MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8bb8271adc398661a408fc99b14a7d3797bd546b0b836f68a059c2f72948937. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c8bb8271adc398661a408fc99b14a7d3797bd546b0b836f68a059c2f72948937
SHA3-384 hash: 2b86ce3553af58ef6a416261947e3986c222059e2a5b454821a810595a05d479fad9e42e3908f974e79f0c9a8324a4a1
SHA1 hash: 07d7c3086947eebbc50d4effec7457d10b5d6d6f
MD5 hash: ef4de29fc64c97034c3f9a4b8015decc
humanhash: bacon-uniform-happy-indigo
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'647'552 bytes
First seen:2022-12-13 21:30:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9222d372923baed7aa9dfa28449a94ea (11 x AsyncRAT, 10 x RedLineStealer, 9 x NanoCore)
ssdeep 49152:nhuwLFNCFe99quL2SVHtaTKnY/o5cZachVoEnYf9+DwPKFZ7tq:nh9hNF9XLxVgKAo5rchVhEQPhq
Threatray 4'140 similar samples on MalwareBazaar
TLSH T114C5CE403E7CCE5BF0B95A3F6869DA14B97B5890D80B75923ED3039D2A31B447993AC3
TrID 53.5% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
19.8% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
8.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
4.4% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
2.8% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):PE icon
dhash icon 3232b2b2b2b2960e (1 x RedLineStealer)
Reporter jstrosch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-12-13 21:34:24 UTC
Tags:
trojan rat redline miner
Link:
https://app.any.run/tasks/9b1bcf56-0fa6-4913-90d6-7202526a1913

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CoinMiner02
Create hunting rule
Link:
https://www.capesandbox.com/analysis/346032/
Detection(s):
PUA.Win.Packer.Pequake-4
Create hunting rule

