
Windows Analysis Report
1742779744db24e1ffc5992156b451594c630d6727655b5a1fdf9aa26be2bd711053e4f4ba103.dat-decoded.exe

Overview

General Information

Sample name: 1742779744db24e1ffc5992156b451594c630d6727655b5a1fdf9aa26be2bd711053e4f4ba103.dat-decoded.exe
Analysis ID: 1646452
MD5: cea87fcb4cb28b8717fa57ce174baf89
SHA1: 1704af30ae986f403ba3b9cfefe56cc2e9021320
SHA256: b8aedabe16b7d21a53e6168e3ebf2e522927983bc7118f14514653455ba8fb55
Tags: base64-decoded, exe, user-abuse_ch
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

RedLine
Score:64
Range:0 - 100
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
PE file does not import any functions
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara detected Credential Stealer
Yara signature match

Classification

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
No configs have been found
Source | Rule | Description | Author
1742779744db24e1ffc5992156b451594c630d6727655b5a1fdf9aa26be2bd711053e4f4ba103.dat-decoded.exe | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
1742779744db24e1ffc5992156b451594c630d6727655b5a1fdf9aa26be2bd711053e4f4ba103.dat-decoded.exe | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
1742779744db24e1ffc5992156b451594c630d6727655b5a1fdf9aa26be2bd711053e4f4ba103.dat-decoded.exe | MALWARE_Win_Arechclient2 | Detects Arechclient2 RAT | ditekSHen
Strings matched by MALWARE_Win_Arechclient2:
      • 0xcd74c:$s14: keybd_event
      • 0xd4a70:$v1_1: grabber@
      • 0xce2bc:$v1_2: <BrowserProfile>k__
      • 0xced5c:$v1_3: <SystemHardwares>k__
      • 0xcee21:$v1_5: <ScannedWallets>k__
      • 0xcf266:$v1_8: <ScanBrowsers>k__BackingField
      • 0xcf2b8:$v1_8: <ScanWallets>k__BackingField
      • 0xcf2d5:$v1_8: <ScanScreen>k__BackingField
      • 0xbfef1:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost
      • 0xbf7fd:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
      No Sigma rule has matched
      No Suricata rule has matched


      AV Detection

Source: 1742779744db24e1ffc5992156b451594c630d6727655b5a1fdf9aa26be2bd711053e4f4ba103.dat-decoded.exe; ReversingLabs: Detection: 22%
Source: 1742779744db24e1ffc5992156b451594c630d6727655b5a1fdf9aa26be2bd711053e4f4ba103.dat-decoded.exe; Virustotal: Detection: 27%
Source: 1742779744db24e1ffc5992156b451594c630d6727655b5a1fdf9aa26be2bd711053e4f4ba103.dat-decoded.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

      System Summary

Source: 1742779744db24e1ffc5992156b451594c630d6727655b5a1fdf9aa26be2bd711053e4f4ba103.dat-decoded.exe, type: SAMPLE; Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 1742779744db24e1ffc5992156b451594c630d6727655b5a1fdf9aa26be2bd711053e4f4ba103.dat-decoded.exe; Static PE information: No import functions for PE file found
Source: 1742779744db24e1ffc5992156b451594c630d6727655b5a1fdf9aa26be2bd711053e4f4ba103.dat-decoded.exe; Binary or memory string: OriginalFilename dfgfghfghfghfghfgh.exe" vs 1742779744db24e1ffc5992156b451594c630d6727655b5a1fdf9aa26be2bd711053e4f4ba103.dat-decoded.exe
Source: 1742779744db24e1ffc5992156b451594c630d6727655b5a1fdf9aa26be2bd711053e4f4ba103.dat-decoded.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1742779744db24e1ffc5992156b451594c630d6727655b5a1fdf9aa26be2bd711053e4f4ba103.dat-decoded.exe, type: SAMPLE; Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: classification engine; Classification label: mal64.troj.winEXE@0/0@0/0
Source: 1742779744db24e1ffc5992156b451594c630d6727655b5a1fdf9aa26be2bd711053e4f4ba103.dat-decoded.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 1742779744db24e1ffc5992156b451594c630d6727655b5a1fdf9aa26be2bd711053e4f4ba103.dat-decoded.exe; Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: 1742779744db24e1ffc5992156b451594c630d6727655b5a1fdf9aa26be2bd711053e4f4ba103.dat-decoded.exe; ReversingLabs: Detection: 22%
Source: 1742779744db24e1ffc5992156b451594c630d6727655b5a1fdf9aa26be2bd711053e4f4ba103.dat-decoded.exe; Virustotal: Detection: 27%
Source: 1742779744db24e1ffc5992156b451594c630d6727655b5a1fdf9aa26be2bd711053e4f4ba103.dat-decoded.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 1742779744db24e1ffc5992156b451594c630d6727655b5a1fdf9aa26be2bd711053e4f4ba103.dat-decoded.exe; Static PE information: section name: .text entropy: 6.863036007404867

