Windows Analysis Report
173003262823b6cc165a3419f0fd6ed6638587bb7a63d217987710ec1ca75bd8d0099ba446878.dat-decoded.exe

Overview

General Information

Sample name: 173003262823b6cc165a3419f0fd6ed6638587bb7a63d217987710ec1ca75bd8d0099ba446878.dat-decoded.exe
Analysis ID: 1543227
MD5: 09afce20ac058ca516a2d99e20859c9a
SHA1: 4d83532c0c0d6da05f7319afd12b9984fec50f19
SHA256: 5cb3ab7507474cb16223f03f56c7fb773456d7f40fe32dc8062bdcb972dd7ef7
Tags: base64-decoded, exe, user-abuse_ch
Errors:
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

RedLine
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Yara detected RedLine Stealer
AI detected suspicious sample
Machine Learning detection for sample
PE file contains section with special chars
PE file contains sections with non-standard names
PE file does not import any functions
PE file overlay found
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara detected Credential Stealer
Yara signature match

Classification

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection

Source: 173003262823b6cc165a3419f0fd6ed6638587bb7a63d217987710ec1ca75bd8d0099ba446878.dat-decoded.exe Avira: detected
Source: Submitted Sample Integrated Neural Analysis Model: Matched 90.4% probability
Source: 173003262823b6cc165a3419f0fd6ed6638587bb7a63d217987710ec1ca75bd8d0099ba446878.dat-decoded.exe Joe Sandbox ML: detected
Source: 173003262823b6cc165a3419f0fd6ed6638587bb7a63d217987710ec1ca75bd8d0099ba446878.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

System Summary

Source: 173003262823b6cc165a3419f0fd6ed6638587bb7a63d217987710ec1ca75bd8d0099ba446878.dat-decoded.exe, type: SAMPLE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 173003262823b6cc165a3419f0fd6ed6638587bb7a63d217987710ec1ca75bd8d0099ba446878.dat-decoded.exe Static PE information: section name: @.relo
Source: 173003262823b6cc165a3419f0fd6ed6638587bb7a63d217987710ec1ca75bd8d0099ba446878.dat-decoded.exe Static PE information: section name: `.rsrc
Source: 173003262823b6cc165a3419f0fd6ed6638587bb7a63d217987710ec1ca75bd8d0099ba446878.dat-decoded.exe Static PE information: No import functions for PE file found
Source: 173003262823b6cc165a3419f0fd6ed6638587bb7a63d217987710ec1ca75bd8d0099ba446878.dat-decoded.exe Static PE information: Data appended to the last section found
Source: 173003262823b6cc165a3419f0fd6ed6638587bb7a63d217987710ec1ca75bd8d0099ba446878.dat-decoded.exe Binary or memory string: OriginalFilenamebluefin.exe" vs 173003262823b6cc165a3419f0fd6ed6638587bb7a63d217987710ec1ca75bd8d0099ba446878.dat-decoded.exe
Source: 173003262823b6cc165a3419f0fd6ed6638587bb7a63d217987710ec1ca75bd8d0099ba446878.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 173003262823b6cc165a3419f0fd6ed6638587bb7a63d217987710ec1ca75bd8d0099ba446878.dat-decoded.exe, type: SAMPLE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: classification engine Classification label: mal76.troj.winEXE@0/0@0/0
Source: 173003262823b6cc165a3419f0fd6ed6638587bb7a63d217987710ec1ca75bd8d0099ba446878.dat-decoded.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE
Source: 173003262823b6cc165a3419f0fd6ed6638587bb7a63d217987710ec1ca75bd8d0099ba446878.dat-decoded.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: 173003262823b6cc165a3419f0fd6ed6638587bb7a63d217987710ec1ca75bd8d0099ba446878.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 173003262823b6cc165a3419f0fd6ed6638587bb7a63d217987710ec1ca75bd8d0099ba446878.dat-decoded.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0xeb040e00
Source: 173003262823b6cc165a3419f0fd6ed6638587bb7a63d217987710ec1ca75bd8d0099ba446878.dat-decoded.exe Static PE information: section name: .text entropy: 6.848027103927844

Stealing of Sensitive Information

Source: Yara match File source: 173003262823b6cc165a3419f0fd6ed6638587bb7a63d217987710ec1ca75bd8d0099ba446878.dat-decoded.exe, type: SAMPLE

Remote Access Functionality

Source: Yara match File source: 173003262823b6cc165a3419f0fd6ed6638587bb7a63d217987710ec1ca75bd8d0099ba446878.dat-decoded.exe, type: SAMPLE

No contacted IP infos