Summary | ZeroBOX

a.exe

Tags: Malicious Library, PE64, PE File

Category: FILE
Machine: s1_win7_x6403_us
Started: Aug. 25, 2024, 6:37 p.m.
Completed: Aug. 25, 2024, 6:39 p.m.
Size 19.0KB
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5 06acac40f95b938cc52dd263fd39f631
SHA256 2210845f0274e605766418df2a9f81c15d8e1f383e445a5b01a385fbfecc9fa3
CRC32 AC7FFA8A
ssdeep 192:EV7qaCF6Op1t2dobVXujRDcBaXWQjwOT/20OdNYqMgWF8qa1Dojjgi:2qaCF31cix+Dc4zjeNkFF46gi
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)

DNS (Name / Response / Post-Analysis Lookup): no hosts contacted.
IP addresses contacted:
  106.15.67.102 (Active)

Suricata Alerts: none
Suricata TLS: none

Behavior: __exception__ (Status 1 | Return 0 | Repeated 0)

stacktrace: 0x4f0030, then 0xcc000c repeated 63 times. Sixty-three identical frames are not a plausible call chain; treat the stack walk as unusable and rely on the faulting address only.

exception.instruction_r: ac 3c 61 7c 02 2c 20 41 c1 c9 0d 41 01 c1 e2 ed
exception.instruction: lodsb al, byte ptr [rsi]
exception.exception_code: 0xc0000005 (STATUS_ACCESS_VIOLATION: lodsb read from rsi = 0x6e, an address in the never-mapped first 64 KB of user space)
exception.symbol: (none)
exception.address: 0x4f0030 (inside the 4096-byte region at 0x4f0000 that the NtProtectVirtualMemory call recorded below set to PAGE_EXECUTE_READ)

registers (decimal, hex):
registers.rax: 0 (0x0)
registers.rbx: 5177814 (0x4f01d6)
registers.rcx: 110 (0x6e)
registers.rdx: 2004821600 (0x777f2660)
registers.rsi: 110 (0x6e)
registers.rdi: 0 (0x0)
registers.rbp: 5177354 (0x4f000a)
registers.rsp: 9763944 (0x94fc68)
registers.r8: 8791744913672 (0x7fefcd52108)
registers.r9: 0 (0x0)
registers.r10: 0 (0x0)
registers.r11: 514 (0x202)
registers.r12: 0 (0x0)
registers.r13: 0 (0x0)
registers.r14: 1453503984 (0x56a2b5f0)
registers.r15: 0 (0x0)
Behavior: NtProtectVirtualMemory (Status 1 | Return 0 | Repeated 0)

process_identifier: 1668
process_handle: 0xffffffffffffffff (-1, the current-process pseudo-handle)
base_address: 0x00000000004f0000
length: 4096 (one page; the faulting lodsb at 0x4f0030 executes from it)
protection: 32 (PAGE_EXECUTE_READ)
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1 (monitor heuristic: execute permission applied to heap memory rather than to a mapped image)
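Analyst note and added example (not part of the ZeroBOX report): the 16 bytes at the faulting address are, byte for byte, the module-name hashing loop of the x64 block_api resolver that Metasploit ships and that Cobalt Strike's Metasploit-compatible stagers reuse: lodsb; cmp al,'a'; jl; sub al,0x20; ror r9d,13; add r9d,eax; loop. The loop displacement 0xed (-19) branches back to 0x4f002d, three bytes before the lodsb, which is the size of the xor rax, rax that opens the loop body in that source. The registers fit the same layout: rbp = 0x4f000a is ten bytes past the page made executable above, which is where api_call lands when the shellcode opens with the usual cld / and rsp,-16 / call prologue, and r14 = 0x56a2b5f0 is the ROR13 hash of kernel32.dll!ExitProcess. The fault is the lodsb reading rsi = 0x6e. block_api has no not-found exit: a hash that matches no export of any loaded module makes the list walk run back onto the PEB_LDR_DATA list head and read garbage as a module entry; r10d, which carries the hash being resolved in this convention, is 0 in the dump, which is consistent with that failure mode. The Python below reproduces the hash exactly as the loop computes it (UTF-16LE module name over MaximumLength bytes, terminator included, upper-cased with the loop's signed compare; ASCII export name with its terminator), resolves r14 against a candidate list, and locates the loop bytes in a memory page to recover the branch target. The candidate list, the SAMPLE_PAGE bytes and the helper names are constructed for this example, not taken from the sample.

```python
"""ROR13 API-hash resolver for the x64 block_api loop seen in the crash (added example)."""
import struct
from typing import Iterable, Optional, Tuple

MASK32 = 0xFFFFFFFF

# Loop bytes copied from exception.instruction_r in the report:
#   lodsb; cmp al,'a'; jl +2; sub al,0x20; ror r9d,13; add r9d,eax; loop rel8(-19)
LOOP_MODNAME = bytes.fromhex("ac3c617c022c2041c1c90d4101c1e2ed")
XOR_RAX_RAX = bytes.fromhex("4831c0")   # the 3-byte instruction the loop branches back to


def ror13(value: int) -> int:
    """ror r9d, 13 on a 32-bit register."""
    value &= MASK32
    return ((value >> 13) | (value << 19)) & MASK32


def hash_bytes(data: bytes, uppercase: bool) -> int:
    """Replay the loop over data one byte at a time.

    The module-name loop upper-cases with a signed compare (cmp al,'a'; jl; sub al,0x20):
    bytes 0x61..0x7f lose 0x20, bytes >= 0x80 read as negative to jl and stay untouched.
    """
    h = 0
    for b in data:
        if uppercase and 0x61 <= b < 0x80:
            b -= 0x20
        h = (ror13(h) + b) & MASK32
    return h


def module_hash(module: str) -> int:
    """BaseDllName as the loop sees it: UTF-16LE over MaximumLength bytes,
    so the two-byte terminator is hashed too, upper-cased byte by byte."""
    return hash_bytes(module.encode("utf-16-le") + b"\x00\x00", uppercase=True)


def function_hash(func: str) -> int:
    """Export name, ASCII; the loop folds the terminator in before `cmp al, ah`."""
    return hash_bytes(func.encode("ascii") + b"\x00", uppercase=False)


def api_hash(module: str, func: str) -> int:
    """What a caller loads into r10d before `call rbp`: module + function hash mod 2^32."""
    return (module_hash(module) + function_hash(func)) & MASK32


def resolve(target: int, candidates: Iterable[Tuple[str, str]]) -> Optional[str]:
    """Reverse a hash over a candidate list (constructed below; in practice feed it
    every export of every module the sample can have loaded)."""
    for module, func in candidates:
        if api_hash(module, func) == target:
            return f"{module}!{func}"
    return None


def find_hash_loop(blob: bytes, base: int) -> Optional[Tuple[int, int, bool]]:
    """Locate the module-name loop in a dump and recover its layout from the `loop` rel8.

    Returns (lodsb_va, loop_target_va, opens_with_xor): the branch target should be the
    `xor rax, rax` three bytes before lodsb, which is how the report's 0x4f0030 lines up.
    """
    off = blob.find(LOOP_MODNAME)
    if off < 0:
        return None
    lodsb_va = base + off
    after_loop = lodsb_va + len(LOOP_MODNAME)          # address following `loop rel8`
    rel8 = struct.unpack("b", LOOP_MODNAME[-1:])[0]    # 0xed -> -19
    target = after_loop + rel8
    opens_with_xor = off >= 3 and blob[off - 3:off] == XOR_RAX_RAX
    return lodsb_va, target, opens_with_xor


# Constructed stand-in for the 0x4f0000 page: 0x2d bytes of filler, then the loop body.
SAMPLE_PAGE = bytes(0x2D) + XOR_RAX_RAX + LOOP_MODNAME + bytes(0x10)

# Constructed candidate list (a real run would enumerate export tables).
CANDIDATES = [
    ("kernel32.dll", "LoadLibraryA"),
    ("kernel32.dll", "GetProcAddress"),
    ("kernel32.dll", "VirtualAlloc"),
    ("kernel32.dll", "ExitProcess"),
    ("ntdll.dll", "RtlExitUserThread"),
]

R14_FROM_REPORT = 1453503984   # registers.r14 in the exception record above

if __name__ == "__main__":
    print(f"kernel32.dll!LoadLibraryA -> {api_hash('kernel32.dll', 'LoadLibraryA'):#010x}")
    print(f"r14 {R14_FROM_REPORT:#x} -> {resolve(R14_FROM_REPORT, CANDIDATES)}")
    print(find_hash_loop(SAMPLE_PAGE, 0x4F0000))
```

To use it on the real sample, dump the 0x4f0000 region from the sandbox (or from a suspended copy of the process) and pass it to find_hash_loop with its base; the hash helpers then reverse any r10d value observed at a `call rbp` site, given the export names of the modules loaded in the target.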
host 106.15.67.102

Antivirus (vendor: verdict)
Bkav W64.AIDetectMalware
Lionic Trojan.Win32.CobaltStrike.4!c
Elastic Windows.Trojan.CobaltStrike
Cynet Malicious (score: 100)
Skyhigh BehavesLike.Win64.Generic.lm
ALYac Dump:Generic.ShellCode.Marte.2.511A6FE6
Cylance Unsafe
VIPRE Dump:Generic.ShellCode.Marte.2.511A6FE6
Sangfor Trojan.Win32.CobaltStrike
K7AntiVirus Trojan ( 0058fadf1 )
BitDefender Dump:Generic.ShellCode.Marte.2.511A6FE6
K7GW Riskware ( abcd70071 )
Cybereason malicious.0f95b9
Arcabit Dump:Generic.ShellCode.Marte.2.511A6FE6
VirIT Trojan.Win64.Genus.BRF
Symantec Backdoor.Cobalt
ESET-NOD32 a variant of Win64/CobaltStrike.Artifact.A
APEX Malicious
McAfee CobaltStrike-so!06ACAC40F95B
Avast Win64:Evo-gen [Trj]
ClamAV Win.Trojan.CobaltStrike-9044898-1
Kaspersky HEUR:Trojan.Win32.Generic
Alibaba Backdoor:Win64/Artifact.e63ff466
MicroWorld-eScan Dump:Generic.ShellCode.Marte.2.511A6FE6
Rising Backdoor.CobaltStrike/x64!1.E382 (CLASSIC)
Emsisoft Dump:Generic.ShellCode.Marte.2.511A6FE6 (B)
F-Secure Heuristic.HEUR/AGEN.1345031
DrWeb BackDoor.CobaltStrike.46
TrendMicro Backdoor.Win64.COBEACON.SMA
McAfeeD ti!2210845F0274
FireEye Generic.mg.06acac40f95b938c
Sophos ATK/Cobalt-A
SentinelOne Static AI - Malicious PE
Jiangmin Trojan.CozyDuke.dk
Google Detected
Avira HEUR/AGEN.1345031
MAX malware (ai score=82)
Antiy-AVL RiskWare/Win64.Artifact
Kingsoft malware.kb.a.913
Gridinsoft Trojan.Win64.CobaltStrike.tr
Microsoft Backdoor:Win64/CobaltStrike!pz
ZoneAlarm HEUR:Trojan.Win64.CobaltStrike.gen
GData MSIL.Backdoor.Rozena.L48MBL
Varist W64/Kryptik.GRO
AhnLab-V3 Malware/Win64.RL_Backdoor.R363496
TACHYON Trojan/W64.CobaltStrike.19456
DeepInstinct MALICIOUS
VBA32 Backdoor.Win64.CobaltStrike
Malwarebytes Generic.Malware.AI.DDS
Ikarus Trojan.Win64.Cobaltstrike
dead_host (connection attempted, no reply):
  106.15.67.102:80
  192.168.56.103 ports 49162, 49163, 49164, 49165, 49167, 49168, 49169, 49170, 49171, 49172 (private RFC 1918 address inside the analysis network, not a sample indicator)