Edit tour

Windows Analysis Report
1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe

Overview

General Information

Sample name:	1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe
Analysis ID:	1543222
MD5:	10d36a1eb6b362367b88ffceebbf6574
SHA1:	a9a27d0b1bc825e505c9c47bd7a8f1979e89e0c5
SHA256:	941ad066a2159ee0d3c8438970298af2c08694f636071cde3cc5f323903ebdf9
Tags:	base64-decodedexeuser-abuse_ch
Infos:
Errors No process behavior to analyse as no analysis process or sample was found Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Blackshades

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Yara detected Blackshades RAT

AI detected suspicious sample

Deletes shadow drive data (may be related to ransomware)

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

May infect USB drives

PE file does not import any functions

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
BlackShades		No Attribution	http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html https://blog.malwarebytes.com/threat-analysis/2012/06/blackshades-in-syria/ https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-2-blackshades-net/ https://blog.malwarebytes.com/threat-analysis/2014/05/taking-off-the-blackshades/ https://www.secureworks.com/research/threat-profiles/aluminum-saratoga	https://malpedia.caad.fkie.fraunhofer.de/details/win.blackshades

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe	JoeSecurity_Blackshades	Yara detected Blackshades RAT	Joe Security
1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe	Windows_Trojan_Quasarrat_e52df647	unknown	unknown	0x376f7:$a1: GetKeyloggerLogsResponse 0x36e47:$a2: DoDownloadAndExecute 0x41ffb:$a3: http://api.ipify.org/ 0x3fb6f:$a4: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7} 0x40ebd:$a5: " /sc ONLOGON /tr "
1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x36c2d:$s1: DoUploadAndExecute 0x36e47:$s2: DoDownloadAndExecute 0x36a2e:$s3: DoShellExecute 0x36e0c:$s4: set_Processname 0x6e26:$op1: 04 1E FE 02 04 16 FE 01 60 0x6d47:$op2: 00 17 03 1F 20 17 19 15 28 0x77c5:$op3: 00 04 03 69 91 1B 40 0x8024:$op3: 00 04 03 69 91 1B 40
1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x376f7:$x1: GetKeyloggerLogsResponse 0x37943:$s1: DoShellExecuteResponse 0x372a4:$s2: GetPasswordsResponse 0x37810:$s3: GetStartupItemsResponse 0x36c41:$s5: RunHidden 0x36c62:$s5: RunHidden 0x36c70:$s5: RunHidden 0x36c84:$s5: RunHidden
1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x40e83:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 2F 00 74 00 6E 00 20 00 22 00 00 27 22 00 20 00 2F 00 ...
1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x376f7:$x3: GetKeyloggerLogsResponse 0x369a4:$x4: GetKeyloggerLogs 0x378cb:$s2: set_SystemInfos 0x36c6c:$s3: set_RunHidden 0x367f3:$s4: set_RemotePath 0x4887a:$s6: Client.exe 0x4890e:$s6: Client.exe 0x3165e:$s7: xClient.Core.ReverseProxy.Packets
1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe	xRAT_1	Detects Patchwork malware	Florian Roth	0x30461:$x4: xClient.Properties.Resources.resources 0x302ff:$s4: Client.exe 0x36c6c:$s7: set_RunHidden
1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe	CN_disclosed_20180208_KeyLogger_1	Detects malware from disclosed CN malware set	Florian Roth	0x4334e:$x2: Process already elevated. 0x34fc9:$x4: get_encryptedPassword 0x36e47:$x5: DoDownloadAndExecute
1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe	Quasar	detect Remcos in memory	JPCERT/CC Incident Response Group	0x4087c:$quasarstr1: [PRIVATE KEY LOCATION: "{0}"] 0x40490:$quasarstr2: User: {0}{3}Pass: {1}{3}Host: {2} 0x32277:$class: Core.MouseKeyHook.WinApi
1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x40740:$f1: FileZilla\recentservers.xml 0x40780:$f2: FileZilla\sitemanager.xml 0x407b4:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x3fd2b:$b1: Chrome\User Data\ 0x3fd8f:$b1: Chrome\User Data\ 0x40122:$b2: Mozilla\Firefox\Profiles 0x404f6:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x45437:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x40586:$b4: Opera Software\Opera Stable\Login Data 0x40636:$b5: YandexBrowser\User Data\ 0x406a8:$b5: YandexBrowser\User Data\ 0x3fed6:$s4: logins.json 0x3ff22:$s4: logins.json 0x40210:$s4: logins.json 0x3fa44:$a1: username_value 0x3fa62:$a2: password_value 0x34dfb:$a3: encryptedUsername 0x34fa1:$a3: encryptedUsername 0x34fb7:$a3: encryptedUsername 0x350ed:$a3: encryptedUsername 0x34e1e:$a4: encryptedPassword
1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe	MALWARE_Win_QuasarRAT	QuasarRAT payload	ditekSHen	0x376f7:$s1: GetKeyloggerLogsResponse 0x369a4:$s2: GetKeyloggerLogs 0x3f358:$s3: />Log created on 0x40490:$s4: User: {0}{3}Pass: {1}{3}Host: {2} 0x3fb6f:$s5: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7} 0x43ab3:$s6: grabber_ 0x43acf:$s6: grabber_ 0x32022:$s7: <virtualKeyCode> 0x32057:$s9: <keyboardHookStruct> 0x33076:$s10: add_OnHotKeysDown 0x330c8:$s10: add_OnHotKeysDown 0x41e63:$ua1: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 0x42978:$us2: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
Click to see the 6 entries

