Gruvvin.exe

Gruvvin

Motion Apps

The application Gruvvin.exe by Motion Apps has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Gruvvin’. This file is typically installed with the program Gruvvin by Motion Apps. While running, it connects to the Internet address server-54-230-78-74.cdg50.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
Motion Apps  (signed and verified)

Product:
Gruvvin

Version:
1.0.0.2

MD5:
03b7d0d9d155114c7628c6764b0fc3e6

SHA-1:
89ab9a287f603297ae9009d79dd7468559b41878

SHA-256:
d4de7b5e74eed7b8467f552863fbfb1d93552f4b67bf35f21e11744ee2e08549

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
10/17/2018 1:20:18 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.MotionApps.MIXXEN.Meta (L)

Engine version:
16.1.27.18

File size:
1.3 MB (1,343,960 bytes)

Product version:
1.0.0.2

Copyright:
Copyright © Motion Apps 2015

Original file name:
Gruvvin.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\gruvvin\gruvvin.exe

Digital Signature
Signed by:

Authority:
Symantec Corporation

Valid from:
1/15/2015 4:00:00 PM

Valid to:
1/16/2016 3:59:59 PM

Subject:
CN=Motion Apps, O=Motion Apps, L=St. Michael, S=St. Michael, C=BB

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
4D5A323507E2F1C319C9951AE49D855E

File PE Metadata
Compilation timestamp:
5/9/2015 9:14:08 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
12288:Nk+YAZdqkk6D0qTJ0bzDIAmkxsMpm/1z7iADFN1aU4mkLHggcdR/YS8fmaZ:/4kFTJ0bzDIAmDqmtauF39NC/aRYdmE

Entry address:
0x147BFE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
6.6890

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
1.3 MB (1,334,784 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Gruvvin

Command:
C:\users\{user}\appdata\local\gruvvin\gruvvin.exe -ros


The file Gruvvin.exe has been discovered within the following program.

Gruvvin  by Motion Apps
About 9% of users remove it
 
Powered by Should I Remove It?

The executing file has been seen to make the following network communications in live environments.

Powered by Reason Core Security