Windows Analysis Report
17300326279186e286d8011f3b538be5fe09fea96cf622736b029b36a16f125b2e18b135f5130.dat-decoded.exe

Overview

General Information

Sample name: 17300326279186e286d8011f3b538be5fe09fea96cf622736b029b36a16f125b2e18b135f5130.dat-decoded.exe
Analysis ID: 1543228
MD5: f4ee3982121972780a4666680cf24fa5
SHA1: a894dfc5474469226cef8f660f9f4a2b0e4b0cd5
SHA256: 60e3c682298d5a701939cf96defd2329d1fbb2dfb1209496a05058eb669ed983
Tags: base64-decoded, exe, user-abuse_ch
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

RedLine
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected RedLine Stealer
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Binary contains a suspicious time stamp
PE file does not import any functions
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection

Source: 17300326279186e286d8011f3b538be5fe09fea96cf622736b029b36a16f125b2e18b135f5130.dat-decoded.exe Malware Configuration Extractor: RedLine {"C2 url": "185.216.71.25:31668", "Authorization Header": "5e2f20f6ca9c091fa0ae9c44b7109e34"}
Source: 17300326279186e286d8011f3b538be5fe09fea96cf622736b029b36a16f125b2e18b135f5130.dat-decoded.exe Joe Sandbox ML: detected
Source: 17300326279186e286d8011f3b538be5fe09fea96cf622736b029b36a16f125b2e18b135f5130.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 17300326279186e286d8011f3b538be5fe09fea96cf622736b029b36a16f125b2e18b135f5130.dat-decoded.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Malware configuration extractor URLs: 185.216.71.25:31668
Source: 17300326279186e286d8011f3b538be5fe09fea96cf622736b029b36a16f125b2e18b135f5130.dat-decoded.exe String found in binary or memory: https://api.ip.sb/ip
Source: 17300326279186e286d8011f3b538be5fe09fea96cf622736b029b36a16f125b2e18b135f5130.dat-decoded.exe Static PE information: No import functions for PE file found
Source: 17300326279186e286d8011f3b538be5fe09fea96cf622736b029b36a16f125b2e18b135f5130.dat-decoded.exe Binary or memory string: OriginalFilenameRudderless.exe8 vs 17300326279186e286d8011f3b538be5fe09fea96cf622736b029b36a16f125b2e18b135f5130.dat-decoded.exe
Source: 17300326279186e286d8011f3b538be5fe09fea96cf622736b029b36a16f125b2e18b135f5130.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal64.troj.winEXE@0/0@0/0
Source: 17300326279186e286d8011f3b538be5fe09fea96cf622736b029b36a16f125b2e18b135f5130.dat-decoded.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 17300326279186e286d8011f3b538be5fe09fea96cf622736b029b36a16f125b2e18b135f5130.dat-decoded.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: 17300326279186e286d8011f3b538be5fe09fea96cf622736b029b36a16f125b2e18b135f5130.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 17300326279186e286d8011f3b538be5fe09fea96cf622736b029b36a16f125b2e18b135f5130.dat-decoded.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: 17300326279186e286d8011f3b538be5fe09fea96cf622736b029b36a16f125b2e18b135f5130.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 17300326279186e286d8011f3b538be5fe09fea96cf622736b029b36a16f125b2e18b135f5130.dat-decoded.exe Static PE information: 0x811F5984 [Wed Aug 25 02:16:36 2038 UTC]

Stealing of Sensitive Information

Source: Yara match File source: 17300326279186e286d8011f3b538be5fe09fea96cf622736b029b36a16f125b2e18b135f5130.dat-decoded.exe, type: SAMPLE

Remote Access Functionality

Source: Yara match File source: 17300326279186e286d8011f3b538be5fe09fea96cf622736b029b36a16f125b2e18b135f5130.dat-decoded.exe, type: SAMPLE
No contacted IP infos