MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4608c3c211744ce283dac6c36cb7a2c0fd584ee440fa4f671bc270f1bc737ff0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4608c3c211744ce283dac6c36cb7a2c0fd584ee440fa4f671bc270f1bc737ff0
SHA3-384 hash: 98bcf918512c327719f3bb330dd48b3dd5ce7039898b9817fe2279edadb9c8759d59bf0d73d6d3ee63c6313894b8118b
SHA1 hash: 1ecb95b56b91dcae0e7477dded6fe2a0a9df8999
MD5 hash: 0c0b5fabe420813fe629aa06aba89c3a
humanhash: mars-uncle-nitrogen-blue
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'511'872 bytes
First seen:2022-12-13 21:30:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9222d372923baed7aa9dfa28449a94ea (11 x AsyncRAT, 10 x RedLineStealer, 9 x NanoCore)
ssdeep 49152:mXuwLFNCFe99quL2SVHtaTKnY/o5cZachVoEnYf9+DwPKFZ7tq:mX9hNF9XLxVgKAo5rchVhEQPhq
Threatray 4'143 similar samples on MalwareBazaar
TLSH T12AC5231077F8CE31E47B1A7F5832A100427BA8126922F6D77ACB27DC1E76780B927657
TrID 53.5% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
19.8% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
8.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
4.4% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
2.8% (.EXE) Win64 Executable (generic) (10523/12/4)
Reporter jstrosch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
191
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-12-13 21:31:54 UTC
Tags:
trojan rat redline miner
Link:
https://app.any.run/tasks/2ad97f60-e06d-44d4-9408-ee26bccfc70c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Neshta
Create hunting rule
Link:
https://www.capesandbox.com/analysis/346030/
Detection(s):
PUA.Win.Packer.Pequake-4
Create hunting rule

