MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 640315d3ee04d383d4b8702b0d29a11846139cb9505078440f2e67b2d9bc3cce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 640315d3ee04d383d4b8702b0d29a11846139cb9505078440f2e67b2d9bc3cce
SHA3-384 hash: 9e3b7c569773154e3fb96fc06a68ecc46c014031adc6dfd1951b447fabac67090ee307d5faff97af1e0c9f2b09c4fa5c
SHA1 hash: ca8ed668e3a085a139d0556432c4952bc92465dd
MD5 hash: 6116ee354179f3ec68a629da23323a3b
humanhash: bulldog-oxygen-four-india
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'511'872 bytes
First seen:2022-12-13 21:30:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9222d372923baed7aa9dfa28449a94ea (11 x AsyncRAT, 10 x RedLineStealer, 9 x NanoCore)
ssdeep 49152:2OuwLFNCFe99quL2SVHtaTKnY/o5cZachVoEnYf9+DwPKFZ7tq:2O9hNF9XLxVgKAo5rchVhEQPhq
Threatray 4'142 similar samples on MalwareBazaar
TLSH T12EC5231077F8CE31E47B1A7F5872A100427BA8126922F6D77ACB27DC1E76780B827657
TrID 53.5% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
19.8% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
8.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
4.4% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
2.8% (.EXE) Win64 Executable (generic) (10523/12/4)
Reporter jstrosch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-12-13 21:31:54 UTC
Tags:
redline
Link:
https://app.any.run/tasks/5c3f50c1-f872-45eb-8ce6-b5523ef2b90d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CoinMiner02
Create hunting rule
Link:
https://www.capesandbox.com/analysis/346029/
Detection(s):
PUA.Win.Packer.Pequake-4
Create hunting rule

