Windows Analysis Report
1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe

Overview

General Information

Sample name: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe
Analysis ID: 1543222
MD5: 10d36a1eb6b362367b88ffceebbf6574
SHA1: a9a27d0b1bc825e505c9c47bd7a8f1979e89e0c5
SHA256: 941ad066a2159ee0d3c8438970298af2c08694f636071cde3cc5f323903ebdf9
Tags: base64-decoded, exe, user-abuse_ch
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Blackshades
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected Blackshades RAT
AI detected suspicious sample
Deletes shadow drive data (may be related to ransomware)
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
May infect USB drives
PE file does not import any functions
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

AV Detection

Source: Yara match File source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE
Source: Submitted Sample Integrated Neural Analysis Model: Matched 88.1% probability
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe Joe Sandbox ML: detected
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe Binary or memory string: autorun.inf.exe
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe Binary or memory string: [AutoRun]
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe String found in binary or memory: http://api.ipify.org/
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe String found in binary or memory: http://freegeoip.net/xml/
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe String found in binary or memory: http://ip-api.com/json/

E-Banking Fraud

Source: Yara match File source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE

Spam, unwanted Advertisements and Ransom Demands

Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe Binary or memory string: cmd.exeU/C vssadmin.exe Delete Shadows /All /Quiet

System Summary

Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE Matched rule: QuasarRAT payload Author: ditekSHen
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe Static PE information: No import functions for PE file found
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe Binary or memory string: OriginalFilenameClient.exe" vs 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
Source: classification engine Classification label: mal72.rans.troj.evad.winEXE@0/0@0/0
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Malware Analysis System Evasion

Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe Binary or memory string: SBIEDLL.DLL[SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe Binary or memory string: vboxtray
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe Binary or memory string: VMwareService
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe Binary or memory string: VMwareTray
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe Binary or memory string: vboxservice
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe Binary or memory string: vmtoolsd
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe Binary or memory string: Program Manager
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe Binary or memory string: Shell_TrayWnd
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe Binary or memory string: Progman

Stealing of Sensitive Information

Source: Yara match File source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE

Remote Access Functionality

Source: Yara match File source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE
No contacted IP infos