Windows Analysis Report: Fizzy Loader.exe
Overview
General Information
Detection
Blank Grabber, Umbral Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Blank Grabber
Yara detected Umbral Stealer
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Windows Defender protection settings
Modifies the hosts file
Self deletion via cmd or bat file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious Startup Folder Persistence
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses attrib.exe to hide files
Uses ping.exe to check the status of other devices and networks
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: SCR File Write Event
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Screensaver Binary File Creation
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
- Fizzy Loader.exe (PID: 1708, cmdline: "C:\Users\user\Desktop\Fizzy Loader.exe", MD5: B56AF795F8B7EDC6F35A9E905921ED0E)
  - WMIC.exe (PID: 1996, cmdline: "wmic.exe" csproduct get uuid, MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    - conhost.exe (PID: 1440, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - attrib.exe (PID: 5080, cmdline: "attrib.exe" +h +s "C:\Users\user\Desktop\Fizzy Loader.exe", MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
    - conhost.exe (PID: 6656, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 5688, cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Fizzy Loader.exe', MD5: 04029E121A0CFA5991749937DD22A1D9)
    - conhost.exe (PID: 3876, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - WmiPrvSE.exe (PID: 4568, cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding, MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
  - powershell.exe (PID: 6156, cmdline: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2, MD5: 04029E121A0CFA5991749937DD22A1D9)
    - conhost.exe (PID: 6504, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 1892, cmdline: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY, MD5: 04029E121A0CFA5991749937DD22A1D9)
    - conhost.exe (PID: 4308, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 428, cmdline: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY, MD5: 04029E121A0CFA5991749937DD22A1D9)
    - conhost.exe (PID: 4820, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - WMIC.exe (PID: 6552, cmdline: "wmic.exe" os get Caption, MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    - conhost.exe (PID: 3136, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - WMIC.exe (PID: 4308, cmdline: "wmic.exe" computersystem get totalphysicalmemory, MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    - conhost.exe (PID: 3720, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - WMIC.exe (PID: 7156, cmdline: "wmic.exe" csproduct get uuid, MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    - conhost.exe (PID: 5000, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 1308, cmdline: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER, MD5: 04029E121A0CFA5991749937DD22A1D9)
    - conhost.exe (PID: 7124, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - WMIC.exe (PID: 432, cmdline: "wmic" path win32_VideoController get name, MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    - conhost.exe (PID: 6428, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - cmd.exe (PID: 3560, cmdline: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\Desktop\Fizzy Loader.exe" && pause, MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    - conhost.exe (PID: 3836, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
    - PING.EXE (PID: 5656, cmdline: ping localhost, MD5: 2F46799D79D22AC72C241EC0322B011D)
- cleanup
{"C2 url": "https://discord.com/api/webhooks/1323224754576166912/ngAQr5IRg8PVqlg_GePwPe46g-WcVmFR7-gQu1RH44lVF1JX9hv6jSy8rNgxBAU6LxYx", "Version": "v1.3"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security | |
| JoeSecurity_UmbralStealer | Yara detected Umbral Stealer | Joe Security | |
| INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security | |
| JoeSecurity_UmbralStealer | Yara detected Umbral Stealer | Joe Security | |
| JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security | |
| JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security | |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
System Summary
Source | Author |
---|---|
| Florian Roth (Nextron Systems) |
| Florian Roth (Nextron Systems) |