Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 14, 2025, 9:54 a.m.	Jan. 14, 2025, 9:58 a.m.

Size	289.0KB
Type	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5	`ad4ad1de86b6965b256a84ad14b38c59`
SHA256	`8bcd638706d2dc6e6c1b86473b2d2000b185c5137468aee2538e4414671be56a`
CRC32	`0BDD7F85`
ssdeep	`6144:kxZkkMJ3ADNnwrqFWHWKQS0dC8NXa1CLJ+NVDS:q5O3ABnwrqdvS0dDc1CU`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE64 - (no description)

beacon.exe "C:\Users\test22\AppData\Local\Temp\beacon.exe"
1712

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
106.53.83.169	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Jan. 14, 2025, 9:46 a.m.	computer_name: TEST22-PC	1	1	0

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Jan. 14, 2025, 9:46 a.m.	process_identifier: 1712 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000910000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0	0
NtAllocateVirtualMemory Jan. 14, 2025, 9:46 a.m.	process_identifier: 1712 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002700000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0	0

A process attempted to delay the analysis task. (1 event)

description

beacon.exe tried to sleep 171 seconds, actually delayed analysis time by 171 seconds

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Jan. 14, 2025, 9:46 a.m.	process_identifier: 1712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 278528 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00000000008c0000 process_handle: 0xffffffffffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00043e00', u'virtual_address': u'0x00004000', u'entropy': 7.049168822228546, u'name': u'.data', u'virtual_size': u'0x00043cf0'}

entropy

7.04916882223

description

A section with a high entropy has been found

entropy

0.942708333333

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 event)

host

106.53.83.169

File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 events)

Bkav	W64.AIDetectMalware
Lionic	Trojan.Win32.CobaltStrike.4!c
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.Ghanarava.1736797474b38c59
Skyhigh	BehavesLike.Win64.Backdoor.dc
ALYac	Dump:Generic.Beacon.Marte.B.B1B44825
Cylance	Unsafe
VIPRE	Dump:Generic.Beacon.Marte.B.B1B44825
Sangfor	Trojan.Win32.CobaltStrike
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Dump:Generic.Beacon.Marte.B.B1B44825
K7GW	Trojan ( 00580b4c1 )
K7AntiVirus	Trojan ( 00580b4c1 )
Arcabit	Dump:Generic.Beacon.Marte.B.B1B44825
Symantec	Backdoor.Cobalt
Elastic	Windows.Trojan.CobaltStrike
ESET-NOD32	a variant of Win64/CobaltStrike.Artifact.A
APEX	Malicious
Avast	Win64:HacktoolX-gen [Trj]
ClamAV	Win.Trojan.CobaltStrike-9044898-1
Kaspersky	HEUR:Trojan.Win64.CobaltStrike.gen
Alibaba	Backdoor:Win64/Artifact.cba73e7e
MicroWorld-eScan	Dump:Generic.Beacon.Marte.B.B1B44825
Rising	Backdoor.CobaltStrike/x64!1.E382 (CLASSIC)
Emsisoft	Dump:Generic.Beacon.Marte.B.B1B44825 (B)
F-Secure	Heuristic.HEUR/AGEN.1377194
DrWeb	BackDoor.Meterpreter.157
TrendMicro	Backdoor.Win64.COBEACON.SMA
McAfeeD	ti!8BCD638706D2
CTX	exe.trojan.cobaltstrike
Sophos	ATK/Cobalt-JW
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.ad4ad1de86b6965b
Jiangmin	Trojan.CobaltStrike.ih
Webroot	W32.Malware.gen
Google	Detected
Avira	HEUR/AGEN.1377194
Antiy-AVL	RiskWare/Win64.Artifact
Kingsoft	Win64.Trojan.CobaltStrike.gen
Gridinsoft	Trojan.Win64.CobaltStrike.tr
Microsoft	Backdoor:Win64/CobaltStrike.NP!dha
GData	Dump:Generic.Beacon.Marte.B.B1B44825
Varist	W64/Kryptik.GRP
McAfee	Trojan-FWTM!AD4AD1DE86B6
TACHYON	Trojan/W64.CobaltStrike.295936
DeepInstinct	MALICIOUS
VBA32	Trojan.Win64.CobaltStrike
Malwarebytes	Generic.Malware.AI.DDS
Ikarus	Trojan.Win64.Cobaltstrike
Panda	Trj/CI.A

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 events)

dead_host	192.168.56.103:49164
dead_host	192.168.56.103:49162
dead_host	106.53.83.169:60127

beacon.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All