Win.Virus.Neshta-7101689-0
Create hunting rule

Win.Tool.Binder-9794371-0
Create hunting rule

Win.Trojan.Generic-9933689-0
Create hunting rule

Win.Trojan.Redline-9938775-1
Create hunting rule

Win.Packed.Lazy-9958163-0
Create hunting rule

Win.Trojan.Binder-6
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a file in the Windows directory
Modifying an executable file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file in the Program Files subdirectories
Reading critical registry keys
Creating a window
Creating a file in the %AppData% directory
Unauthorized injection to a recently created process
Enabling autorun with the shell\open\command registry branches
Stealing user critical data
Infecting executable files
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
coinminer greyware neshta packed redline shell32.dll stealer swisyn virus winlock
Link:
https://www.filescan.io/uploads/6398ef16a2c2485912c82688/reports/ea3843e8-2f68-4799-ae0a-3dcc9521732d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6ce752d9-2be8-47f2-ad41-2d49d81fb3d4
Result
Threat name:
Neshta, RedLine, SilentXMRMiner, Xmrig
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1133819
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Found strings related to Crypto-Mining
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sigma detected: Xmrig
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Neshta
Yara detected RedLine Stealer
Yara detected SilentXMRMiner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 766543 Sample: file.exe Startdate: 13/12/2022 Architecture: WINDOWS Score: 100 119 xmr.2miners.com 2->119 125 Snort IDS alert for network traffic 2->125 127 Sigma detected: Xmrig 2->127 129 Malicious sample detected (through community Yara rule) 2->129 131 12 other signatures 2->131 15 file.exe 3 2->15         started        18 services64.exe 2->18         started        signatures3 process4 file5 115 C:\Users\user\AppData\Local\...\WINDOWS.EXE, PE32 15->115 dropped 117 C:\Users\user\AppData\...\SERVICES64.EXE, PE32 15->117 dropped 20 WINDOWS.EXE 4 15->20         started        24 SERVICES64.EXE 2 15->24         started        27 conhost.exe 2 18->27         started        process6 dnsIp7 99 C:\Windows\svchost.com, PE32 20->99 dropped 101 C:\Users\user\Downloads\ChromeSetup.exe, PE32 20->101 dropped 103 C:\Users\user\Desktop\file.exe, PE32 20->103 dropped 105 91 other malicious files 20->105 dropped 145 Multi AV Scanner detection for dropped file 20->145 147 Creates an undocumented autostart registry key 20->147 149 Drops PE files with a suspicious file extension 20->149 153 2 other signatures 20->153 29 WINDOWS.EXE 20->29         started        121 141.255.164.98, 15050, 49698 PLI-ASCH Switzerland 24->121 151 Adds a directory exclusion to Windows Defender 27->151 32 cmd.exe 27->32         started        file8 signatures9 process10 signatures11 161 Multi AV Scanner detection for dropped file 29->161 163 Writes to foreign memory regions 29->163 165 Allocates memory in foreign processes 29->165 167 Creates a thread in another existing process (thread injection) 29->167 34 conhost.exe 4 29->34         started        169 Adds a directory exclusion to Windows Defender 32->169 38 powershell.exe 32->38         started        40 conhost.exe 32->40         started        42 powershell.exe 32->42         started        process12 file13 93 C:\Users\user\AppData\...\services64.exe, PE32+ 34->93 dropped 133 Adds a directory exclusion to Windows Defender 34->133 44 cmd.exe 34->44         started        46 cmd.exe 1 34->46         started        49 cmd.exe 1 34->49         started        135 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 38->135 signatures14 process15 signatures16 51 services64.exe 44->51         started        54 conhost.exe 44->54         started        171 Uses schtasks.exe or at.exe to add and modify task schedules 46->171 173 Adds a directory exclusion to Windows Defender 46->173 56 powershell.exe 19 46->56         started        58 powershell.exe 18 46->58         started        60 conhost.exe 46->60         started        62 conhost.exe 49->62         started        64 schtasks.exe 1 49->64         started        process17 signatures18 137 Multi AV Scanner detection for dropped file 51->137 66 conhost.exe 3 6 51->66         started        process19 file20 95 C:\Users\user\AppData\...\sihost64.exe, PE32+ 66->95 dropped 97 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 66->97 dropped 139 Drops executables to the windows directory (C:\Windows) and starts them 66->139 141 Adds a directory exclusion to Windows Defender 66->141 143 Sample is not signed and drops a device driver 66->143 70 svchost.com 1 66->70         started        74 cmd.exe 66->74         started        76 MpCmdRun.exe 66->76         started        78 conhost.exe 66->78         started        signatures21 process22 file23 107 C:\...\protocolhandler.exe, PE32 70->107 dropped 109 C:\Program Files (x86)\...\misc.exe, PE32 70->109 dropped 111 C:\Program Files (x86)\...\XLICONS.EXE, PE32 70->111 dropped 113 17 other malicious files 70->113 dropped 155 Multi AV Scanner detection for dropped file 70->155 157 Sample is not signed and drops a device driver 70->157 80 sihost64.exe 70->80         started        159 Adds a directory exclusion to Windows Defender 74->159 83 conhost.exe 74->83         started        85 powershell.exe 74->85         started        87 powershell.exe 74->87         started        89 conhost.exe 76->89         started        signatures24 process25 signatures26 123 Multi AV Scanner detection for dropped file 80->123 91 conhost.exe 80->91         started        process27
