Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 30, 2024, 11:26 a.m.	Sept. 30, 2024, 11:33 a.m.

Size	19.0KB
Type	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5	`370dcc1d0729d93d08255de011febaa4`
SHA256	`722359ebd46ace2d25802959791ae3f6af433451d81b915cdb72890cbba357ef`
CRC32	`9160D192`
ssdeep	`192:yV7qaCF6Op1t2dobVXujRDcBaXWQjwOT/28pZkEtNx/WF8qa1Dojjgi:8qaCF31cix+Dc4zjPwFFF46gi`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE64 - (no description)

Session.exe "C:\Users\test22\AppData\Local\Temp\Session.exe"
2552

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
89.197.154.115	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 30, 2024, 11:16 a.m.	stacktrace: 0x560030 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c 0xcc000c exception.instruction_r: ac 3c 61 7c 02 2c 20 41 c1 c9 0d 41 01 c1 e2 ed exception.instruction: lodsb al, byte ptr [rsi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x560030 registers.r14: 1453503984 registers.r15: 0 registers.rcx: 110 registers.rsi: 110 registers.r10: 0 registers.rbx: 5636566 registers.rsp: 11336808 registers.r11: 514 registers.r8: 8791748268556 registers.r9: 0 registers.rdx: 1994794592 registers.r12: 0 registers.rbp: 5636106 registers.rdi: 0 registers.rax: 0 registers.r13: 0	1	0	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 30, 2024, 11:15 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000000000560000 process_handle: 0xffffffffffffffff	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

89.197.154.115

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)

Bkav	W64.AIDetectMalware
Lionic	Trojan.Win32.CobaltStrike.4!c
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win64.Trojan.lm
ALYac	Dump:Generic.ShellCode.Marte.2.37C295C5
Cylance	Unsafe
VIPRE	Dump:Generic.ShellCode.Marte.2.37C295C5
Sangfor	Trojan.Win32.CobaltStrike
CrowdStrike	win/malicious_confidence_100% (D)
BitDefender	Dump:Generic.ShellCode.Marte.2.37C295C5
K7GW	Trojan ( 00580b4c1 )
K7AntiVirus	Trojan ( 00580b4c1 )
Arcabit	Dump:Generic.ShellCode.Marte.2.37C295C5
VirIT	Trojan.Win64.Genus.BRF
Symantec	Backdoor.Cobalt
Elastic	Windows.Trojan.CobaltStrike
ESET-NOD32	a variant of Win64/CobaltStrike.Artifact.A
APEX	Malicious
Avast	Win64:Evo-gen [Trj]
ClamAV	Win.Trojan.CobaltStrike-9044898-1
Kaspersky	HEUR:Trojan.Win32.Generic
MicroWorld-eScan	Dump:Generic.ShellCode.Marte.2.37C295C5
Rising	Backdoor.CobaltStrike/x64!1.E382 (CLASSIC)
Emsisoft	Dump:Generic.ShellCode.Marte.2.37C295C5 (B)
F-Secure	Heuristic.HEUR/AGEN.1345031
DrWeb	BackDoor.CobaltStrike.46
TrendMicro	Backdoor.Win64.COBEACON.SMA
McAfeeD	ti!722359EBD46A
CTX	exe.trojan.cobaltstrike
Sophos	ATK/Cobalt-A
Ikarus	Trojan.Win64.Cobaltstrike
FireEye	Generic.mg.370dcc1d0729d93d
Jiangmin	Trojan.CozyDuke.dk
Google	Detected
Avira	HEUR/AGEN.1345031
Antiy-AVL	RiskWare/Win64.Artifact
Kingsoft	Win64.Trojan.CobaltStrike.gen
Gridinsoft	Trojan.Win64.Kryptik.oa!s1
Microsoft	Backdoor:Win64/CobaltStrike!pz
ZoneAlarm	HEUR:Trojan.Win64.CobaltStrike.gen
GData	Dump:Generic.ShellCode.Marte.2.37C295C5
Varist	W64/Kryptik.GRO
AhnLab-V3	Malware/Win64.RL_Backdoor.R363496
McAfee	CobaltStrike-so!370DCC1D0729
TACHYON	Trojan/W64.CobaltStrike.19456
DeepInstinct	MALICIOUS
VBA32	Backdoor.Win64.CobaltStrike
Malwarebytes	Generic.Malware.AI.DDS
Panda	Trj/GdSda.A
TrendMicro-HouseCall	Backdoor.Win64.COBEACON.SMA

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (11 events)

dead_host	192.168.56.101:49162
dead_host	192.168.56.101:49171
dead_host	192.168.56.101:49170
dead_host	192.168.56.101:49167
dead_host	192.168.56.101:49169
dead_host	192.168.56.101:49166
dead_host	192.168.56.101:49168
dead_host	192.168.56.101:49165
dead_host	192.168.56.101:49164
dead_host	89.197.154.115:7700
dead_host	192.168.56.101:49172

Session.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All