Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 28, 2025, 8:59 a.m.	April 28, 2025, 9:12 a.m.

Size	300.0KB
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`b24faa9c6e485219f062a61daa9b205d`
SHA256	`28f7f21d0ea33eff355cae889af64e37ae51252b5e345c3b98c95caae883bad0`
CRC32	`54666988`
ssdeep	`6144:Gj/7Qsrm8pU99tkS1eTbqreronvFPedimOY:GvLPw9tZU+vFPeMNY`
Yara	PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE64 - (no description) IsDLL - (no description) CobaltStrike_IN - CobaltStrike HKTL_CobaltStrike_Beacon_Strings - Identifies strings used in Cobalt Strike Beacon DLL Malicious_Library_Zero - Malicious_Library Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\beacon.bin.dll,ReflectiveLoader
2548
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\beacon.bin.dll,ReflectiveLoader
  2692
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\beacon.bin.dll,
2632

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 28, 2025, 8:59 a.m.			0	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 28, 2025, 8:59 a.m.	stacktrace: ReflectiveLoader+0xe81 beacon+0x1a355 @ 0x7fef42da355 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 0x3000 exception.instruction_r: f3 a4 44 8b 84 24 a0 00 00 00 ba 40 00 00 00 48 exception.instruction: movsb byte ptr [rdi], byte ptr [rsi] exception.exception_code: 0xc0000005 exception.symbol: ReflectiveLoader+0xe81 beacon+0x1a355 exception.address: 0x7fef42da355 registers.r14: 0 registers.r15: 0 registers.rcx: 64 registers.rsi: 1915142162 registers.r10: 0 registers.rbx: 524664 registers.rsp: 2161112 registers.r11: 514 registers.r8: 8791599612160 registers.r9: 8791599611904 registers.rdx: 34996224 registers.r12: 10 registers.rbp: 3850304 registers.rdi: 35356608 registers.rax: 1915142162 registers.r13: 0	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 28, 2025, 8:59 a.m.	process_identifier: 2692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1	0	0
NtAllocateVirtualMemory April 28, 2025, 8:59 a.m.	process_identifier: 2692 region_size: 360448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002160000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00007600', u'virtual_address': u'0x00042000', u'entropy': 7.0078066294454855, u'name': u'.data', u'virtual_size': u'0x00011848'}

entropy

7.00780662945

description

A section with a high entropy has been found

File has been identified by 60 AntiVirus engines on VirusTotal as malicious (50 out of 60 events)

Bkav	W64.AIDetectMalware
Cynet	Malicious (score: 100)
CAT-QuickHeal	cld.trojan.cometer
Skyhigh	BehavesLike.Win64.Trojan.fh
ALYac	Gen:Trojan.Beacon.Shellcode.Marte.1
Cylance	Unsafe
VIPRE	Gen:Trojan.Beacon.Shellcode.Marte.1
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Gen:Trojan.Beacon.Shellcode.Marte.1
K7GW	Trojan ( 00580dca1 )
K7AntiVirus	Trojan ( 00580dca1 )
Arcabit	Trojan.Beacon.Shellcode.Marte.1
VirIT	Trojan.Win32.CbltStrkT.DZHC
Symantec	Trojan Horse
Elastic	Windows.Trojan.CobaltStrike
ESET-NOD32	a variant of Win64/CobaltStrike.Beacon.A
APEX	Malicious
Avast	Win32:CobalStrike-A [Hack]
ClamAV	Win.Trojan.CobaltStrike-8091534-0
Kaspersky	HEUR:Trojan.Win32.Cometer.gen
Alibaba	Trojan:Win32/Cometer.0ce85f78
MicroWorld-eScan	Gen:Trojan.Beacon.Shellcode.Marte.1
Rising	Backdoor.CobaltStrike/x64!1.EA41 (CLASSIC)
Emsisoft	Gen:Trojan.Beacon.Shellcode.Marte.1 (B)
F-Secure	Heuristic.HEUR/AGEN.1364561
DrWeb	BackDoor.Meterpreter.157
Zillya	Trojan.CobaltStrike.Win64.7888
TrendMicro	Backdoor.Win64.COBEACON.SMAC.stg
McAfeeD	Real Protect-LS!B24FAA9C6E48
Trapmine	malicious.moderate.ml.score
CTX	dll.trojan.cobaltstrike
Sophos	ATK/Cobalt-FV
SentinelOne	Static AI - Malicious PE
Jiangmin	Trojan.Cometer.cvo
Webroot	W32.Trojan.Gen
Google	Detected
Avira	HEUR/AGEN.1364561
Antiy-AVL	Trojan[Spy]/Win64.Beacon.a
Kingsoft	malware.kb.a.999
Gridinsoft	Susp.U.XOREncoded.sd!yf
Microsoft	Trojan:Win32/CobaltStrike.SD!MTB
ZoneAlarm	ATK/Cobalt-FV
GData	Gen:Trojan.Beacon.Shellcode.Marte.1
Varist	W64/Cobaltstrike.R.gen!Eldorado
AhnLab-V3	Trojan/Win32.RL_Cometer.R325811
McAfee	Artemis!B24FAA9C6E48
TACHYON	Trojan/W64.Cometer.307200
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware.AI.DDS

beacon.bin

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All