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/640315d3ee04d383d4b8702b0d29a11846139cb9505078440f2e67b2d9bc3cce/
Threat name:
Win32.Virus.Neshta
Create hunting rule
Status:
Malicious
First seen:
2022-12-11 20:34:02 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
36 of 41 (87.80%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mqbrlu7oatjyhvfyoavq2knbdbdbhhfzkbihqrapfzt3fwn4htha._file
Verdict:
malicious
Similar samples:
48eee6e4eedb7291e09cd68d3ff4f1608df7fb538be806d785a4e99cb77a9da2
RedLineStealer
529043b5fcef43623835319764499b2a4ddbae2477697f22aada0e09352b83c5
RedLineStealer
81fe52e70e3f0562d02591313a49d2b353bedc557fcc09d3d6093160de68f3d0
RedLineStealer
8c7068ecf9168d899f1e67971f0f20b590ece3c4e60d45bc0a90100eb111868a
RedLineStealer
a862ea441bd7820c5fd7faf9a43a4c455c38401f486e3b0dfabc84dd53193df9
RedLineStealer
ba7a55b17174de39cb44b553a52de3d0b3c979d37104a5ad1580cb97a8acc800
RedLineStealer
c8b8445f2852e90f152f6f469e61af5562850ae1814d8b93f7d7f3df0cb0b114
RedLineStealer
c8bb8271adc398661a408fc99b14a7d3797bd546b0b836f68a059c2f72948937
RedLineStealer
e103c29f6e8365d4ca9f843839556faadbb907060dbd711fa3119fe12944a635
RedLineStealer
+ 4'132 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:neshta family:redline family:xmrig discovery infostealer miner persistence spyware stealer
Link:
https://tria.ge/reports/221213-1c14wsaf9x/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
XMRig Miner payload
Detect Neshta payload
Modifies system executable filetype association
Neshta
RedLine
xmrig
Malware Config
C2 Extraction:
141.255.164.98:15050
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fb984f7d-5fba-464a-a8fa-79b987fe9979
Unpacked files
SH256 hash:
d5ece52a71f0de749b31eb99c506c8b9147f2b690b1f85a88c1ad0357540a6a9
MD5 hash:
b01db2780c5a1bbeb3b76e97eb5ea754
SHA1 hash:
c75b2d4e0c81fb42ccf8b6d7da6e3134b480c7dc
Detections:
win_neshta_g0
Create hunting rule
win_neshta_auto
Create hunting rule
Link:
https://www.unpac.me/results/1f6a3b09-e935-40f2-a992-4a2e00046584/
Parent samples :
811d169ec93c76795798353e6fdf509271d61d3424acb7d709c34cc83511b0f9
cb15585aac621fef5710d7c2b6cc714d7d3283576717cd7738a0898d5b63a470
4dcd84003dc7b4d627193ce18034c71a3ee35980495d755d9bcf80a672eb544e
2e5b9ebfb2b81c5e512248e2e9224d1054defc4b027c0108fc10d268312ce290
68652defc71770065997b7d60a64a3959446a114a2ee17a443a15ae8b767f150
640315d3ee04d383d4b8702b0d29a11846139cb9505078440f2e67b2d9bc3cce
4608c3c211744ce283dac6c36cb7a2c0fd584ee440fa4f671bc270f1bc737ff0
c8bb8271adc398661a408fc99b14a7d3797bd546b0b836f68a059c2f72948937
cd23680ab97a8fa8c459690061e90ea0d48d19975900f1a0ee41ffcd76bbb311
313cabf464e7edf69744f94c3ea234fbb5d7b99daf2aff5492131a4ca9d08e00
60292e6be9d0d5e5f82a3382e4b69fcd19362b4c30a1829787dfc6ea5462a117
ec2ec99d719ccde3972abb4db0ef83eae6462f4697861529ead23d304c527d29
a8df709495ab9ea938880b1ebe744b33bc163b2fe576ce7e585caef7c846b718
a6077288d1353daaab0bf9092c357cd7f0712537def3ff3be60fa68da4e436ac
SH256 hash:
640315d3ee04d383d4b8702b0d29a11846139cb9505078440f2e67b2d9bc3cce
MD5 hash:
6116ee354179f3ec68a629da23323a3b
SHA1 hash:
ca8ed668e3a085a139d0556432c4952bc92465dd
Link:
https://www.unpac.me/results/1f6a3b09-e935-40f2-a992-4a2e00046584/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/640315d3ee04/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/640315d3ee04d383d4b8702b0d29a11846139cb9505078440f2e67b2d9bc3cce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MacOS_Cryptominer_Generic_333129b7
Create hunting rule
Author:Elastic Security
Rule name:MacOS_Cryptominer_Xmrig_241780a1
Create hunting rule
Author:Elastic Security
Rule name:Malware_QA_update
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:Malware_QA_update_RID2DAD
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:MALWARE_Win_CoinMiner02
Create hunting rule
Author:ditekSHen
Description:Detects coinmining malware
Rule name:MALWARE_Win_Neshta
Create hunting rule
Author:ditekSHen
Description:Detects Neshta
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Neshta_Generic
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research
Rule name:MAL_Neshta_Generic_RID2DC9
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research
Rule name:MAL_XMR_Miner_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects Monero Crypto Coin Miner
Reference:https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Rule name:MAL_XMR_Miner_May19_1_RID2E1B
Create hunting rule
Author:Florian Roth
Description:Detects Monero Crypto Coin Miner
Reference:https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:rig_win64_xmrig_6_13_1_xmrig
Create hunting rule
Author:yarGen Rule Generator
Description:rig_win64 - file xmrig.exe
Reference:https://github.com/Neo23x0/yarGen
Rule name:XMRIG_Monero_Miner
Create hunting rule
Author:Florian Roth
Description:Detects Monero mining software
Reference:https://github.com/xmrig/xmrig/releases

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 640315d3ee04d383d4b8702b0d29a11846139cb9505078440f2e67b2d9bc3cce

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/346029/

Comments