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Yara detected Blackshades RAT

Source: Yara match

File source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 88.1% probability

Machine Learning detection for sample

Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe

Joe Sandbox ML: detected

Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe	Binary or memory string: autorun.inf.exe
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe	Binary or memory string: [AutoRun]

Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe	String found in binary or memory: http://api.ipify.org/
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe	String found in binary or memory: http://freegeoip.net/xml/
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe	String found in binary or memory: http://ip-api.com/json/

E-Banking Fraud

Yara detected Blackshades RAT

Source: Yara match

File source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE

Spam, unwanted Advertisements and Ransom Demands

Deletes shadow drive data (may be related to ransomware)

Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe

Binary or memory string: cmd.exeU/C vssadmin.exe Delete Shadows /All /Quiet

System Summary

Malicious sample detected (through community Yara rule)

Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE	Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE	Matched rule: QuasarRAT payload Author: ditekSHen

Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe

Static PE information: No import functions for PE file found

Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe

Binary or memory string: OriginalFilenameClient.exe" vs 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe

Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE	Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE	Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE	Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload

Source: classification engine

Classification label: mal72.rans.troj.evad.winEXE@0/0@0/0

Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe

Binary or memory string: SBIEDLL.DLL[SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe	Binary or memory string: vboxtray
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe	Binary or memory string: VMwareService
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe	Binary or memory string: VMwareTray
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe	Binary or memory string: vboxservice
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe	Binary or memory string: vmtoolsd

Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe	Binary or memory string: Program Manager
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe	Binary or memory string: Shell_TrayWnd
Source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe	Binary or memory string: Progman

Stealing of Sensitive Information

Yara detected Blackshades RAT

Source: Yara match

File source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE

Remote Access Functionality

Yara detected Blackshades RAT

Source: Yara match

File source: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe, type: SAMPLE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Process Injection	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 File Deletion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 Peripheral Device Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://api.ipify.org/	1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe	false	unknown
http://freegeoip.net/xml/	1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe	false	unknown
http://ip-api.com/json/	1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe	false	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543222
Start date and time:	2024-10-27 13:38:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe
Detection:	MAL
Classification:	mal72.rans.troj.evad.winEXE@0/0@0/0
Cookbook Comments:	Found application associated with file extension: .exe Unable to launch sample, stop analysis

