
Windows Analysis Report
gRo3W1D3VU.exe

Overview

General Information

Sample Name: gRo3W1D3VU.exe
Original Sample Name: 159be70701e7fe1d7d41ae092f1892f87d0cc615c829b16aa78a333e6a7aa923.exe
Analysis ID: 1287047
MD5: 99ca96aad19f9b58bfaa026e8b3e40da
SHA1: 11bfab7bc400bbeaec6a46eacbcdbcd490dd4640
SHA256: 159be70701e7fe1d7d41ae092f1892f87d0cc615c829b16aa78a333e6a7aa923
Tags: exe

Detection

Customer Loader
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Yara detected Customer Loader
C2 URLs / IPs found in malware configuration
Sample uses string decryption to hide its real strings
.NET source code contains potential unpacker
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
May sleep (evasive loops) to hinder dynamic analysis
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Contains long sleeps (>= 3 min)
Enables debug privileges

Classification

  • System is w10x64
  • gRo3W1D3VU.exe (PID: 7508 cmdline: C:\Users\user\Desktop\gRo3W1D3VU.exe MD5: 99CA96AAD19F9B58BFAA026E8B3E40DA)
  • cleanup
{"C2 url": "https://kyliansuperm92139124.shop/customer/914"}
Source | Rule | Description | Author | Strings
Process Memory Space: gRo3W1D3VU.exe PID: 7508 | JoeSecurity_CustomerLoader | Yara detected Customer Loader | Joe Security |
    No Sigma rule has matched
    No Snort rule has matched


    AV Detection

    Source: gRo3W1D3VU.exe | Malware Configuration Extractor: Customer Loader {"C2 url": "https://kyliansuperm92139124.shop/customer/914"}
    Source: gRo3W1D3VU.exe | Virustotal: Detection: 50%
    Source: gRo3W1D3VU.exe | ReversingLabs: Detection: 50%
    Source: https://kyliansuperm92139124.shop/customer/914 | Avira URL Cloud: Label: malware
    Source: https://kyliansuperm92139124.shop | Avira URL Cloud: Label: phishing
    Source: kyliansuperm92139124.shop | Virustotal: Detection: 17%
    Source: https://kyliansuperm92139124.shop | Virustotal: Detection: 11%
    Source: https://kyliansuperm92139124.shop/customer/914 | Virustotal: Detection: 20%
    Source: gRo3W1D3VU.exe | String decryptor: VirtualProtect
    Source: gRo3W1D3VU.exe | String decryptor: amsi.dll
    Source: gRo3W1D3VU.exe | String decryptor: AmsiScanBuffer
    Source: gRo3W1D3VU.exe | String decryptor: https://kyliansuperm92139124.shop/customer/914
    Source: gRo3W1D3VU.exe | String decryptor: !!!(.*?)!!!
    Source: gRo3W1D3VU.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

    Networking

    Source: Malware configuration extractor | URLs: https://kyliansuperm92139124.shop/customer/914
    Source: unknown | DNS traffic detected: query: kyliansuperm92139124.shop reply code: Server failure (2)
    Source: gRo3W1D3VU.exe, 00000000.00000002.368434168.0000016E64249000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: gRo3W1D3VU.exe, 00000000.00000002.368434168.0000016E64249000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://kyliansuperm92139124.shop
    Source: gRo3W1D3VU.exe, 00000000.00000002.368434168.0000016E641D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://kyliansuperm92139124.shop/customer/914
    Source: gRo3W1D3VU.exe, 00000000.00000002.368434168.0000016E64256000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://kyliansuperm92139124.shopx
    Source: unknown | DNS traffic detected: queries for: kyliansuperm92139124.shop
    Source: gRo3W1D3VU.exe | Static PE information: No import functions for PE file found
    Source: gRo3W1D3VU.exe | Binary or memory string: OriginalFilename vs gRo3W1D3VU.exe
    Source: gRo3W1D3VU.exe, 00000000.00000002.368211617.0000016E62432000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename vs gRo3W1D3VU.exe
    Source: gRo3W1D3VU.exe, 00000000.00000002.368233230.0000016E625E9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs gRo3W1D3VU.exe
    Source: gRo3W1D3VU.exe | Binary or memory string: OriginalFilename vs gRo3W1D3VU.exe
    Source: gRo3W1D3VU.exe | Virustotal: Detection: 50%
    Source: gRo3W1D3VU.exe | ReversingLabs: Detection: 50%
    Source: gRo3W1D3VU.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\gRo3W1D3VU.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\gRo3W1D3VU.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
    Source: gRo3W1D3VU.exe, .cs | Base64 encoded string: 'mQ/DK6Sa9sDTlXe4IA2CbdDNyPolTdFsIZKsK+9E84ic4hIGDN9u4sAlXAikHcB6'
    Source: C:\Users\user\Desktop\gRo3W1D3VU.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\gRo3W1D3VU.exe.log
    Source: classification engine | Classification label: mal92.troj.evad.winEXE@1/1@3/0
    Source: gRo3W1D3VU.exe, .cs | Cryptographic APIs: 'CreateDecryptor'
    Source: gRo3W1D3VU.exe, .cs | Cryptographic APIs: 'TransformFinalBlock'
    Source: C:\Users\user\Desktop\gRo3W1D3VU.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 identical entries)
    Source: gRo3W1D3VU.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: gRo3W1D3VU.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

    Data Obfuscation

    Source: Yara match | File source: Process Memory Space: gRo3W1D3VU.exe PID: 7508, type: MEMORYSTR
    Source: gRo3W1D3VU.exe, .cs | .Net Code: System.AppDomain.Load(byte[])
    Source: gRo3W1D3VU.exe | Static PE information: real checksum: 0xffb5 should be: 0x2a65
    Source: C:\Users\user\Desktop\gRo3W1D3VU.exe | Process information set: NOOPENFILEERRORBOX (33 identical entries)
    Source: C:\Users\user\Desktop\gRo3W1D3VU.exe TID: 7540 | Thread sleep time: -30000s >= -30000s
    Source: C:\Users\user\Desktop\gRo3W1D3VU.exe TID: 7532 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\Desktop\gRo3W1D3VU.exe | Thread delayed: delay time: 922337203685477 (2 identical entries)
    Source: gRo3W1D3VU.exe, 00000000.00000002.368334749.0000016E62692000.00000004.00000020.00020000.00000000.sdmp, gRo3W1D3VU.exe, 00000000.00000003.368035080.0000016E62691000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllgg
    Source: C:\Users\user\Desktop\gRo3W1D3VU.exe | Process token adjusted: Debug
    Source: C:\Users\user\Desktop\gRo3W1D3VU.exe | Memory allocated: page read and write | page guard
    Source: C:\Users\user\Desktop\gRo3W1D3VU.exe | Queries volume information: C:\Users\user\Desktop\gRo3W1D3VU.exe VolumeInformation
    Source: C:\Users\user\Desktop\gRo3W1D3VU.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    ATT&CK matrix (flattened in the original). Tactic columns: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control, Network Effects, Remote Service Effects, Impact. The techniques with matching signatures, with the number of matching signatures shown in the matrix in parentheses, are:
    Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (21), Software Packing (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (1)
    Discovery: Security Software Discovery (1), Virtualization/Sandbox Evasion (21), System Information Discovery (12), Remote System Discovery (1)
    Collection: Archive Collected Data (1)
    Command and Control: Non-Application Layer Protocol (1), Application Layer Protocol (11)
    All other cells of the matrix are unmatched technique placeholders.

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
