popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Session-https.exe

Malicious Library PE64 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Oct. 13, 2024, 12:05 p.m. Oct. 13, 2024, 12:15 p.m.
Size 321.0KB
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5 f05982b55c7a85b9e71a941fe2295848
SHA256 5462b422de6d759e45cc0269d564acbf0805c4441aba38bd28133c98d1187888
CRC32 71A8FBDF
ssdeep 6144:ClFf2d3xRiZ6/32f1RYhG1saU1LQsFtyWHSntMC6pP98WknVyH9RqL84/:qF6BkZWU1RRs/gSU
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
89.197.154.116 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 89.197.154.116:7810 -> 192.168.56.103:49165 2260001 SURICATA Applayer Wrong direction first Data Generic Protocol Command Decode
TCP 89.197.154.116:7810 -> 192.168.56.103:49170 2260001 SURICATA Applayer Wrong direction first Data Generic Protocol Command Decode

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameA

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 1836
region_size: 360448
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000960000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0
description Session-https.exe tried to sleep 171 seconds, actually delayed analysis time by 171 seconds
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 1836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 307200
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x0000000000910000
process_handle: 0xffffffffffffffff
1 0 0
section {u'size_of_data': u'0x0004be00', u'virtual_address': u'0x00004000', u'entropy': 7.29157043302336, u'name': u'.data', u'virtual_size': u'0x0004bcf0'} entropy 7.29157043302 description A section with a high entropy has been found
entropy 0.9484375 description Overall entropy of this PE file is high
host 89.197.154.116
Bkav W64.AIDetectMalware
Cynet Malicious (score: 100)
Skyhigh BehavesLike.Win64.Trojan.fc
ALYac Dump:Generic.Beacon.Marte.B.CE1733DB
Cylance Unsafe
VIPRE Dump:Generic.Beacon.Marte.B.CE1733DB
Sangfor Trojan.Win32.CobaltStrike
CrowdStrike win/malicious_confidence_100% (D)
BitDefender Dump:Generic.Beacon.Marte.B.CE1733DB
K7GW Trojan ( 0058fadf1 )
K7AntiVirus Trojan ( 0058fadf1 )
Arcabit Dump:Generic.Beacon.Marte.B.CED6C5DB
VirIT Trojan.Win64.CobalStrike
Symantec Backdoor.Cobalt
Elastic Windows.Trojan.CobaltStrike
ESET-NOD32 a variant of Win64/CobaltStrike.Artifact.A
APEX Malicious
Avast Win64:Evo-gen [Trj]
ClamAV Win.Trojan.CobaltStrike-9044898-1
Kaspersky HEUR:Trojan.Win32.Cometer.gen
MicroWorld-eScan Dump:Generic.Beacon.Marte.B.CE1733DB
Rising Backdoor.CobaltStrike/x64!1.E382 (CLASSIC)
Emsisoft Dump:Generic.Beacon.Marte.B.CE1733DB (B)
F-Secure Heuristic.HEUR/AGEN.1344321
DrWeb BackDoor.Meterpreter.157
TrendMicro Backdoor.Win64.COBEACON.SMA
McAfeeD ti!5462B422DE6D
Trapmine suspicious.low.ml.score
CTX exe.unknown.beacon
Sophos ATK/Cobalt-A
SentinelOne Static AI - Malicious PE
FireEye Generic.mg.f05982b55c7a85b9
Jiangmin Trojan.CobaltStrike.qz
Google Detected
Avira HEUR/AGEN.1344321
Antiy-AVL Trojan/Win64.Kryptik
Kingsoft malware.kb.a.1000
Gridinsoft Trojan.Win64.Kryptik.oa!s1
Microsoft Backdoor:Win64/CobaltStrike.NP!dha
ZoneAlarm HEUR:Trojan.Win32.Cometer.gen
GData Dump:Generic.Beacon.Marte.B.CE1733DB
Varist W64/Cobalt.M.gen!Eldorado
AhnLab-V3 Backdoor/Win.COBEACON.R611870
Acronis suspicious
McAfee Trojan-FWTM!F05982B55C7A
TACHYON Trojan/W64.CobaltStrike.328704
DeepInstinct MALICIOUS
VBA32 Trojan.Win64.CobaltStrike
Ikarus Trojan.Win64.Cobaltstrike
Panda Trj/GdSda.A