Win.Virus.Neshta-7101689-0
Create hunting rule

Win.Tool.Binder-9794371-0
Create hunting rule

Win.Trojan.Generic-9933689-0
Create hunting rule

Win.Trojan.Redline-9938775-1
Create hunting rule

Win.Packed.Lazy-9958163-0
Create hunting rule

Win.Trojan.Binder-6
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a file in the Windows directory
Modifying an executable file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file in the Program Files subdirectories
Reading critical registry keys
Creating a file in the %AppData% directory
Creating a window
Creating a process with a hidden window
Unauthorized injection to a recently created process
Enabling autorun with the shell\open\command registry branches
Stealing user critical data
Infecting executable files
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware neshta packed shell32.dll stealer
Link:
https://www.filescan.io/uploads/6398ef1a485d8463dc4167a3/reports/1bb596a2-c0a4-4e34-bad8-fbde1ad5b764/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/27e2fdd3-c770-4b2a-afcb-7ffb6e70d3bb
Result
Threat name:
Neshta, RedLine, Xmrig
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1133816
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Found strings related to Crypto-Mining
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sample is not signed and drops a device driver
Sigma detected: Xmrig
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Neshta
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 766540 Sample: file.exe Startdate: 13/12/2022 Architecture: WINDOWS Score: 100 112 xmr.2miners.com 2->112 128 Snort IDS alert for network traffic 2->128 130 Sigma detected: Xmrig 2->130 132 Malicious sample detected (through community Yara rule) 2->132 134 10 other signatures 2->134 15 file.exe 3 2->15         started        18 services64.exe 2->18         started        signatures3 process4 file5 108 C:\Users\user\AppData\Local\...\WINDOWS.EXE, PE32 15->108 dropped 110 C:\Users\user\AppData\...\SERVICES64.EXE, PE32 15->110 dropped 20 WINDOWS.EXE 4 15->20         started        24 SERVICES64.EXE 2 15->24         started        27 conhost.exe 2 18->27         started        process6 dnsIp7 92 C:\Windows\svchost.com, PE32 20->92 dropped 94 C:\Users\user\Desktop\file.exe, PE32 20->94 dropped 96 C:\Users\user\AppData\Local\...\DismHost.exe, PE32 20->96 dropped 98 71 other malicious files 20->98 dropped 138 Creates an undocumented autostart registry key 20->138 140 Drops PE files with a suspicious file extension 20->140 142 Infects executable files (exe, dll, sys, html) 20->142 29 WINDOWS.EXE 20->29         started        114 141.255.164.98, 15050, 49711, 49714 PLI-ASCH Switzerland 24->114 144 Adds a directory exclusion to Windows Defender 27->144 32 cmd.exe 27->32         started        file8 signatures9 process10 signatures11 154 Writes to foreign memory regions 29->154 156 Allocates memory in foreign processes 29->156 158 Creates a thread in another existing process (thread injection) 29->158 34 conhost.exe 4 29->34         started        38 conhost.exe 32->38         started        40 powershell.exe 32->40         started        process12 file13 90 C:\Users\user\AppData\...\services64.exe, PE32+ 34->90 dropped 136 Adds a directory exclusion to Windows Defender 34->136 42 cmd.exe 1 34->42         started        44 cmd.exe 1 34->44         started        47 cmd.exe 1 34->47         started        signatures14 process15 signatures16 49 services64.exe 42->49         started        52 conhost.exe 42->52         started        150 Uses schtasks.exe or at.exe to add and modify task schedules 44->150 152 Adds a directory exclusion to Windows Defender 44->152 54 powershell.exe 19 44->54         started        56 powershell.exe 17 44->56         started        58 conhost.exe 44->58         started        60 conhost.exe 47->60         started        62 schtasks.exe 1 47->62         started        process17 signatures18 116 Writes to foreign memory regions 49->116 118 Allocates memory in foreign processes 49->118 120 Creates a thread in another existing process (thread injection) 49->120 64 conhost.exe 3 6 49->64         started        process19 file20 86 C:\Users\user\AppData\...\sihost64.exe, PE32+ 64->86 dropped 88 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 64->88 dropped 122 Drops executables to the windows directory (C:\Windows) and starts them 64->122 124 Adds a directory exclusion to Windows Defender 64->124 126 Sample is not signed and drops a device driver 64->126 68 svchost.com 64->68         started        72 cmd.exe 64->72         started        74 conhost.exe 64->74         started        signatures21 process22 file23 100 C:\Program Files (x86)\...