Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Jan. 12, 2025, 2:29 p.m.	Jan. 12, 2025, 2:32 p.m.

Size	151.1KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`800dcb9f93715f5ed7189be2e35aebd9`
SHA256	`cff151ab7a8c0d221278758e76f71fc6c120d22bc39bf98daabfe1f450642a6f`
CRC32	`99EADE23`
ssdeep	`1536:/LtDu076JchveHZHAsFXGDDkDNsJQ337Tcxg3cXf3NsMpphw6p0HP94Y8udRivy:TtD9+dHNAe2v8Ns67wg3af9skh4eS/i6`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE64 - (no description)

cbot.exe "C:\Users\test22\AppData\Local\Temp\cbot.exe"
2544

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
154.213.192.42	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (38 events)

Time & API	Arguments	Status	Return
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: smss.exe process_identifier: 224	1	1
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: csrss.exe process_identifier: 304	1	1
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: wininit.exe process_identifier: 352	1	1
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: csrss.exe process_identifier: 360	1	1
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: winlogon.exe process_identifier: 400	1	1
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: services.exe process_identifier: 444	1	1
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: lsm.exe process_identifier: 468	1	1
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: svchost.exe process_identifier: 572	1	1
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: svchost.exe process_identifier: 652	1	1
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: svchost.exe process_identifier: 724	1	1
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: svchost.exe process_identifier: 784	1	1
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: svchost.exe process_identifier: 832	1	1
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: audiodg.exe process_identifier: 900	1	1
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: svchost.exe process_identifier: 992	1	1
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: svchost.exe process_identifier: 292	1	1
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: spoolsv.exe process_identifier: 324	1	1
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: svchost.exe process_identifier: 1048	1	1
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: srvany.exe process_identifier: 1284	1	1
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: KMService.exe process_identifier: 1436	1	1
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: conhost.exe process_identifier: 1448	1	1
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: taskhost.exe process_identifier: 1600	1	1
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: sppsvc.exe process_identifier: 1820	1	1
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: svchost.exe process_identifier: 1896	1	1
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: dwm.exe process_identifier: 1260	1	1
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: explorer.exe process_identifier: 1452	1	1
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: pw.exe process_identifier: 988	1	1
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: SearchIndexer.exe process_identifier: 1160	1	1
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: SearchProtocolHost.exe process_identifier: 936	1	1
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: SearchFilterHost.exe process_identifier: 2000	1	1
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: mobsync.exe process_identifier: 2280	1	1
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: pw.exe process_identifier: 2324	1	1
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: wsqmcons.exe process_identifier: 2356	1	1
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: taskhost.exe process_identifier: 2368	1	1
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: sdclt.exe process_identifier: 2376	1	1
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: cbot.exe process_identifier: 2544	1	1
Process32NextW Jan. 12, 2025, 2:23 p.m.	snapshot_handle: 0x00000000000000c0 process_name: taskhost.exe process_identifier: 2920	1	1
Process32NextW Jan. 12, 2025, 2:23 p.m.	snapshot_handle: 0x00000000000000c0 process_name: svchost.exe process_identifier: 3068	1	1
Process32NextW Jan. 12, 2025, 2:24 p.m.	snapshot_handle: 0x00000000000000c0 process_name: WmiPrvSE.exe process_identifier: 2516	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00018a00', u'virtual_address': u'0x00068000', u'entropy': 7.988732441146595, u'name': u'UPX1', u'virtual_size': u'0x00019000'}

entropy

7.98873244115

description

A section with a high entropy has been found

entropy

0.994949494949

description

Overall entropy of this PE file is high

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 464 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x0000000000000098 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0
Process32NextW Jan. 12, 2025, 2:22 p.m.	snapshot_handle: 0x00000000000000c0 process_name: cbot.exe process_identifier: 2544		0	0

The executable is compressed using UPX (3 events)

section	UPX0	description	Section name indicates UPX
section	UPX1	description	Section name indicates UPX
section	UPX2	description	Section name indicates UPX

Communicates with host for which no DNS query was performed (1 event)

host

154.213.192.42

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

192.168.56.101:49161

File has been identified by 42 AntiVirus engines on VirusTotal as malicious (42 events)

Lionic	Trojan.Win32.Reconyc.4!c
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.Ghanarava.17365985005aebd9
Skyhigh	BehavesLike.Win64.Generic.cc
Cylance	Unsafe
VIPRE	Trojan.GenericKD.75326791
Sangfor	Trojan.Win32.Reconyc.V9h8
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.GenericKD.75324933
Arcabit	Trojan.Generic.D47D5E05
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (moderate confidence)
APEX	Malicious
Avast	FileRepMalware [Misc]
Kaspersky	Trojan.Win32.Reconyc.prwm
Alibaba	Trojan:Win32/Reconyc.23088aa2
MicroWorld-eScan	Trojan.GenericKD.75324933
Rising	Trojan.Agent!8.B1E (TFE:5:vUMVo8tikvP)
Emsisoft	Trojan.GenericKD.75324933 (B)
F-Secure	Trojan.TR/Reconyc.kmzcd
McAfeeD	Real Protect-LS!800DCB9F9371
Trapmine	malicious.high.ml.score
CTX	exe.trojan.reconyc
Sophos	Mal/Generic-S
FireEye	Generic.mg.800dcb9f93715f5e
Google	Detected
Avira	TR/Reconyc.kmzcd
Antiy-AVL	Trojan/Win32.Etset
Kingsoft	malware.kb.b.953
Microsoft	Trojan:Win32/Wacatac.B!ml
GData	Trojan.GenericKD.75324933
Varist	W64/ABTrojan.WMHZ-5076
McAfee	Artemis!800DCB9F9371
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware/Suspicious
Panda	Trj/Chgt.AD
huorong	Trojan/Agent.cau
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	PossibleThreat.MU
AVG	FileRepMalware [Misc]
Paloalto	generic.ml
alibabacloud	Trojan:Win/Phonzy.B9nj

cbot.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All