popup

Report - setup0324_or.msi

Generic Malware Malicious Library CAB MSOffice File OS Processor Check
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2025.04.03 17:57 Machine s1_win7_x6403
Filename setup0324_or.msi
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Docusign Edit 2.7.3.39, Subject: Docusign Edit, Author: DocuSign, Keywords: Installer, Template: Intel;1033, Revision Number: {7ED0E642-88
AI Score Not founds Behavior Score
3.0
ZERO API file : clean
VT API (file) 17 detected (heavy, Babar, Kryptik, HTMF, Nemucod, dzzhbf, THREAT, TYPE, ARCHBOMB, GenInflated, Detected, ABTrojan, SHBQ, Azlw)
md5 d7f7fab6a91f6b2db5d9a3e95a7a679d
sha256 c646bcca5046a575acde3510dd03a5fe26d0b4aae36da41cd76f00b0cff49793
ssdeep 98304:XpoG6mSbsua9OIScdIa/OrkDqhfPx40oBjY02ftdJ6:YfWWcl2YD64/BjY7fHJ
imphash
impfuzzy
  Network IP location

Signature (8cnts)

Level Description
watch File has been identified by 17 AntiVirus engines on VirusTotal as malicious
watch Rovnix Trojan
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Queries for the computername

Rules (5cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
info CAB_file_format CAB archive file binaries (upload)
info Microsoft_Office_File_Zero Microsoft Office File binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)

Network (7cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://sysoieaosgwoeesa.xyz:443/api/client_hello
whois
RU Gudaev Maxim Amrakhovich 92.118.112.155 43783 mailcious
http://sysoieaosgwoeesa.xyz:443/api/client/new
whois
RU Gudaev Maxim Amrakhovich 92.118.112.155 44067 mailcious
http://sysoieaosgwoeesa.xyz:443/tasks/collect
whois
RU Gudaev Maxim Amrakhovich 92.118.112.155 44068 mailcious
http://sysoieaosgwoeesa.xyz:443/avast_update
whois
RU Gudaev Maxim Amrakhovich 92.118.112.155 44069 mailcious
http://sysoieaosgwoeesa.xyz:443/tasks/get_worker
whois
RU Gudaev Maxim Amrakhovich 92.118.112.155 44070 mailcious
sysoieaosgwoeesa.xyz
whois
RU Gudaev Maxim Amrakhovich 92.118.112.155 mailcious
92.118.112.155
whois
RU Gudaev Maxim Amrakhovich 92.118.112.155 mailcious

Suricata ids

ET HUNTING EXE Base64 Encoded potential malware
ET POLICY HTTP traffic on port 443 (POST)

Similarity measure (PE file only) - Checking for service failure