ScreenShot
Created | 2023.09.16 14:05 | Machine | s1_win7_x6403 |
Filename | promot_s.msi | ||
Type | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 14:06:51 2020, Security: 0, Code page: 1252, Revision Number: {712FA1FF-5EDD-4B8A-A341-2 | ||
AI Score | Not founds | Behavior Score |
|
ZERO API | file : mailcious | ||
VT API (file) | 4 detected (Generic@AI, RDML, 4BSI7VQWrlAjlQ6ssGNUhA, Artemis, Detected, WjexjofuRAT) | ||
md5 | 96d99e6c2e7c358b9d663595d3af5f27 | ||
sha256 | 301432e6053a0f092e8f5137a97ef3543934e0f8e200bd0c7844886e4c72e7e9 | ||
ssdeep | 393216:bQcblwAxiRsytVOtSOuySa3/B5Qw0a4/AlwZnb87:lbys0MSOuySuLQPa7gA | ||
imphash | |||
impfuzzy |
Network IP location
Signature (11cnts)
Level | Description |
---|---|
watch | Attempts to create or modify system certificates |
watch | One or more of the buffers contains an embedded PE file |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | File has been identified by 4 AntiVirus engines on VirusTotal as malicious |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Queries for the computername |
Rules (5cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
info | CAB_file_format | CAB archive file | binaries (upload) |
info | Microsoft_Office_File_Zero | Microsoft Office File | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
Network (9cnts) ?
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)