popup

Report - promot_s.msi

Generic Malware Malicious Library CAB MSOffice File OS Processor Check
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.09.15 19:12 Machine s1_win7_x6403
Filename promot_s.msi
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 14:06:51 2020, Security: 0, Code page: 1252, Revision Number: {712FA1FF-5EDD-4B8A-A341-2
AI Score Not founds Behavior Score
4.2
ZERO API file : clean
VT API (file) 3 detected (WjexjofuRAT, Detected, Generic@AI, RDML, 4BSI7VQWrlAjlQ6ssGNUhA)
md5 96d99e6c2e7c358b9d663595d3af5f27
sha256 301432e6053a0f092e8f5137a97ef3543934e0f8e200bd0c7844886e4c72e7e9
ssdeep 393216:bQcblwAxiRsytVOtSOuySa3/B5Qw0a4/AlwZnb87:lbys0MSOuySuLQPa7gA
imphash
impfuzzy
  Network IP location

Signature (11cnts)

Level Description
watch Attempts to create or modify system certificates
watch One or more of the buffers contains an embedded PE file
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice File has been identified by 3 AntiVirus engines on VirusTotal as malicious
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Queries for the computername

Rules (5cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
info CAB_file_format CAB archive file binaries (upload)
info Microsoft_Office_File_Zero Microsoft Office File binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)

Network (9cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://apps.identrust.com/roots/dstrootcax3.p7c
whois
US Akamai International B.V. 23.67.53.17 clean
https://www.google-analytics.com/collect?v=1&tid=UA-380480-23&cid=%7B8A15A8BB-1D80-42A0-9E54-76E6BF4346F8%7D&t=event&ec=Session&ea=Start&an=ImBatch&av=7.6.0&ul=en-GB&sr=1024x768&sc=start&z=88081
whois
US GOOGLE 172.217.27.46 clean
www.bolidesoft.com
whois
US PRIVATESYSTEMS 104.193.111.117 clean
www.google-analytics.com
whois
US GOOGLE 142.250.76.142 clean
www.highmotionsoftware.com
whois
US PRIVATESYSTEMS 104.193.111.101 clean
23.32.56.72
whois
US AKAMAI-AS 23.32.56.72 clean
104.193.111.101
whois
US PRIVATESYSTEMS 104.193.111.101 clean
172.217.27.46
whois
US GOOGLE 172.217.27.46 clean
104.193.111.117
whois
US PRIVATESYSTEMS 104.193.111.117 clean

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

Similarity measure (PE file only) - Checking for service failure