Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 30, 2024, 9:26 a.m.	Sept. 30, 2024, 9:36 a.m.

Size	19.0KB
Type	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5	`dc66a0481a259a5c8820880822ff0b3a`
SHA256	`a8a1a9e80fd7d0ce85227bafd2ec004d2cb52d7e37744cd37bd3641c946822ef`
CRC32	`692B5C27`
ssdeep	`192:bV7qaCF6Op1t2dobVXujRDcBaXWQjwOT/2OcJWF8qa1Dojjgi:1qaCF31cix+Dc4zjbjFF46gi`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE64 - (no description)

update.exe "C:\Users\test22\AppData\Local\Temp\update.exe"
2552

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
47.239.242.141	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49165 -> 47.239.242.141:9999	2033713	ET MALWARE Cobalt Strike Beacon Observed	Targeted Malicious Activity was Detected
TCP 47.239.242.141:9999 -> 192.168.56.101:49162	2035442	ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1	A Network Trojan was detected
TCP 192.168.56.101:49163 -> 47.239.242.141:9999	2033713	ET MALWARE Cobalt Strike Beacon Observed	Targeted Malicious Activity was Detected

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Sept. 30, 2024, 9:26 a.m.	computer_name: TEST22-PC	1	1	0

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 30, 2024, 9:26 a.m.	process_identifier: 2552 region_size: 4194304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003520000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:26 a.m.	process_identifier: 2552 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000029d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:26 a.m.	process_identifier: 2552 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002720000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

update.exe tried to sleep 171 seconds, actually delayed analysis time by 171 seconds

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 30, 2024, 9:26 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000000000550000 process_handle: 0xffffffffffffffff	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

47.239.242.141

Network activity contains more than one unique useragent (2 events)

process	update.exe				useragent
process	update.exe				useragent	Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; MAARJS)

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)

Bkav	W64.AIDetectMalware
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win64.Trojan.lm
ALYac	Dump:Generic.ShellCode.Marte.2.4EB8D909
Cylance	Unsafe
VIPRE	Dump:Generic.ShellCode.Marte.2.4EB8D909
Sangfor	Trojan.Win32.CobaltStrike
CrowdStrike	win/malicious_confidence_100% (D)
BitDefender	Dump:Generic.ShellCode.Marte.2.4EB8D909
K7GW	Trojan ( 00580b4c1 )
K7AntiVirus	Trojan ( 00580b4c1 )
Arcabit	Dump:Generic.ShellCode.Marte.2.4EB8D909
VirIT	Trojan.Win64.Genus.BRF
Symantec	Backdoor.Cobalt
Elastic	Windows.Trojan.CobaltStrike
ESET-NOD32	a variant of Win64/CobaltStrike.Artifact.A
APEX	Malicious
Avast	Win64:Evo-gen [Trj]
ClamAV	Win.Trojan.CobaltStrike-9044898-1
Kaspersky	HEUR:Trojan.Win32.Generic
MicroWorld-eScan	Dump:Generic.ShellCode.Marte.2.4EB8D909
Rising	Backdoor.CobaltStrike/x64!1.E382 (CLASSIC)
Emsisoft	Dump:Generic.ShellCode.Marte.2.4EB8D909 (B)
F-Secure	Heuristic.HEUR/AGEN.1345031
DrWeb	BackDoor.CobaltStrike.46
TrendMicro	Backdoor.Win64.COBEACON.SMA
McAfeeD	ti!A8A1A9E80FD7
CTX	exe.unknown.dump
Sophos	ATK/Cobalt-A
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.dc66a0481a259a5c
Jiangmin	Trojan.CozyDuke.dk
Google	Detected
Avira	HEUR/AGEN.1345031
Antiy-AVL	RiskWare/Win64.Artifact
Kingsoft	malware.kb.a.890
Gridinsoft	Trojan.Win64.Kryptik.oa!s1
Microsoft	Backdoor:Win64/CobaltStrike!pz
ZoneAlarm	HEUR:Trojan.Win64.CobaltStrike.gen
GData	Dump:Generic.ShellCode.Marte.2.4EB8D909
Varist	W64/Kryptik.GRO
AhnLab-V3	Malware/Win64.RL_Backdoor.R363496
McAfee	CobaltStrike-so!DC66A0481A25
TACHYON	Trojan/W64.CobaltStrike.19456
DeepInstinct	MALICIOUS
VBA32	Backdoor.Win64.CobaltStrike
Malwarebytes	Generic.Malware.AI.DDS
Ikarus	Trojan.Win64.Cobaltstrike
Panda	Trj/GdSda.A
TrendMicro-HouseCall	Backdoor.Win64.COBEACON.SMA

update.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All