popup

Report - adob024.msi

Generic Malware Malicious Library MSOffice File CAB OS Processor Check
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2024.08.16 17:49 Machine s1_win7_x6403
Filename adob024.msi
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the l
AI Score Not founds Behavior Score
4.8
ZERO API file : mailcious
VT API (file) 12 detected (RemAdm, Atera, RemoteAdmin, RemoteAdminNET, Detected, ApplicUnwnt@#2s9re1zdfn0go, KNVS)
md5 acd50da7436621368061abc2ca6193fe
sha256 2ba7c24b984423bda7b4982b3b6e230a6c0f2dae44b580c6f02d133e625fd3bb
ssdeep 49152:U+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:U+lUlz9FKbsodq0YaH7ZPxMb8tT
imphash
impfuzzy
  Network IP location

Signature (12cnts)

Level Description
watch Attempts to create or modify system certificates
watch File has been identified by 12 AntiVirus engines on VirusTotal as malicious
watch One or more of the buffers contains an embedded PE file
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Queries for the computername

Rules (5cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
info CAB_file_format CAB archive file binaries (upload)
info Microsoft_Office_File_Zero Microsoft Office File binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)

Network (24cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
whois
US EDGECAST 152.195.38.76 clean
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAooSZl45YmN9AojjrilUug%3D
whois
US EDGECAST 152.195.38.76 clean
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
whois
US EDGECAST 152.195.38.76 clean
http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
whois
US EDGECAST 152.195.38.76 clean
http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
whois
US EDGECAST 152.195.38.76 clean
https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/e00905d4-3856-4887-b595-3b102a6ce467/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=12d00e9f-90ed-42bb-bf8d-a4cee20a83cf&tr=34&tt=17237979717852454&uuid=e00905d4-3856-4887-b5
whois
JP AMAZON-02 18.179.18.153 clean
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=c09e2018-679b-4892-8c17-f018f66a11f3&uuid=e00905d4-3856-4887-b595-3b102a6ce467
whois
JP AMAZON-02 18.179.18.153 clean
https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/e00905d4-3856-4887-b595-3b102a6ce467/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=33bc53d7-b38d-4443-ad4c-fe2237b03869&uuid=e00905d4-3856-4887-b595-3
whois
JP AMAZON-02 18.179.18.153 clean
https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/37.2/AgentPackageAgentInformation.zip?kHE0a4AHPD06sRT5dNr8CEGDDgxItT/NNHjAvqtYD5Vp1AfUa8Y22WAUqOM87JT+
whois
Unknown 18.67.51.98 clean
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=cd541e6a-2ba4-4a03-a00f-094ee2b67135&uuid=e00905d4-3856-4887-b595-3b102a6ce467
whois
JP AMAZON-02 18.179.18.153 clean
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=37d5c33a-d873-4f9c-819f-519051737e0b&uuid=e00905d4-3856-4887-b595-3b102a6ce467
whois
JP AMAZON-02 18.179.18.153 clean
https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/e00905d4-3856-4887-b595-3b102a6ce467/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=08d6e7fe-8c3c-4170-8f89-6cd210f9977f&tr=34&tt=17237979729901531&uuid=e00905d4-3856-4887-b5
whois
JP AMAZON-02 18.179.18.153 clean
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=00bd05cc-8d26-4ad1-94e7-04ee06e4e9a6&uuid=e00905d4-3856-4887-b595-3b102a6ce467
whois
JP AMAZON-02 18.179.18.153 clean
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=af4be7e1-0f14-4a01-ac83-33610d59f4ff&uuid=e00905d4-3856-4887-b595-3b102a6ce467
whois
JP AMAZON-02 18.179.18.153 clean
https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/e00905d4-3856-4887-b595-3b102a6ce467/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=b153a57e-499b-4ae8-b169-598fc179a7f6&tt=0&uuid=e00905d4-3856-4887-b595-3b102a6ce467
whois
JP AMAZON-02 18.179.18.153 clean
ocsp.digicert.com
whois
US EDGECAST 152.195.38.76 clean
ps.pndsn.com
whois
JP AMAZON-02 18.179.18.155 clean
cacerts.digicert.com
whois
US EDGECAST 152.195.38.76 clean
ps.atera.com
whois
Unknown 18.67.51.59 clean
agent-api.atera.com
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 20.37.139.187 clean
18.67.51.98
whois
Unknown 18.67.51.98 clean
20.37.139.187
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 20.37.139.187 clean
18.179.18.153
whois
JP AMAZON-02 18.179.18.153 clean
152.195.38.76
whois
US EDGECAST 152.195.38.76 clean

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

Similarity measure (PE file only) - Checking for service failure