File name: Grimoire.exe
Full analysis: https://app.any.run/tasks/aa634083-8dad-4a1d-b32b-1a2a052fb43c
Verdict: Malicious activity
Analysis date: June 05, 2024, 15:56:00
OS: Ubuntu 22.04.2
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 5A13C1D1CDC62A53CADD1766FBBDBEAE
SHA1: 969621C9EA19A9265C40364A7F1623998E454BEB
SHA256: BA56CAEF6DC6F01435232A689BF44BB37AEF36F36DAA3A4ACAD161CB41B3C6F5
SSDEEP: 196608:TKDYkzDDYkzrDYkznDYkz4DYkzgDYkzaDYkzcDYkz4DYkz:TKDYkzDDYkzrDYkznDYkz4DYkzgDYkze

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS: No malicious indicators.
  • SUSPICIOUS:
    • Checks DMI information (probably VM detection)
      • systemd-hostnamed (PID: 12464)
  • INFO: No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (41)
.exe | Win64 Executable (generic) (36.3)
.dll | Win32 Dynamic Link Library (generic) (8.6)
.exe | Win32 Executable (generic) (5.9)
.exe | Win16/32 Executable Delphi generic (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:02:20 19:10:15+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 3957760
InitializedDataSize: 500736
UninitializedDataSize: -
EntryPoint: 0x44600a
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.3.3.0
ProductVersionNumber: 1.3.3.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: An AQW bot client.
CompanyName: Ganku
FileDescription: Grimlite Rev
FileVersion: 1.3.3.0
InternalName: Grimoire.exe
LegalCopyright: Copyright © Ganku
LegalTrademarks: -
OriginalFileName: Grimoire.exe
ProductName: Grimlite Rev
ProductVersion: 1.3.3.0
AssemblyVersion: 1.3.3.0
No data.
All screenshots are available in the full report
Total processes: 225
Monitored processes: 12
Malicious processes: 0
Suspicious processes: 0

Behavior graph

Process nodes (all without specification tags): systemctl, systemctl, sh, file, sh, sudo, nautilus, locale-check, systemd-hostnamed, nautilus, file-roller, 7z

Process information

PID | CMD | Path | Parent process | User | Integrity Level | Exit code | Indicators
12443 | systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service | /usr/bin/systemctl | snapd | root | UNKNOWN | 0 | -
12444 | systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service | /usr/bin/systemctl | snapd | root | UNKNOWN | 0 | -
12445 | sh -c "file --mime-type /tmp/Grimoire\.exe" | /bin/sh | any-guest-agent | root | UNKNOWN | 0 | -
12446 | file --mime-type /tmp/Grimoire.exe | /usr/bin/file | sh | root | UNKNOWN | 0 | -
12447 | /bin/sh -c "DISPLAY=:0 sudo -iu user nautilus /tmp/Grimoire\.exe " | /bin/sh | any-guest-agent | user | UNKNOWN | - | -
12448 | sudo -iu user nautilus /tmp/Grimoire.exe | /usr/bin/sudo | sh | user | UNKNOWN | - | -
12449 | nautilus /tmp/Grimoire.exe | /usr/bin/nautilus | sudo | user | UNKNOWN | - | -
12450 | /usr/bin/locale-check C.UTF-8 | /usr/bin/locale-check | nautilus | user | UNKNOWN | 0 | -
12464 | /lib/systemd/systemd-hostnamed | /lib/systemd/systemd-hostnamed | systemd | root | UNKNOWN | 12449 | Checks DMI information (probably VM detection)
12471 | nautilus /tmp/Grimoire.exe | /usr/bin/nautilus | nautilus | user | UNKNOWN | 482 | -
Executable files: 0
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
12449 | nautilus | /home/user/.local/share/recently-used.xbel | xml | - | -
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 12
DNS requests: 11
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 204 | 91.189.91.49:80 | http://connectivity-check.ubuntu.com/ | unknown | - | - | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
470 | avahi-daemon | 224.0.0.251:5353 | - | - | - | unknown
- | - | 91.189.91.49:80 | - | Canonical Group Limited | US | unknown
- | - | 185.125.190.97:80 | - | Canonical Group Limited | GB | unknown
- | - | 212.102.56.181:443 | odrs.gnome.org | Datacamp Limited | DE | unknown
- | - | 185.125.188.55:443 | api.snapcraft.io | Canonical Group Limited | GB | unknown
- | - | 185.125.188.54:443 | api.snapcraft.io | Canonical Group Limited | GB | unknown
- | - | 185.125.188.59:443 | api.snapcraft.io | Canonical Group Limited | GB | unknown
- | - | 185.125.188.58:443 | api.snapcraft.io | Canonical Group Limited | GB | unknown

DNS requests

Domain
IP
Reputation
odrs.gnome.org
unknown
api.snapcraft.io
  • 185.125.188.55
  • 185.125.188.54
  • 185.125.188.59
  • 185.125.188.58
unknown
193.100.168.192.in-addr.arpa
unknown
connectivity-check.ubuntu.com
unknown

Threats

No threats detected
No debug info