\ACCICONS.EXE, PE32 68->100 dropped 102 C:\Program Files (x86)\Java\...\unpack200.exe, PE32 68->102 dropped 104 C:\Program Files (x86)\Java\...\ssvagent.exe, PE32 68->104 dropped 106 14 other malicious files 68->106 dropped 146 Sample is not signed and drops a device driver 68->146 76 sihost64.exe 68->76         started        148 Adds a directory exclusion to Windows Defender 72->148 78 conhost.exe 72->78         started        80 powershell.exe 72->80         started        82 powershell.exe 72->82         started        signatures24 process25 process26 84 conhost.exe 76->84         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c8bb8271adc398661a408fc99b14a7d3797bd546b0b836f68a059c2f72948937/
Threat name:
Win32.Virus.Neshta
Create hunting rule
Status:
Malicious
First seen:
2022-12-13 21:31:12 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
25 of 26 (96.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zc5ye4nnyomgmgsar7ezwffh2n4xxvkgwc4dn5ukawoc64uure3q._file
Verdict:
malicious
Similar samples:
48eee6e4eedb7291e09cd68d3ff4f1608df7fb538be806d785a4e99cb77a9da2
RedLineStealer
529043b5fcef43623835319764499b2a4ddbae2477697f22aada0e09352b83c5
RedLineStealer
78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361
RedLineStealer
81fe52e70e3f0562d02591313a49d2b353bedc557fcc09d3d6093160de68f3d0
RedLineStealer
8c7068ecf9168d899f1e67971f0f20b590ece3c4e60d45bc0a90100eb111868a
RedLineStealer
a862ea441bd7820c5fd7faf9a43a4c455c38401f486e3b0dfabc84dd53193df9
RedLineStealer
ba7a55b17174de39cb44b553a52de3d0b3c979d37104a5ad1580cb97a8acc800
RedLineStealer
c8b8445f2852e90f152f6f469e61af5562850ae1814d8b93f7d7f3df0cb0b114
RedLineStealer
e103c29f6e8365d4ca9f843839556faadbb907060dbd711fa3119fe12944a635
RedLineStealer
+ 4'130 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:neshta family:redline family:xmrig discovery infostealer miner persistence spyware stealer
Link:
https://tria.ge/reports/221213-1c2qesaf9y/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
XMRig Miner payload
Detect Neshta payload
Modifies system executable filetype association
Neshta
RedLine
xmrig
Malware Config
C2 Extraction:
141.255.164.98:15050
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0ba287f2-38d4-4417-abae-9aae271201f4
Unpacked files
SH256 hash:
d5ece52a71f0de749b31eb99c506c8b9147f2b690b1f85a88c1ad0357540a6a9
MD5 hash:
b01db2780c5a1bbeb3b76e97eb5ea754
SHA1 hash:
c75b2d4e0c81fb42ccf8b6d7da6e3134b480c7dc
Detections:
win_neshta_g0
Create hunting rule
win_neshta_auto
Create hunting rule
Link:
https://www.unpac.me/results/d43d4f97-79f6-4d5b-85c5-4b52683b27cc/
Parent samples :
811d169ec93c76795798353e6fdf509271d61d3424acb7d709c34cc83511b0f9
cb15585aac621fef5710d7c2b6cc714d7d3283576717cd7738a0898d5b63a470
4dcd84003dc7b4d627193ce18034c71a3ee35980495d755d9bcf80a672eb544e
2e5b9ebfb2b81c5e512248e2e9224d1054defc4b027c0108fc10d268312ce290
68652defc71770065997b7d60a64a3959446a114a2ee17a443a15ae8b767f150
640315d3ee04d383d4b8702b0d29a11846139cb9505078440f2e67b2d9bc3cce
4608c3c211744ce283dac6c36cb7a2c0fd584ee440fa4f671bc270f1bc737ff0
c8bb8271adc398661a408fc99b14a7d3797bd546b0b836f68a059c2f72948937
cd23680ab97a8fa8c459690061e90ea0d48d19975900f1a0ee41ffcd76bbb311
313cabf464e7edf69744f94c3ea234fbb5d7b99daf2aff5492131a4ca9d08e00
60292e6be9d0d5e5f82a3382e4b69fcd19362b4c30a1829787dfc6ea5462a117
ec2ec99d719ccde3972abb4db0ef83eae6462f4697861529ead23d304c527d29
a8df709495ab9ea938880b1ebe744b33bc163b2fe576ce7e585caef7c846b718
a6077288d1353daaab0bf9092c357cd7f0712537def3ff3be60fa68da4e436ac
SH256 hash:
c8bb8271adc398661a408fc99b14a7d3797bd546b0b836f68a059c2f72948937
MD5 hash:
ef4de29fc64c97034c3f9a4b8015decc
SHA1 hash:
07d7c3086947eebbc50d4effec7457d10b5d6d6f
Link:
https://www.unpac.me/results/d43d4f97-79f6-4d5b-85c5-4b52683b27cc/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c8bb8271adc3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c8bb8271adc398661a408fc99b14a7d3797bd546b0b836f68a059c2f72948937

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Malware_QA_update
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:Malware_QA_update_RID2DAD
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:MALWARE_Win_Neshta
Create hunting rule
Author:ditekSHen
Description:Detects Neshta
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Neshta_Generic
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research
Rule name:MAL_Neshta_Generic_RID2DC9
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe c8bb8271adc398661a408fc99b14a7d3797bd546b0b836f68a059c2f72948937

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/346032/

Comments