Errors

No process behavior to analyse as no analysis process or sample was found
Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 20.190.160.14, 40.126.32.74, 40.126.32.138, 40.126.32.76, 20.190.160.17, 40.126.32.140, 40.126.32.72, 40.126.32.68, 93.184.221.240
Excluded domains from analysis (whitelisted): client.wns.windows.com, prdv4a.aadg.msidentity.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, otelrules.afd.azureedge.net, wu.ec.azureedge.net, ctldl.windowsupdate.com, wu.azureedge.net, login.msa.msidentity.com, ocsp.digicert.com, login.live.com, ocsp.edge.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, azureedge-t-prod.trafficmanager.net, wu-b-net.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
VT rate limit hit for: 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	R40XD2LfcZ.exe	Get hash	malicious	Clipboard Hijacker	Browse	13.107.246.45
	LkCinYWgNh.exe	Get hash	malicious	Clipboard Hijacker	Browse	13.107.246.45
	https://duy38.r.ag.d.sendibm3.com/mk/cl/f/sh/1t6Af4OiGsF30wT9TF4ckLf3fAzx5z/28D7HenRXzOU	Get hash	malicious	LummaC	Browse	13.107.246.45
	VLOlHUwbRz.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	http://cio.krqe.com/gtdhffgjghfj3081868fB16927453Xe78849729yB17367Xb25vBr206268IG	Get hash	malicious	Unknown	Browse	13.107.246.45
	PWm04huq4U.ps1	Get hash	malicious	Unknown	Browse	13.107.246.45
	Tm02HnH2GG.ps1	Get hash	malicious	Unknown	Browse	13.107.246.45
	ODiEVZql8l.ps1	Get hash	malicious	Metasploit	Browse	13.107.246.45
	zFfvj25vqp.exe	Get hash	malicious	Metasploit, Meterpreter	Browse	13.107.246.45
	6GUgc6JYS1.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	13.107.246.45
fp2e7a.wpc.phicdn.net	v9dVG4fAGa.exe	Get hash	malicious	Clipboard Hijacker	Browse	192.229.221.95
	https://duy38.r.ag.d.sendibm3.com/mk/cl/f/sh/1t6Af4OiGsF30wT9TF4ckLf3fAzx5z/28D7HenRXzOU	Get hash	malicious	LummaC	Browse	192.229.221.95
	https://link.edgepilot.com/s/e9b35021/KNsrNVGwOUukNjaKm_560w?u=https://publicidadnicaragua.com/	Get hash	malicious	Unknown	Browse	192.229.221.95
	fd5P4igezR.exe	Get hash	malicious	Stealc	Browse	192.229.221.95
	http://cio.krqe.com/gtdhffgjghfj3081868fB16927453Xe78849729yB17367Xb25vBr206268IG	Get hash	malicious	Unknown	Browse	192.229.221.95
	loader.exe	Get hash	malicious	DCRat	Browse	192.229.221.95
	uIBGhwqEUB.ps1	Get hash	malicious	Meterpreter	Browse	192.229.221.95
	https://www.google.co.uk/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp/taxigiarebienhoa.vn/nini/ybmex/captcha/Z3VsYW1yYXN1bC5jaGVwdXdhbGFAY2V2YWxvZ2lzdGljcy5jb20	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	192.229.221.95
	receipt folder.lnk	Get hash	malicious	Unknown	Browse	192.229.221.95
	thcdVit1dX.exe	Get hash	malicious	Phorpiex	Browse	192.229.221.95

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.037357298782756
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe
File size:	299'114 bytes
MD5:	10d36a1eb6b362367b88ffceebbf6574
SHA1:	a9a27d0b1bc825e505c9c47bd7a8f1979e89e0c5
SHA256:	941ad066a2159ee0d3c8438970298af2c08694f636071cde3cc5f323903ebdf9
SHA512:	a727eb678ac4fa63cfda01d8d5dfe903e7b49066620a434ae812b75693996925d770fb6cf694222b044fdf99d69883bd6471d7185c477f09adc59b4d918c7975
SSDEEP:	6144:42Ut0t25Tdc9+WMFR5DLs5pNNMeFUheb/ekCFbkS8o:Au8TdwOFfspFU7bFbkSP
TLSH:	FC545A2527F8A93BD9AE1774F43142094F76FC07B516F38E6A5C19B82C2A34894937E3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................v............... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x44940e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x671BA1EB [Fri Oct 25 13:49:31 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
push ebp
or dword ptr [eax], eax
add al, byte ptr [ecx]
adc al, byte ptr [edx-6F7CED70h]
add eax, 12080207h
push ebp
or dword ptr [eax], eax
add al, byte ptr [ecx]
adc al, byte ptr [edx-6F7CED38h]
pop es
pop es
add edx, dword ptr [edx]
test byte ptr [ebp+00050E0Eh], bl
add byte ptr [edx], dl
test byte ptr [ebp+01020009h], bl
adc al, byte ptr [edx-6F7CED44h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x493c0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4a000	0x800	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x47414	0x47600	5a8fa2250f6130ba701aaa7fc22c44f2	False	0.42326031633099825	data	6.04194693164615	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x4a000	0x800	0x800	047491daa131f75e390b66b0e96e160d	False	0.533203125	data	5.571100057968862	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4c000	0xc	0x200	fba407d7a0c0e85763270a990f5e213c	False	0.572265625	data	5.081496601975842	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 27, 2024 13:39:22.009994984 CET	1.1.1.1	192.168.2.5	0xd659	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 13:39:22.009994984 CET	1.1.1.1	192.168.2.5	0xd659	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Oct 27, 2024 13:39:22.070885897 CET	1.1.1.1	192.168.2.5	0x1689	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 13:39:22.070885897 CET	1.1.1.1	192.168.2.5	0x1689	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Errors

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Network Behavior

DNS Answers

Statistics

System Behavior

Disassembly

Windows Analysis Report
1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe