MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0166717b404b753bd02d798b428242405e6f6120ce71fbd7b0dd33b3f8de34af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0166717b404b753bd02d798b428242405e6f6120ce71fbd7b0dd33b3f8de34af
SHA3-384 hash: 7e91b0ba1b8e7e2eebe1dbc3be7825c48a60a3da7c588857158003310b1e1b4c474eb86477c2b0698af339ab06636807
SHA1 hash: 18aac4dbe441d79aa8513300c5c1a819efab1d53
MD5 hash: 3e545d11c01dcd525008387a6556d154
humanhash: cola-sodium-twenty-friend
File name:Sapphire Setup.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:832'512 bytes
First seen:2021-10-18 21:24:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4aa82b91dfdd0eea976043de209425e6 (5 x RedLineStealer, 1 x RaccoonStealer)
ssdeep 24576:G4mQPST6ih8bs5kfv0zxNLRNZVvDJOXkmyzhNFFuhk:G4mESGfbsmujHZVU+zhB
Threatray 15 similar samples on MalwareBazaar
TLSH T10605F886E9B3614DE392B2780B0D65910A421C77DB139AFF5FBDB91A31F26D18687303
File icon (PE):PE icon
dhash icon b36494a8cca2cc4d (6 x RedLineStealer, 1 x RaccoonStealer)
Reporter JaffaCakes118
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
263
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Sapphire Setup.exe
Verdict:
Malicious activity
Analysis date:
2021-10-18 21:24:08 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/c2e10297-5b34-4d95-a949-c013346aff0d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/198329/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a service
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
anti-debug packed
Link:
https://www.filescan.io/uploads/616de631db358dd15ec0f4bf/reports/14f38fe4-a5ca-448b-8732-3af1db88f16f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/09dca633-dc61-4b4a-9d52-1d381a09135f
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/872691
Signature
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0166717b404b753bd02d798b428242405e6f6120ce71fbd7b0dd33b3f8de34af/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-10-18 21:25:08 UTC
AV detection:
14 of 45 (31.11%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
08e34fc9a01f4fd9017b61612d5eac56f1a28945c48d40908da62e430ac9a7d0
RedLineStealer
10a5bbeeb39216bde492a246b1b003bcb2d7c0895dea287b5f8ad4f3428ef3cc
RedLineStealer
54cc3426c8ad3f2d39543a8157843620af7108ea419589cc6755e77a31b96047
RedLineStealer
5c10cf9b9eb40cb03ff0f2af7e6ed3ce2807b47d2aebbd5586e485f50e7def60
RedLineStealer
6c2ad98af84288aff6f49ae92f9f71befbfaa4ac35d1a05b1441f1ce15124ee0
RedLineStealer
a739910a18c1ded77bca7f33c0ff47bf2ef0c049bf0d53d2f7c045d25659581b
RedLineStealer
b861fd048ceff8dca345ce5ab41b60c695d845258ecc3bf175a819ee42037f98
RedLineStealer
be97f2438f11faa0b836f9e01570d20e1e21c981c858a6bc8e144d6ced8c4157
RedLineStealer
f303ccc5cdf05114cedee459d0f66bf3b428e19054e2e3f1f001d945332ab6c0
RedLineStealer
+ 5 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@kulunchick_bot discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211018-z9l6kaehe3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
95.181.152.5:46927
Unpacked files
SH256 hash:
858a302a0b42f42411e98b6e1674657c4f081db2f3019b2c60b4283b8d093da6
MD5 hash:
d013c6f6ad0c8f842062ff21a4bcaba4
SHA1 hash:
7e326c51fb9e6cff70b3342fea5bc00ff600b2f0
Link:
https://www.unpac.me/results/8051e288-fb61-4379-b6c5-b8f2a2349415/
SH256 hash:
f6619ac020d230deaaef1c5aaf7632d80f07bc5feaafbc1c67cd0cd0f836a872
MD5 hash:
cdb566f65701c458bae6e7c1725ffa7f
SHA1 hash:
6f6d0a8c26a9e928b2a6f3426d960e1e84f604b8
Link:
https://www.unpac.me/results/8051e288-fb61-4379-b6c5-b8f2a2349415/
SH256 hash:
0166717b404b753bd02d798b428242405e6f6120ce71fbd7b0dd33b3f8de34af
MD5 hash:
3e545d11c01dcd525008387a6556d154
SHA1 hash:
18aac4dbe441d79aa8513300c5c1a819efab1d53
Link:
https://www.unpac.me/results/8051e288-fb61-4379-b6c5-b8f2a2349415/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/0166717b404b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0166717b404b753bd02d798b428242405e6f6120ce71fbd7b0dd33b3f8de34af

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 0166717b404b753bd02d798b428242405e6f6120ce71fbd7b0dd33b3f8de34af

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/198329/

Comments