Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 16, 2024, 2:23 p.m.	Oct. 16, 2024, 2:30 p.m.

Size	14.0KB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`ac32f23e9c96c392ceed9e6c5ee5857d`
SHA256	`e68b138b56ec7235cc745aaf4489265a33665e811a3250b6668a29ea36790e89`
CRC32	`F4176C17`
ssdeep	`192:AeH+DgGK83SxHn2OQ/dmBI4KBfTgir+xz2afbqUqV/Qjo7AGa:A6+kGKqbOCdWIVBff+xzvTfCXAn`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

qet-test.exe "C:\Users\test22\AppData\Local\Temp\qet-test.exe"
1836

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
62.204.41.45	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 16, 2024, 2:23 p.m.	process_identifier: 1836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x004f0000 process_handle: 0xffffffff	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

62.204.41.45

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

62.204.41.45:8091

File has been identified by 65 AntiVirus engines on VirusTotal as malicious (50 out of 65 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Sheljector.trJD
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.GenericPMF.S22096310
Skyhigh	BehavesLike.Win32.Trojan.lm
ALYac	Trojan.GenericKDZ.80482
Cylance	Unsafe
VIPRE	Trojan.GenericKDZ.80482
Sangfor	Trojan.Win32.CobaltStrike
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.GenericKDZ.80482
K7GW	Trojan ( 005622831 )
K7AntiVirus	Trojan ( 005622831 )
Arcabit	Trojan.Generic.D13A62
VirIT	Trojan.Win32.Inject3.DZW
Symantec	Backdoor.Cobalt
Elastic	Windows.Trojan.CobaltStrike
ESET-NOD32	a variant of Win32/CobaltStrike.Artifact.A
APEX	Malicious
Avast	Win32:HacktoolX-gen [Trj]
ClamAV	Win.Trojan.CobaltStrike-7899872-1
Kaspersky	HEUR:Trojan.Win32.CobaltStrike.gen
Alibaba	Trojan:Win32/Rozena.12cc
NANO-Antivirus	Trojan.Win32.Inject3.horsiq
MicroWorld-eScan	Trojan.GenericKDZ.80482
Rising	Backdoor.CobaltStrike!1.D049 (CLASSIC)
Emsisoft	Trojan.Rozena (A)
F-Secure	Trojan.TR/Crypt.XPACK.Gen7
DrWeb	Trojan.Inject3.2700
Zillya	Trojan.Rozena.Win32.99309
TrendMicro	Trojan.Win32.COBALT.SM
McAfeeD	ti!E68B138B56EC
CTX	exe.trojan.cobaltstrike
Sophos	ATK/Cobalt-A
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.ac32f23e9c96c392
Jiangmin	Trojan.Generic.ftawl
Webroot
Google	Detected
Avira	TR/Crypt.XPACK.Gen7
Antiy-AVL	Trojan/Win32.Wacatac
Kingsoft	malware.kb.a.998
Gridinsoft	Trojan.Win32.Heur.oa!s1
Microsoft	Backdoor:Win64/CobaltStrike!pz
ViRobot	Trojan.Win32.Cobalt.14336.J
ZoneAlarm	HEUR:Trojan.Win32.CobaltStrike.gen
GData	Win32.Trojan.PSE.PHVAWJ
Varist	W32/CobaltStrike.RAUR-3469
AhnLab-V3	Trojan/Win32.CobaltStrike.R329694
McAfee	Trojan-Cobalt!AC32F23E9C96

qet-test.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All