MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10b08331fe0140164426eb9c6f8c575fd87136e5d8282bfbb6eaf5b3b74126c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 18

Intelligence 18 IOCs YARA 10 File information Comments

SHA256 hash:	10b08331fe0140164426eb9c6f8c575fd87136e5d8282bfbb6eaf5b3b74126c2
SHA3-384 hash:	aa928e5c3fdaf149c929db24337c9b99752b19080a80a1701c8aaf2e1f840bd7e1235a1aa9e91430b4d04a73bb3d21eb
SHA1 hash:	54b13a1b358855617a4374371655f2ceec50280a
MD5 hash:	3cc37b2d7dfb352275da3ad57eeca945
humanhash:	robin-zebra-harry-arizona
File name:	QUOTATION REQUIRED.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'112'064 bytes
First seen:	2025-08-11 13:29:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep	24576:8tb20pkaCqT5TBWgNQ7a/FPVO7LI/y6A:lVg5tQ7a/F9Ez5
TLSH	T1B735CF2373DD8361C7725273BA667701AEBF782506A1F96B2FD8093DE920122521E773
TrID	40.3% (.EXE) Win64 Executable (generic) (10522/11/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4504/4/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
dhash icon	aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter	James_inthe_box
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

QUOTATION REQUIRED.exe

Verdict:

Malicious activity

Analysis date:

2025-08-11 13:32:42 UTC

Tags:

evasion snake keylogger stealer netreactor smtp

Link:

https://app.any.run/tasks/d855e204-8141-4084-9007-5b1397092823

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/20158/

Detection(s):

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6899f08fc633abe3908ddc84

Tags:

autoit emotet spam

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Launching a process

Сreating synchronization primitives

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Stealing user critical data

Unauthorized injection to a system process

Forced shutdown of a browser

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

adaptive-context anti-debug autoit compiled-script fingerprint keylogger microsoft_visual_cc packed

Link:

https://www.filescan.io/uploads/6899f08e9ef4d2ff7cf6396d/reports/6159cad7-f011-4578-8188-0628a78209de/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/10b08331fe0140164426eb9c6f8c575fd87136e5d8282bfbb6eaf5b3b74126c2

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/eaf5062e-55a4-47b6-b286-024a733d85f8

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/10b08331fe0140164426eb9c6f8c575fd87136e5d8282bfbb6eaf5b3b74126c2

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/10b08331fe0140164426eb9c6f8c575fd87136e5d8282bfbb6eaf5b3b74126c2/

Verdict:

Malicious

Threat:

Family.SNAKE

Link:

https://tip.neiki.dev/file/10b08331fe0140164426eb9c6f8c575fd87136e5d8282bfbb6eaf5b3b74126c2

Threat name:

Win32.Trojan.Egairtigado

Status:

Malicious

First seen:

2025-08-11 00:31:25 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ccyigmp6afabmrbg5oog7dcxl7mhcnxf3aucx65w5l23hn2be3ba._file

Verdict:

malicious

Label(s):

autoit

asyncrat

unc_loader_001

Similar samples:

error

RedLineStealer

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection discovery keylogger stealer

Link:

https://tria.ge/reports/250811-qr7j4svl13/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Snake Keylogger

Snake Keylogger payload

Snakekeylogger family

Verdict:

Malicious

Tags:

404Keylogger

YARA:

n/a

Link:

https://app.threat.zone/submission/6715442e-3ed2-4b76-9e4d-e024e1f48feb

Unpacked files

SH256 hash:

10b08331fe0140164426eb9c6f8c575fd87136e5d8282bfbb6eaf5b3b74126c2

MD5 hash:

3cc37b2d7dfb352275da3ad57eeca945

SHA1 hash:

54b13a1b358855617a4374371655f2ceec50280a

Link:

https://www.unpac.me/results/58c4b18c-5896-469f-be80-eb405debd2f9/

SH256 hash:

be611b361db2075fa58733b547719a55f074a975016e83c7be589ef8040ec9de

MD5 hash:

0f31d4d9b72edf3b96012a5d800f650d

SHA1 hash:

3d5243e7454ef62b19038e60c00c13029032c441

Detections:

win_samsam_auto

SUSP_OBF_NET_Reactor_Native_Stub_Jan24

MAL_Malware_Imphash_Mar23_1

MetaStealer_NET_Reactor_packer

MALWARE_Win_RedLine

Link:

https://www.unpac.me/results/58c4b18c-5896-469f-be80-eb405debd2f9/

SH256 hash:

f3e95a76bfaa378dc58e091c3fb555de6fb1e020cf2c09cf9e59142548e55bb0

MD5 hash:

6e294afa25a60aca88194d20fa07c5de

SHA1 hash:

a9a6bc5835f8b612bc441d1f34840d76e595704a

Detections:

win_404keylogger_g1

snake_keylogger

SUSP_OBF_NET_Reactor_Indicators_Jan24

RedLine_Campaign_June2021

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

MALWARE_Win_SnakeKeylogger

Link:

https://www.unpac.me/results/58c4b18c-5896-469f-be80-eb405debd2f9/

SH256 hash:

f324e734134ca7f49af74a4875d553c1d6a83efb84a3b4c6be5108d6d00f9721

MD5 hash:

b2fa1bc5cd15648917652af2cca83227

SHA1 hash:

b218b69f61175eac77c909bcb78dd359f4d270c9

Detections:

win_404keylogger_g1

snake_keylogger

SUSP_OBF_NET_Reactor_Indicators_Jan24

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

MALWARE_Win_SnakeKeylogger

Link:

https://www.unpac.me/results/58c4b18c-5896-469f-be80-eb405debd2f9/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/10b08331fe01/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/10b08331fe0140164426eb9c6f8c575fd87136e5d8282bfbb6eaf5b3b74126c2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	win_samsam_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	YahLover Create hunting rule
Author:	Kevin Falcoz
Description:	YahLover

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/20158/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample