MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd23680ab97a8fa8c459690061e90ea0d48d19975900f1a0ee41ffcd76bbb311. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RedLineStealer
Vendor detections: 16

SHA256 hash: cd23680ab97a8fa8c459690061e90ea0d48d19975900f1a0ee41ffcd76bbb311
SHA3-384 hash: 1a6ae27f9cf5277391c1b299ed7f2ec91bbe166b48983fdc34aab6d0c4c0b35bc721013899a2197c4a2090152b8a760b
SHA1 hash: 18dfd5d0b5ac95b58293c44c9e6169ebc6033470
MD5 hash: c5e023c10b3cc19d87babc449e5c31bc
humanhash: item-spring-three-west
File name: file
Signature: RedLineStealer
File size: 2'511'872 bytes
First seen: 2022-12-13 21:34:49 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9222d372923baed7aa9dfa28449a94ea (11 x AsyncRAT, 10 x RedLineStealer, 9 x NanoCore)
ssdeep: 49152:uluaHa6u22yP7SFTn2zoWkiGJKIZO/Tq4iYJCbtW07CH:ulYJyjSRSfk1JROe4iMyT
Threatray: 4'230 similar samples on MalwareBazaar
TLSH: T114C5222027F9CD31D076097FA8A1416587AFE842AC61F66B76C727CD0E32790F9176A3
TrID: 66.7% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
      10.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      5.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
      3.3% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
Reporter: jstrosch
Tags: exe RedLineStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 198
Origin country: n/a

Vendor Threat Intelligence

Malware family: redline
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2022-12-13 21:37:54 UTC
Tags: trojan rat redline miner

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a file in the Windows directory
Modifying an executable file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file in the Program Files subdirectories
Reading critical registry keys
Creating a file in the %AppData% directory
Creating a window
Creating a process with a hidden window
Unauthorized injection to a recently created process
Enabling autorun with the shell\open\command registry branches
Stealing user critical data
Infecting executable files
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware neshta packed shell32.dll stealer

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious

Result
Threat name: Neshta, RedLine, SilentXMRMiner, Xmrig
Detection: malicious
Classification: spre.troj.evad.mine
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Found strings related to Crypto-Mining
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sigma detected: Xmrig
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Neshta
Yara detected RedLine Stealer
Yara detected SilentXMRMiner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph ID: 766547 (sample: file.exe, start date: 13/12/2022, architecture: WINDOWS, score: 100)

Sample-level observations: DNS query for xmr.2miners.com; Snort IDS alert for network traffic; Sigma detected: Xmrig; Malicious sample detected (through community Yara rule); 11 other signatures.

Process tree as shown in the graph (dropped files and signatures listed under the process they are attributed to):

file.exe
  dropped: C:\Users\user\AppData\Local\...\WINDOWS.EXE (PE32); C:\Users\user\AppData\Local\Temp\STUB.EXE (PE32)
  STUB.EXE
    dropped: C:\Windows\svchost.com (PE32); C:\Users\user\Desktop\file.exe (PE32); C:\Users\user\AppData\Local\...\setup.exe (PE32); 107 other malicious files
    signatures: Creates an undocumented autostart registry key; Drops PE files with a suspicious file extension; Drops executable to a common third party application directory; Infects executable files (exe, dll, sys, html)
    STUB.EXE
      network: 141.255.164.98, 15050, 49717 (PLI-ASCH, Switzerland)
      signatures: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
  WINDOWS.EXE
    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
    conhost.exe
      dropped: C:\Users\user\AppData\...\services64.exe (PE32+)
      signatures: Adds a directory exclusion to Windows Defender
      cmd.exe
        services64.exe
          signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
          conhost.exe
            dropped: C:\Users\user\AppData\...\sihost64.exe (PE32+); C:\Users\user\AppData\Roaming\...\WR64.sys (PE32+)
            signatures: Drops executables to the windows directory (C:\Windows) and starts them; Adds a directory exclusion to Windows Defender; Sample is not signed and drops a device driver; Injects a PE file into a foreign processes
            svchost.com
              dropped: C:\Program Files (x86)\...\WORDICON.EXE (PE32); C:\Program Files (x86)\...\VPREVIEW.EXE (PE32); C:\Program Files (x86)\...\SETLANG.EXE (PE32); 3 other malicious files
              signatures: Sample is not signed and drops a device driver
              sihost64.exe
                conhost.exe
                  signatures: Adds a directory exclusion to Windows Defender
                  cmd.exe
                    signatures: Adds a directory exclusion to Windows Defender
            cmd.exe
              signatures: Adds a directory exclusion to Windows Defender
              conhost.exe; powershell.exe; powershell.exe
            conhost.exe
        conhost.exe
      cmd.exe
        signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
        powershell.exe; powershell.exe; conhost.exe
      cmd.exe
        conhost.exe; schtasks.exe
services64.exe
  signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
  conhost.exe
    signatures: Adds a directory exclusion to Windows Defender
    cmd.exe
      conhost.exe; powershell.exe; powershell.exe
Threat name: Win32.Trojan.RedLine
Status: Malicious
First seen: 2022-12-13 21:35:09 UTC
File Type: PE (Exe)
Extracted files: 7
AV detection: 25 of 26 (96.15%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:neshta family:redline family:xmrig discovery infostealer miner persistence spyware stealer
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
XMRig Miner payload
Detect Neshta payload
Modifies system executable filetype association
Neshta
RedLine
xmrig
Malware Config
C2 Extraction: 141.255.164.98:15050

Unpacked files
SHA256 hash: cd23680ab97a8fa8c459690061e90ea0d48d19975900f1a0ee41ffcd76bbb311
MD5 hash: c5e023c10b3cc19d87babc449e5c31bc
SHA1 hash: 18dfd5d0b5ac95b58293c44c9e6169ebc6033470
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MacOS_Cryptominer_Generic_333129b7
Author: Elastic Security

Rule name: MacOS_Cryptominer_Xmrig_241780a1
Author: Elastic Security

Rule name: Malware_QA_update
Author: Florian Roth
Description: VT Research QA uploaded malware - file update.exe
Reference: VT Research QA

Rule name: Malware_QA_update_RID2DAD
Author: Florian Roth
Description: VT Research QA uploaded malware - file update.exe
Reference: VT Research QA

Rule name: MALWARE_Win_CoinMiner02
Author: ditekSHen
Description: Detects coinmining malware

Rule name: MALWARE_Win_Neshta
Author: ditekSHen
Description: Detects Neshta

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: MAL_Neshta_Generic
Author: Florian Roth
Description: Detects Neshta malware
Reference: Internal Research

Rule name: MAL_Neshta_Generic_RID2DC9
Author: Florian Roth
Description: Detects Neshta malware
Reference: Internal Research

Rule name: MAL_XMR_Miner_May19_1
Author: Florian Roth
Description: Detects Monero Crypto Coin Miner
Reference: https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name: MAL_XMR_Miner_May19_1_RID2E1B
Author: Florian Roth
Description: Detects Monero Crypto Coin Miner
Reference: https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: rig_win64_xmrig_6_13_1_xmrig
Author: yarGen Rule Generator
Description: rig_win64 - file xmrig.exe
Reference: https://github.com/Neo23x0/yarGen

Rule name: XMRIG_Monero_Miner
Author: Florian Roth
Description: Detects Monero mining software
Reference: https://github.com/xmrig/xmrig/releases

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Signature: RedLineStealer
File: Executable exe cd23680ab97a8fa8c459690061e90ea0d48d19975900f1a0ee41ffcd76bbb311 (this sample)
Delivery method: Distributed via web download