      Stealing of Sensitive Information

Source: Yara match; File source: 1742779744db24e1ffc5992156b451594c630d6727655b5a1fdf9aa26be2bd711053e4f4ba103.dat-decoded.exe, type: SAMPLE
Source: Yara match; File source: 1742779744db24e1ffc5992156b451594c630d6727655b5a1fdf9aa26be2bd711053e4f4ba103.dat-decoded.exe, type: SAMPLE

      Remote Access Functionality

Source: Yara match; File source: 1742779744db24e1ffc5992156b451594c630d6727655b5a1fdf9aa26be2bd711053e4f4ba103.dat-decoded.exe, type: SAMPLE
MITRE ATT&CK Matrix (tactic: techniques; a number in parentheses is the count of matched signatures, unnumbered entries are unmatched matrix placeholders)

Reconnaissance: Gather Victim Identity Information; Credentials
Resource Development: Acquire Infrastructure; Domains
Initial Access: Valid Accounts; Default Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job
Persistence: Path Interception; Boot or Logon Initialization Scripts
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
Defense Evasion: Software Packing (1); Obfuscated Files or Information (1)
Credential Access: OS Credential Dumping; LSASS Memory
Discovery: System Service Discovery; Application Window Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media
Command and Control: Data Obfuscation; Junk Data
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Impact: Abuse Accessibility Features; Network Denial of Service
Behavior Graph (figure omitted)

Behavior Graph ID: 1646452
Sample: 1742779744db24e1ffc5992156b...
Start date: 24/03/2025
Architecture: WINDOWS
Score: 64
Signatures attached to the start node:
• Malicious sample detected (through community Yara rule)
• Multi AV Scanner detection for submitted file
• Yara detected RedLine Stealer

