Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Launcher.exe

Overview

General Information

Sample Name:Launcher.exe
Analysis ID:753414
MD5:ac30d9ee77f4a6e23dea621727579dc5
SHA1:9dc851e691a4af49882138ee7c5bac1dc126becd
SHA256:d8f1870f30298302fce860d7c56257f6a11e4689642c3d5367d2392db5356bed
Tags:185-206-213-32CosmicWayexeFakeGaliXCityRedLineStealerUniverseCity
Infos:

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Uses the Telegram API (likely for C&C communication)
Machine Learning detection for sample
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Binary contains a suspicious time stamp
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Enables debug privileges

Classification

Process Tree

  • System is w10x64
  • Launcher.exe (PID: 5948 cmdline: C:\Users\user\Desktop\Launcher.exe MD5: AC30D9EE77F4A6E23DEA621727579DC5)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Machine Learning detection for sample
Source: Launcher.exeJoe Sandbox ML: detected
Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49702 version: TLS 1.2
Source: Launcher.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Dima\Desktop\Ogooo\CosmicWay\obj\Release\UniverseCity.pdb source: Launcher.exe
Source: Binary string: C:\Users\Dima\Desktop\Ogooo\CosmicWay\obj\Release\UniverseCity.pdb+G source: Launcher.exe

Networking

barindex
Uses the Telegram API (likely for C&C communication)
Source: unknownDNS query: name: api.telegram.org
Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global trafficHTTP traffic detected: GET /bot5802716616:AAH_P81FtM2pxxnBzX9bl8iFQfHnI4qwKEs/sendMessage?chat_id=-1001729137879&text=5.0%20NEW%2020.11.2022%0A%E2%9C%85%D0%A3%D1%81%D0%BF%D0%B5%D1%88%D0%BD%D1%8B%D0%B9%20%D0%B7%D0%B0%D0%BF%D1%83%D1%81%D0%BA%20%D0%BB%D0%B0%D1%83%D0%BD%D1%87%D0%B5%D1%80%D0%B0:%20user%0A%D0%A1%D0%B0%D0%B9%D1%82:%20universecity%0A%D0%94%D0%B0%D1%82%D0%B0%2011/24/2022%207:35:59%20PM&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
Source: unknownNetwork traffic detected: HTTP traffic on port 49702 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49702
Source: Launcher.exe, 00000000.00000002.505090337.0000000002C24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.telegram.org
Source: Launcher.exe, 00000000.00000002.508132544.0000000005AE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Launcher.exe, 00000000.00000002.505158901.0000000002C45000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000002.504845482.0000000002B94000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000002.506057740.0000000002E88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/UniverseCity;component/Fonts/dosis.ttf
Source: Launcher.exe, 00000000.00000002.505158901.0000000002C45000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/UniverseCity;component/Fonts/montserrat-variablefont_wght.ttf
Source: Launcher.exe, 00000000.00000002.504845482.0000000002B94000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/UniverseCity;component/Images/img_downloadWhite.png
Source: Launcher.exe, 00000000.00000002.505158901.0000000002C45000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Fonts/dosis.ttf
Source: Launcher.exe, 00000000.00000002.505158901.0000000002C45000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Fonts/montserrat-variablefont_wght.ttf
Source: Launcher.exe, 00000000.00000002.504845482.0000000002B94000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Images/img_downloadWhite.png
Source: Launcher.exe, 00000000.00000002.505158901.0000000002C45000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/fonts/dosis.ttf
Source: Launcher.exe, 00000000.00000002.505158901.0000000002C45000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/fonts/montserrat-variablefont_wght.ttf
Source: Launcher.exe, 00000000.00000002.504845482.0000000002B94000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/images/img_downloadwhite.png
Source: Launcher.exe, 00000000.00000002.505046797.0000000002C16000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000002.504730568.0000000002B26000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Launcher.exe, 00000000.00000003.245277692.0000000005A0C000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000002.508004314.00000000059FF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://scripts.sil.org/OFL
Source: Launcher.exeString found in binary or memory: http://scripts.sil.org/OFLhttp://scripts.sil.org/OFLDosisExtraLightWeightLightMediumSemiBoldBoldExtr
Source: Launcher.exeString found in binary or memory: http://scripts.sil.org/OFLhttp://scripts.sil.org/OFLMontserratThinMontserratRomanWeightExtraLightLig
Source: Launcher.exe, 00000000.00000002.509592350.0000000009CA2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.impallari.com
Source: Launcher.exeString found in binary or memory: http://www.impallari.comThis
Source: Launcher.exe, 00000000.00000002.509592350.0000000009CA2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zkysky.com.ar/
Source: Launcher.exeString found in binary or memory: http://www.zkysky.com.ar/This
Source: Launcher.exe, 00000000.00000002.504845482.0000000002B94000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000002.505046797.0000000002C16000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram
Source: Launcher.exe, 00000000.00000002.505046797.0000000002C16000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000002.504730568.0000000002B26000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
Source: Launcher.exeString found in binary or memory: https://api.telegram.org/bot
Source: Launcher.exe, 00000000.00000002.504845482.0000000002B94000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot5802716616:AAH_P81FtM2pxxnBzX9bl8iFQfHnI4qwKEs/sendMessage
Source: Launcher.exe, 00000000.00000002.504730568.0000000002B26000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot5802716616:AAH_P81FtM2pxxnBzX9bl8iFQfHnI4qwKEs/sendMessage?chat_id=-1001
Source: Launcher.exe, 00000000.00000002.504547372.0000000002A81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/invite/universecity
Source: Launcher.exeString found in binary or memory: https://discord.com/invite/universecityGhttps://twitter.com/UniverseCityP2E3https://universe-city.io
Source: Launcher.exe, 00000000.00000002.509592350.0000000009CA2000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.245316162.0000000005A3B000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.245301155.0000000005A3B000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.245327352.0000000005A3B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/JulietaUla/Montserrat)
Source: Launcher.exeString found in binary or memory: https://github.com/JulietaUla/Montserrat)Montserrat
Source: Launcher.exe, 00000000.00000002.504547372.0000000002A81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://twitter.com/UniverseCityP2E
Source: Launcher.exe, 00000000.00000002.504547372.0000000002A81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://universe-city.io/
Source: Launcher.exeString found in binary or memory: https://universe-city.io/download/UniverseCity.zip
Source: unknownDNS traffic detected: queries for: api.telegram.org
Source: global trafficHTTP traffic detected: GET /bot5802716616:AAH_P81FtM2pxxnBzX9bl8iFQfHnI4qwKEs/sendMessage?chat_id=-1001729137879&text=5.0%20NEW%2020.11.2022%0A%E2%9C%85%D0%A3%D1%81%D0%BF%D0%B5%D1%88%D0%BD%D1%8B%D0%B9%20%D0%B7%D0%B0%D0%BF%D1%83%D1%81%D0%BA%20%D0%BB%D0%B0%D1%83%D0%BD%D1%87%D0%B5%D1%80%D0%B0:%20user%0A%D0%A1%D0%B0%D0%B9%D1%82:%20universecity%0A%D0%94%D0%B0%D1%82%D0%B0%2011/24/2022%207:35:59%20PM&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49702 version: TLS 1.2