popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

svch0st.exe

Malicious Library PE32 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Aug. 11, 2024, 2:25 p.m. Aug. 11, 2024, 3:10 p.m.
Size 278.0KB
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5 5575d0030528b163ac14ebe51ebd7da9
SHA256 0ae85148ff06520ba2e8e3b55c121fcf1ca1a1897b9a4443fc0830753053f06a
CRC32 696CF83F
ssdeep 3072:NRKgFrkR7kqxM6rKnpHfn1oYBgX0dydjc6wmKRkHYE/D+hFSoIJclhPetHvWFadI:NRKgc7/Gp9WuSjc6mRo+hFNjKO0T
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
103.143.248.179 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 103.143.248.179:80 -> 192.168.56.103:49165 2400016 ET DROP Spamhaus DROP Listed Traffic Inbound group 17 Misc Attack
TCP 192.168.56.103:49165 -> 103.143.248.179:80 2033713 ET MALWARE Cobalt Strike Beacon Observed Targeted Malicious Activity was Detected
TCP 192.168.56.103:49163 -> 103.143.248.179:80 2033713 ET MALWARE Cobalt Strike Beacon Observed Targeted Malicious Activity was Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameA

 computer_name: TEST22-PC
1 1 0
suspicious_features Connection to IP address suspicious_request GET http://103.143.248.179/push
request GET http://103.143.248.179/push
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 1932
region_size: 249856
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00700000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
description svch0st.exe tried to sleep 171 seconds, actually delayed analysis time by 171 seconds
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 1932
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 208896
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x006b0000
process_handle: 0xffffffff
1 0 0
host 103.143.248.179
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.CobaltStrike.4!c
MicroWorld-eScan Trojan.CobaltStrike.AS
CAT-QuickHeal TrojanAPT.Cobalt.A7
ALYac Trojan.CobaltStrike.AS
Cylance Unsafe
VIPRE Trojan.CobaltStrike.AS
Sangfor Trojan.Win32.CobaltStrike
K7AntiVirus Trojan ( 005622831 )
K7GW Trojan ( 005622831 )
Cybereason malicious.30528b
BitDefenderTheta AI:Packer.026E06981B
VirIT Trojan.Win32.Rozena.AB
Symantec Backdoor.Cobalt
Elastic Windows.Trojan.CobaltStrike
ESET-NOD32 a variant of Win32/CobaltStrike.Artifact.A
APEX Malicious
Paloalto generic.ml
Cynet Malicious (score: 100)
Kaspersky HEUR:Trojan.Win32.CobaltStrike.gen
Alibaba Trojan:Win32/CozyDuke.1011
NANO-Antivirus Trojan.Win32.Rozena.faqakq
Rising Backdoor.CobaltStrike!1.D049 (CLASSIC)
Emsisoft Trojan.Rozena (A)
F-Secure Trojan.TR/Crypt.XPACK.Gen7
DrWeb BackDoor.Meterpreter.92
Zillya Trojan.Rozena.Win32.223792
TrendMicro Trojan.Win32.COBALT.SM
McAfeeD ti!0AE85148FF06
Trapmine malicious.high.ml.score
FireEye Generic.mg.5575d0030528b163
Sophos ATK/Cobalt-A
SentinelOne Static AI - Malicious PE
Jiangmin Trojan.Generic.ccimf
Webroot W32.Malware.Gen
Google Detected
Avira TR/Crypt.XPACK.Gen7
MAX malware (ai score=82)
Antiy-AVL Trojan/Win32.AGeneric
Kingsoft malware.kb.a.1000
Gridinsoft Trojan.Win32.Agent.vb!s1
Arcabit Trojan.CobaltStrike.AS
ViRobot Trojan.Win32.Agent.284672.R
ZoneAlarm HEUR:Trojan.Win32.CobaltStrike.gen
Varist W32/Trojan.FACY-5566
AhnLab-V3 Trojan/Win32.CobaltStrike.R329694
VBA32 Backdoor.Meterpreter
TACHYON Trojan/W32.Agent.284672.IM
DeepInstinct MALICIOUS
Malwarebytes Generic.Malware.AI.DDS