popup

Report - Report6.msi

DarkGate Malicious Library MSOffice File CAB OS Processor Check
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.10.11 11:27 Machine s1_win7_x6401
Filename Report6.msi
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Microsoft Windows Operating System - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com 10.0.19041.685, Subject: Microsoft Wind
AI Score Not founds Behavior Score
5.2
ZERO API file : clean
VT API (file) 11 detected (Artemis, GenCBL, R002V01JA23, Yakes, ccnc, Generic@AI, RDML, Fm+zk+yb+huDxibjOxRirg, Outbreak, DarkGate)
md5 08b7acfc53290cda3cc74fcef70f6e65
sha256 4325d78175a803fb6a1d235e8255816a07283501087e1b115f28c38b6b542856
ssdeep 12288:ItvRQ+gjpjegGdo8pcQrxugH8KiWhK6nPnf2bWGTHAQCuWI:ItncpVGPWixurKiWhKSf2lhCD
imphash
impfuzzy
  Network IP location

Signature (12cnts)

Level Description
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
watch File has been identified by 11 AntiVirus engines on VirusTotal as malicious
watch One or more of the buffers contains an embedded PE file
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Queries for the computername

Rules (4cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
info CAB_file_format CAB archive file binaries (upload)
info Microsoft_Office_File_Zero Microsoft Office File binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)

Network (10cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://prestige-castom.com:2351/hnbidn
whois
Unknown 162.33.179.65 37159 mailcious
http://prestige-castom.com:2351/dflqow
whois
Unknown 162.33.179.65 37159 mailcious
http://prestige-castom.com:2351/
whois
Unknown 162.33.179.65 37159 mailcious
http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt
whois
US AMAZON-AES 54.174.96.153 clean
http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt
whois
US AMAZON-AES 54.174.96.153 clean
www.ssl.com
whois
US AMAZON-AES 54.174.96.153 clean
vintagecarsforlife.com
whois
Unknown 162.33.179.65 clean
prestige-castom.com
whois
Unknown 162.33.179.65 mailcious
162.33.179.65
whois
Unknown 162.33.179.65 mailcious
54.236.82.84
whois
US AMAZON-AES 54.236.82.84 clean

Suricata ids

ET POLICY curl User-Agent Outbound
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP

Similarity measure (PE file only) - Checking for service failure