Win.Virus.Neshta-7101689-0
Create hunting rule

Win.Tool.Binder-9794371-0
Create hunting rule

Win.Trojan.Generic-9933689-0
Create hunting rule

Win.Trojan.Redline-9938775-1
Create hunting rule

Win.Packed.Lazy-9958163-0
Create hunting rule

Win.Trojan.Binder-6
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a file in the Windows directory
Modifying an executable file
Sending a custom TCP request
Creating a file in the Program Files subdirectories
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a process with a hidden window
Creating a window
Unauthorized injection to a recently created process
Enabling autorun with the shell\open\command registry branches
Stealing user critical data
Infecting executable files
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware neshta packed shell32.dll stealer
Link:
https://www.filescan.io/uploads/6398ef180c6473d1671aec15/reports/bf448fc7-1a3e-4634-9860-f66332b7af8f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cc2d326a-a1fe-4f58-943c-7438dcf8a8e7
Result
Threat name:
Neshta, RedLine, Xmrig
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1133818
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Found strings related to Crypto-Mining
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sigma detected: Xmrig
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Neshta
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 766542 Sample: file.exe Startdate: 13/12/2022 Architecture: WINDOWS Score: 100 120 xmr.2miners.com 2->120 126 Snort IDS alert for network traffic 2->126 128 Sigma detected: Xmrig 2->128 130 Malicious sample detected (through community Yara rule) 2->130 132 11 other signatures 2->132 15 file.exe 3 2->15         started        18 services64.exe 2->18         started        signatures3 process4 file5 116 C:\Users\user\AppData\...\XMR MINER BUILT.EXE, PE32 15->116 dropped 118 C:\Users\user\AppData\Local\...\REDLINE.EXE, PE32 15->118 dropped 21 XMR MINER BUILT.EXE 4 15->21         started        25 REDLINE.EXE 4 15->25         started        124 Multi AV Scanner detection for dropped file 18->124 28 conhost.exe 18->28         started        signatures6 process7 dnsIp8 94 C:\Windows\svchost.com, PE32 21->94 dropped 96 C:\Users\user\Downloads\ChromeSetup.exe, PE32 21->96 dropped 98 C:\Users\user\Desktop\file.exe, PE32 21->98 dropped 100 78 other malicious files 21->100 dropped 140 Creates an undocumented autostart registry key 21->140 142 Drops executable to a common third party application directory 21->142 144 Infects executable files (exe, dll, sys, html) 21->144 30 XMR MINER BUILT.EXE 21->30         started        122 141.255.164.98, 15050, 49700 PLI-ASCH Switzerland 25->122 146 Multi AV Scanner detection for dropped file 25->146 148 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 25->148 150 Adds a directory exclusion to Windows Defender 28->150 33 cmd.exe 28->33         started        35 cmd.exe 28->35         started        file9 signatures10 process11 signatures12 172 Writes to foreign memory regions 30->172 174 Allocates memory in foreign processes 30->174 176 Creates a thread in another existing process (thread injection) 30->176 37 conhost.exe 4 30->37         started        178 Adds a directory exclusion to Windows Defender 33->178 41 conhost.exe 33->41         started        43 powershell.exe 33->43         started        45 powershell.exe 33->45         started        47 conhost.exe 35->47         started        process13 file14 102 C:\Users\user\AppData\...\services64.exe, PE32+ 37->102 dropped 152 Adds a directory exclusion to Windows Defender 37->152 49 cmd.exe 1 37->49         started        51 cmd.exe 1 37->51         started        54 cmd.exe 1 37->54         started        signatures15 process16 signatures17 56 services64.exe 49->56         started        59 conhost.exe 49->59         started        134 Uses schtasks.exe or at.exe to add and modify task schedules 51->134 136 Adds a directory exclusion to Windows Defender 51->136 61 powershell.exe 17 51->61         started        63 powershell.exe 19 51->63         started        65 conhost.exe 51->65         started        67 conhost.exe 54->67         started        69 schtasks.exe 1 54->69         started        process18 signatures19 154 Writes to foreign memory regions 56->154 156 Allocates memory in foreign processes 56->156 158 Creates a thread in another existing process (thread injection) 56->158 71 conhost.exe 56->71         started        process20 file21 104 C:\Users\user\AppData\...\sihost64.exe, PE32+ 71->104 dropped 106 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 71->106 dropped 160 Drops executables to the windows directory (C:\Windows) and starts them 71->160 162 Adds a directory exclusion to Windows Defender 71->162 164 Sample is not signed and drops a device driver 71->164 75 svchost.com 71->75         started        79 cmd.exe 71->79         started        81 conhost.exe 71->81         started        signatures22 process23 file24 108 C:\...