fadf1 )
BitDefender	Gen:Variant.Bulz.262606
K7GW	Trojan ( 0058fadf1 )
Cybereason	malicious.4beadd
Arcabit	Trojan.Bulz.D401CE
VirIT	Trojan.Win64.Genus.BRF
Symantec	Backdoor.Cobalt
ESET-NOD32	a variant of Win64/CobaltStrike.Artifact.A
APEX	Malicious
McAfee	CobaltStrike-so!F40919D4BEAD
Avast	Win64:Evo-gen [Trj]
ClamAV	Win.Trojan.CobaltStrike-9044898-1
Kaspersky	HEUR:Trojan.Win64.CobaltStrike.gen
Alibaba	Backdoor:Win64/Artifact.096336bf
MicroWorld-eScan	Gen:Variant.Bulz.262606
Rising	Backdoor.CobaltStrike/x64!1.E382 (CLASSIC)
Emsisoft	Gen:Variant.Bulz.262606 (B)
F-Secure	Heuristic.HEUR/AGEN.1345031
DrWeb	BackDoor.CobaltStrike.46
TrendMicro	Backdoor.Win64.COBEACON.SMA
McAfeeD	ti!3DBE98F96A66
FireEye	Generic.mg.f40919d4beadd501
Sophos	ATK/Cobalt-A
SentinelOne	Static AI - Malicious PE
Jiangmin	Trojan.CozyDuke.dk
Google	Detected
Avira	HEUR/AGEN.1345031
MAX	malware (ai score=87)
Antiy-AVL	RiskWare/Win64.Artifact
Kingsoft	malware.kb.a.897
Gridinsoft	Trojan.Win64.CobaltStrike.tr
Microsoft	Backdoor:Win64/CobaltStrike!pz
ViRobot	Trojan.Win.Z.Cobaltstrike.19456.CJB
ZoneAlarm	HEUR:Trojan.Win64.CobaltStrike.gen
GData	Gen:Variant.Bulz.262606
Varist	W64/Kryptik.GRO
AhnLab-V3	Malware/Win64.RL_Backdoor.R363496
TACHYON	Trojan/W64.CobaltStrike.19456
DeepInstinct	MALICIOUS
VBA32	Backdoor.Win64.CobaltStrike

like.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All