Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 16, 2024, 6:12 p.m.	Dec. 16, 2024, 6:23 p.m.

Size	354.5KB
Type	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5	`e9289cac82968862715653ae5eb5d2a4`
SHA256	`e2f0800a6b674891005a97942ff0cf8ab7082c2ecfc072d5c29cd87ecb1f09f6`
CRC32	`B0EE659C`
ssdeep	`6144:MBDGJ0RkoDaBH4Uv+XAlM2OU8sxxJn54uW1IxmMnmO2o+hZpPGiqStw:MQC3mpWwlM2OUV1LW1IVmOmZpPhtw`
Yara	Malicious_Library_Zero - Malicious_Library IsPE64 - (no description) PE_Header_Zero - PE File Signature

test30.exe "C:\Users\test22\AppData\Local\Temp\test30.exe"
2024

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
20.83.148.22	Active	Moloch
213.238.177.46	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Dec. 16, 2024, 6:05 p.m.	computer_name: TEST22-PC	1	1	0

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Dec. 16, 2024, 6:05 p.m.	process_identifier: 2024 region_size: 397312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000720000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0	0

A process attempted to delay the analysis task. (1 event)

description

test30.exe tried to sleep 215 seconds, actually delayed analysis time by 215 seconds

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Dec. 16, 2024, 6:05 p.m.	process_identifier: 2024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 344064 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00000000006c0000 process_handle: 0xffffffffffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00054400', u'virtual_address': u'0x00004000', u'entropy': 7.3180728322348125, u'name': u'.data', u'virtual_size': u'0x000542c0'}

entropy

7.31807283223

description

A section with a high entropy has been found

entropy

0.953323903819

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (2 events)

host	20.83.148.22
host	213.238.177.46

File has been identified by 63 AntiVirus engines on VirusTotal as malicious (50 out of 63 events)

Bkav	W32.Common.0CA24CB2
Lionic	Trojan.Win32.CobaltStrike.4!c
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.Ghanarava.1734162297b5d2a4
Skyhigh	BehavesLike.Win64.Generic.fc
ALYac	Trojan.GenericKD.74959049
Cylance	Unsafe
VIPRE	Trojan.GenericKD.74959049
Sangfor	Trojan.Win32.CobaltStrike
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.GenericKD.74959049
K7GW	Trojan ( 0058fadf1 )
K7AntiVirus	Trojan ( 0058fadf1 )
Arcabit	Trojan.Generic.D477C8C9
Symantec	Backdoor.Cobalt
Elastic	Windows.Trojan.CobaltStrike
ESET-NOD32	a variant of Win64/CobaltStrike.Artifact.A
APEX	Malicious
Avast	Win64:HacktoolX-gen [Trj]
ClamAV	Win.Countermeasure.LoaderWinGeneric-9804845-2
Kaspersky	HEUR:Trojan.Win32.Generic
Alibaba	Backdoor:Win64/Artifact.9e2d40ba
NANO-Antivirus	Trojan.Win64.Meterpreter.ktsnbb
MicroWorld-eScan	Trojan.GenericKD.74959049
Rising	Trojan.CobaltStrike!8.EDF2 (CLOUD)
Emsisoft	Trojan.GenericKD.74959049 (B)
F-Secure	Trojan.TR/AVI.Hack.dngqg
DrWeb	BackDoor.Meterpreter.157
Zillya	Trojan.CobaltStrike.Win64.17548
TrendMicro	Backdoor.Win64.COBEACON.SMA
McAfeeD	ti!E2F0800A6B67
Trapmine	suspicious.low.ml.score
CTX	exe.trojan.cobaltstrike
Sophos	ATK/Cobalt-A
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.e9289cac82968862
Jiangmin	Trojan.Generic.hsrro
Webroot	Win.Trojan.Cobaltstrike
Google	Detected
Avira	TR/AVI.Hack.dngqg
Antiy-AVL	Trojan/Win32.Cometer
Kingsoft	malware.kb.a.989
Gridinsoft	Trojan.Win64.Kryptik.sa
Xcitium	Malware@#desvsfhx26e7
Microsoft	Backdoor:Win64/CobaltStrike.NP!dha
GData	Trojan.GenericKD.74959049
Varist	W64/Cobaltstrike.Q.gen!Eldorado
AhnLab-V3	Backdoor/Win.CobaltStrike.C4668748
McAfee	Artemis!E9289CAC8296
DeepInstinct	MALICIOUS

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (6 events)

dead_host	192.168.56.103:49162
dead_host	20.83.148.22:80
dead_host	192.168.56.103:49165
dead_host	192.168.56.103:49164
dead_host	192.168.56.103:49167
dead_host	192.168.56.103:49166

test30.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All