Source | Detection | Scanner
1742779744db24e1ffc5992156b451594c630d6727655b5a1fdf9aa26be2bd711053e4f4ba103.dat-decoded.exe | 22% | ReversingLabs
1742779744db24e1ffc5992156b451594c630d6727655b5a1fdf9aa26be2bd711053e4f4ba103.dat-decoded.exe | 27% | Virustotal
      No Antivirus matches
      No contacted domains info
      No contacted IP infos
      Joe Sandbox version:42.0.0 Malachite
      Analysis ID:1646452
      Start date and time:2025-03-24 02:46:16 +01:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 1m 36s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
      Number of analysed new started processes analysed:6
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:1742779744db24e1ffc5992156b451594c630d6727655b5a1fdf9aa26be2bd711053e4f4ba103.dat-decoded.exe
      Detection:MAL
      Classification:mal64.troj.winEXE@0/0@0/0
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Unable to launch sample, stop analysis
      • No process behavior to analyse as no analysis process or sample was found
      • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.
      • Exclude process from analysis (whitelisted): dllhost.exe, SgrmBroker.exe, svchost.exe
      • Excluded IPs from analysis (whitelisted): 184.31.69.3
      • Excluded domains from analysis (whitelisted): fs.microsoft.com
      No simulations
      No context
      No created / dropped files found
      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
      Entropy (8bit):6.862408863716844
      TrID:
      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
      • Win32 Executable (generic) a (10002005/4) 49.75%
      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
      • Windows Screen Saver (13104/52) 0.07%
      • Generic Win/DOS Executable (2004/3) 0.01%
      File name:1742779744db24e1ffc5992156b451594c630d6727655b5a1fdf9aa26be2bd711053e4f4ba103.dat-decoded.exe
      File size:874'934 bytes
      MD5:cea87fcb4cb28b8717fa57ce174baf89
      SHA1:1704af30ae986f403ba3b9cfefe56cc2e9021320
      SHA256:b8aedabe16b7d21a53e6168e3ebf2e522927983bc7118f14514653455ba8fb55
      SHA512:7dc7d9a7533cea14ff8beb3a394c61983e7bceaaa158c71c9f1b6449cdb6a0bc2a1a528fbfd59f7daeaf6e1d2bdf46c62f1f0a70f6ff20b59f5d9f485d691e6d
      SSDEEP:12288:Z3J1Kkyfg+sxNJXMHPvqsE79SrAeWNmTs3O0ixOzh2tIA37d89j:xKNgXePXrA209Mt9S
      TLSH:97155AED3F039E23C9E8677A88EF2C05A2A12697DD40796DC96C94C05E9134DB7D9EC0
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....f.g............................>.... ........@.. .......................@.............................................
      Icon Hash:90cececece8e8eb0
      Entrypoint:0x4cee3e
      Entrypoint Section:.text
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
      DLL Characteristics:
      Time Stamp:0x67D166AD [Wed Mar 12 10:49:17 2025 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:4
      OS Version Minor:0
      File Version Major:4
      File Version Minor:0
      Subsystem Version Major:4
      Subsystem Version Minor:0
      Import Hash:
      Instruction
      jo 00007F9C68B02292h
      dec ecx
      push eax
      inc edi
      insb
      outsd
      bound esp, dword ptr [ecx+6Ch]
      push eax
      jc 00007F9C68B02301h
      jo 00007F9C68B022F7h
      jc 00007F9C68B02306h
      imul esp, dword ptr [ebp+73h], 74654700h
      dec ecx
      push eax
      inc edi
      insb
      outsd
      bound esp, dword ptr [ecx+6Ch]
      push eax
      jc 00007F9C68B02301h
      jo 00007F9C68B022F7h
      jc 00007F9C68B02306h
      imul esp, dword ptr [ebp+73h], 426F5400h
      jns 00007F9C68B02306h
      add byte ptr [edi+65h], ah
      je 00007F9C68B022F1h
      inc esp
      popa
      jne 00007F9C68B022FEh
      je 00007F9C68B02292h
      inc ebx
      popad
      jo 00007F9C68B02306h
      jne 00007F9C68B02304h
      add byte ptr [edi+65h], ah
      je 00007F9C68B022F1h
      push esi
      popad
      insb
      jne 00007F9C68B022F7h
      add byte ptr [edx+61h], dl
      outsb
      outsd
      insd
      dec esi
      jne 00007F9C68B022FFh
      bound esp, dword ptr [ebp+72h]
      inc edi
      outsb
      jc 00007F9C68B022F4h
      je 00007F9C68B02301h
      jc 00007F9C68B02292h
      inc ecx
      jnc 00007F9C68B02293h
      dec ecx
      jnc 00007F9C68B022DEh
      je 00007F9C68B02307h
      jc 00007F9C68B022E2h
      jc 00007F9C68B022D6h
      imul esp, dword ptr [edi+69h], 65670074h
      je 00007F9C68B022F1h
      inc ebx
      insb
      imul esp, dword ptr [ebp+6Eh], 65730074h
      je 00007F9C68B022F1h
      push edx
      arpl word ptr [ebp+69h], sp
      jbe 00007F9C68B022F7h
      inc edx
      jne 00007F9C68B022F8h
      jc 000022E7h
      imul edi, dword ptr [edx+65h], 74657300h
      pop edi
      push ebx
      outsb
      inc edx
      jne 00007F9C68B022F8h
      jc 000022E7h
      imul edi, dword ptr [edx+65h], 74656700h
      pop edi
      push ebx
      outsd
      arpl word ptr [ebx+65h], bp
      je 00007F9C68B022D7h
      jc 00007F9C68B02304h
      outsd
      jc 00007F9C68B02292h
      push ebx
      outsd
      arpl word ptr [ebx+65h], bp
      je 00007F9C68B022D7h
      jc 00007F9C68B02304h
Data directories (Name | Virtual Address | Virtual Size | Is in Section)
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xcede4 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd0000 | 0x600 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd2000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections (Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics)
.text | 0x2000 | 0xcce44 | 0xcd000 | 5e70700af2340f2f07c26df36cbc9a5d | False | 0.5564750857469513 | data | 6.863036007404867 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xd0000 | 0x600 | 0x600 | 8e7c1e49b10e6605e1b3e718992e49a3 | False | 0.56640625 | data | 4.846053308928435 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xd2000 | 0xc | 0x200 | e5995c98c94dc4abac14e19059f89196 | False | 0.587890625 | data | 4.665568559516476 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
      No network behavior found
      No statistics
      No system behavior
      No disassembly