\protocolhandler.exe, PE32 75->108 dropped 110 C:\Program Files (x86)\...\misc.exe, PE32 75->110 dropped 112 C:\Program Files (x86)\...\XLICONS.EXE, PE32 75->112 dropped 114 30 other malicious files 75->114 dropped 166 Multi AV Scanner detection for dropped file 75->166 168 Sample is not signed and drops a device driver 75->168 83 sihost64.exe 75->83         started        170 Adds a directory exclusion to Windows Defender 79->170 86 conhost.exe 79->86         started        88 powershell.exe 79->88         started        90 powershell.exe 79->90         started        signatures25 process26 signatures27 138 Multi AV Scanner detection for dropped file 83->138 92 conhost.exe 83->92         started        process28
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4608c3c211744ce283dac6c36cb7a2c0fd584ee440fa4f671bc270f1bc737ff0/
Threat name:
Win32.Virus.Neshta
Create hunting rule
Status:
Malicious
First seen:
2022-12-13 21:31:11 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
25 of 26 (96.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iyemhqqrorgofa62y3bwzn5cyd6vqtxeid5e6zy3yjypdpdtp7ya._file
Verdict:
malicious
Similar samples:
48eee6e4eedb7291e09cd68d3ff4f1608df7fb538be806d785a4e99cb77a9da2
RedLineStealer
529043b5fcef43623835319764499b2a4ddbae2477697f22aada0e09352b83c5
RedLineStealer
640315d3ee04d383d4b8702b0d29a11846139cb9505078440f2e67b2d9bc3cce
RedLineStealer
81fe52e70e3f0562d02591313a49d2b353bedc557fcc09d3d6093160de68f3d0
RedLineStealer
8c7068ecf9168d899f1e67971f0f20b590ece3c4e60d45bc0a90100eb111868a
RedLineStealer
ba7a55b17174de39cb44b553a52de3d0b3c979d37104a5ad1580cb97a8acc800
RedLineStealer
c8b8445f2852e90f152f6f469e61af5562850ae1814d8b93f7d7f3df0cb0b114
RedLineStealer
c8bb8271adc398661a408fc99b14a7d3797bd546b0b836f68a059c2f72948937
RedLineStealer
e103c29f6e8365d4ca9f843839556faadbb907060dbd711fa3119fe12944a635
RedLineStealer
+ 4'133 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:neshta family:redline family:xmrig discovery infostealer miner persistence spyware stealer
Link:
https://tria.ge/reports/221213-1c14wsga53/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
XMRig Miner payload
Detect Neshta payload
Modifies system executable filetype association
Neshta
RedLine
xmrig
Malware Config
C2 Extraction:
141.255.164.98:15050
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/12bdfa6c-4759-4416-b0f6-eae9316f0490
Unpacked files
SH256 hash:
d5ece52a71f0de749b31eb99c506c8b9147f2b690b1f85a88c1ad0357540a6a9
MD5 hash:
b01db2780c5a1bbeb3b76e97eb5ea754
SHA1 hash:
c75b2d4e0c81fb42ccf8b6d7da6e3134b480c7dc
Detections:
win_neshta_g0
Create hunting rule
win_neshta_auto
Create hunting rule
Link:
https://www.unpac.me/results/a5064e57-4d4d-436e-ae67-a433a0466665/
Parent samples :
811d169ec93c76795798353e6fdf509271d61d3424acb7d709c34cc83511b0f9
cb15585aac621fef5710d7c2b6cc714d7d3283576717cd7738a0898d5b63a470
4dcd84003dc7b4d627193ce18034c71a3ee35980495d755d9bcf80a672eb544e
2e5b9ebfb2b81c5e512248e2e9224d1054defc4b027c0108fc10d268312ce290
68652defc71770065997b7d60a64a3959446a114a2ee17a443a15ae8b767f150
640315d3ee04d383d4b8702b0d29a11846139cb9505078440f2e67b2d9bc3cce
4608c3c211744ce283dac6c36cb7a2c0fd584ee440fa4f671bc270f1bc737ff0
c8bb8271adc398661a408fc99b14a7d3797bd546b0b836f68a059c2f72948937
cd23680ab97a8fa8c459690061e90ea0d48d19975900f1a0ee41ffcd76bbb311
313cabf464e7edf69744f94c3ea234fbb5d7b99daf2aff5492131a4ca9d08e00
60292e6be9d0d5e5f82a3382e4b69fcd19362b4c30a1829787dfc6ea5462a117
ec2ec99d719ccde3972abb4db0ef83eae6462f4697861529ead23d304c527d29
a8df709495ab9ea938880b1ebe744b33bc163b2fe576ce7e585caef7c846b718
a6077288d1353daaab0bf9092c357cd7f0712537def3ff3be60fa68da4e436ac
SH256 hash:
4608c3c211744ce283dac6c36cb7a2c0fd584ee440fa4f671bc270f1bc737ff0
MD5 hash:
0c0b5fabe420813fe629aa06aba89c3a
SHA1 hash:
1ecb95b56b91dcae0e7477dded6fe2a0a9df8999
Link:
https://www.unpac.me/results/a5064e57-4d4d-436e-ae67-a433a0466665/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4608c3c21174/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4608c3c211744ce283dac6c36cb7a2c0fd584ee440fa4f671bc270f1bc737ff0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Malware_QA_update
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:Malware_QA_update_RID2DAD
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:MALWARE_Win_Neshta
Create hunting rule
Author:ditekSHen
Description:Detects Neshta
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Neshta_Generic
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research
Rule name:MAL_Neshta_Generic_RID2DC9
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 4608c3c211744ce283dac6c36cb7a2c0fd584ee440fa4f671bc270f1bc737ff0

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/346030/

Comments