MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9806db6959eaf756dd803b51495ab2d9b2ef4aa0b7a902b268d07ab7af15748. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b9806db6959eaf756dd803b51495ab2d9b2ef4aa0b7a902b268d07ab7af15748
SHA3-384 hash: 70eebfb4fdb0832410e12d52649a1802dd4be0f9904d8fa8c73c96462d4ae771a88b244daee770528866d7a9608f5247
SHA1 hash: 41ff2c2f863df5e52c8ab28705cf1df1f633f15c
MD5 hash: 71d1b7ce025e5d50d245d777cf47b2ea
humanhash: diet-alpha-carolina-moon
File name:B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:9'533'452 bytes
First seen:2022-12-03 12:25:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9f4693fc0c511135129493f2161d1e86 (250 x Neshta, 15 x Formbook, 14 x AgentTesla)
ssdeep 196608:SAiDgpcQXledaHtC5/hABhZAbhKhnD7vyVGLi+Y3nZ/yy:fpcQXiNhChZAbhK2yipp
Threatray 873 similar samples on MalwareBazaar
TLSH T1ADA6338279C859B0C6A43D768BEABA7484387F111F6ACFD7B3593E0E11B11D04E39627
TrID 43.9% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
43.5% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
7.1% (.EXE) InstallShield setup (43053/19/16)
1.7% (.EXE) Win64 Executable (generic) (10523/12/4)
1.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon 84b4b494d48eacec (1 x njrat, 1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
5.189.138.247:7059

Intelligence

File Origin
# of uploads :
1
# of downloads :
197
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe
Verdict:
Malicious activity
Analysis date:
2022-12-03 12:25:57 UTC
Tags:
installer
Link:
https://app.any.run/tasks/3157c659-ed1e-4092-b50d-bab87819c643

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/342249/
Detection(s):
PUA.Win.Packer.Pequake-4
Create hunting rule

Win.Trojan.Neshta-157
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file in the Windows directory
Modifying an executable file
Creating a window
Searching for the window
Searching for synchronization primitives
Creating a file
Creating a file in the Program Files subdirectories
Enabling autorun with the shell\open\command registry branches
Infecting executable files
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware neshta overlay packed redline setupapi.dll shdocvw.dll shell32.dll virus windows
Link:
https://www.filescan.io/uploads/638b405bf6e448d42df7184a/reports/ab55093e-1502-4503-8447-d90d9ee10d42/overview
Result
Verdict:
MALICIOUS
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/afdd4e99-962b-4446-b20c-19113a67fd39
Result
Threat name:
Neshta, RedLine
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1127069
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
Tries to steal Crypto Currency Wallets
Yara detected Neshta
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 759793 Sample: B9806DB6959EAF756DD803B5149... Startdate: 03/12/2022 Architecture: WINDOWS Score: 100 52 Snort IDS alert for network traffic 2->52 54 Multi AV Scanner detection for domain / URL 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 11 other signatures 2->58 8 B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe 4 2->8         started        process3 file4 30 C:\Windows\svchost.com, PE32 8->30 dropped 32 C:\Users\user\Downloads\ChromeSetup.exe, PE32 8->32 dropped 34 B9806DB6959EAF756D...2D9B2EF4AA0B7A9.exe, PE32 8->34 dropped 36 26 other malicious files 8->36 dropped 64 Creates an undocumented autostart registry key 8->64 66 Drops PE files with a suspicious file extension 8->66 68 Drops executable to a common third party application directory 8->68 70 Infects executable files (exe, dll, sys, html) 8->70 12 B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe 3 24 8->12         started        signatures5 process6 file7 38 C:\Users\user\Desktop\arqc_gen\set up.exe, PE32 12->38 dropped 40 C:\Users\user\Desktop\arqc_gen\arqc_gen.exe, PE32 12->40 dropped 72 Antivirus detection for dropped file 12->72 74 Multi AV Scanner detection for dropped file 12->74 76 Machine Learning detection for dropped file 12->76 78 Drops executables to the windows directory (C:\Windows) and starts them 12->78 16 svchost.com 1 12->16         started        20 svchost.com 12->20         started        signatures8 process9 file10 28 C:\Windows\directx.sys, ASCII 16->28 dropped 44 Antivirus detection for dropped file 16->44 46 Multi AV Scanner detection for dropped file 16->46 48 Machine Learning detection for dropped file 16->48 50 Sample is not signed and drops a device driver 16->50 22 set up.exe 4 16->22         started        26 arqc_gen.exe 2 20->26         started        signatures11 process12 dnsIp13 42 5.189.138.247, 49700, 7059 CONTABODE Germany 22->42 60 Tries to steal Crypto Currency Wallets 22->60 62 Machine Learning detection for dropped file 26->62 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b9806db6959eaf756dd803b51495ab2d9b2ef4aa0b7a902b268d07ab7af15748/
Threat name:
Win32.Virus.Neshta
Create hunting rule
Status:
Malicious
First seen:
2022-10-21 20:47:53 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
26 of 26 (100.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xgag3nuvt2xxk3oyao2rjfnlfwns55fkbn5jakzgrud2w6xrk5ea._file
Verdict:
malicious
Similar samples:
0411663612d47e64b4ae08bd9c989141d00118fc327a1162eee523fb55df2520
RedLineStealer
16f75019c7de5d79c259d4b1f1003938bd6449ce3c49b28d6320bb43dd6bd82a
RedLineStealer
2551a9e1052a5b3cfcef38482db2a1b0d2b85f3889b0ebc9b0a9a77bbadc940d
RedLineStealer
52d2f039a91a25a6e2a14cf3701ce7ff42fad5134eaed25e9bd30606a4f85f60
RedLineStealer
8725f5edcadc9327d76c8d87e9ad054f7a4acc78f66c8cccd5272472f5201f46
RedLineStealer
9b1d91114fdc8c143afbedc2475e69a539c81d19eeee4ba9301da81b794efaf7
RedLineStealer
ce87832b753df5480849c61df4e05bfd2bfbd72af88ad52093a54555f3d96f0e
RedLineStealer
e9b5861c31edac2ccbf35a953c768ef15d221b448102123485ace59253388985
RedLineStealer
+ 863 additional samples on MalwareBazaar
Result
Malware family:
neshta
Create hunting rule
Score:
  10/10
Tags:
family:neshta persistence spyware stealer
Link:
https://tria.ge/reports/221203-pl6vysdf2w/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies system executable filetype association
Neshta
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3997e5d7-2aba-470a-a743-ba1841b10e06
Unpacked files
SH256 hash:
1d58dce892dc655f2f62a33cf64edd5267daf76fdb13bb5a2d50d5916fa621d0
MD5 hash:
530a4c309a5aff766b7268ab6ccdd4e9
SHA1 hash:
348c8358970ff1cb5cb2d3a20084d1c1a895a860
Link:
https://www.unpac.me/results/9ca481c0-0e36-4542-97c2-e7af16bc34f7/
SH256 hash:
b9806db6959eaf756dd803b51495ab2d9b2ef4aa0b7a902b268d07ab7af15748
MD5 hash:
71d1b7ce025e5d50d245d777cf47b2ea
SHA1 hash:
41ff2c2f863df5e52c8ab28705cf1df1f633f15c
Link:
https://www.unpac.me/results/9ca481c0-0e36-4542-97c2-e7af16bc34f7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b9806db6959eaf756dd803b51495ab2d9b2ef4aa0b7a902b268d07ab7af15748

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/342249/

Comments