MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 106c6fcbfe6af29e20fa66915f533e4b38e2fa103b8b4d7ec88295d8fd511764. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 106c6fcbfe6af29e20fa66915f533e4b38e2fa103b8b4d7ec88295d8fd511764
SHA3-384 hash: db64bce4a6b3755d9399b2b3d1e140ad19a17a7068fd267994f37a899dc2912bd6adfb19941da82c1243c85047a39d5d
SHA1 hash: 72e4baa41ad987502daeb9cdcf83393f38141826
MD5 hash: 02820b28110c19f3084ba705a39e4956
humanhash: cardinal-glucose-princess-table
File name:緊急請求 [PO_2689068_june2025] ST89076.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:705'024 bytes
First seen:2025-06-26 06:39:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 21371b611d91188d602926b15db6bd48 (70 x Formbook, 35 x AgentTesla, 20 x RemcosRAT)
ssdeep 12288:Qz7hU5I5yuNHIgzSFKxWltRohBfSTso93UcULNBcUkC8RJKGbMTOhXQNhjpl:Qf+iN57Gtene3aBQXRJLbPi1
Threatray 53 similar samples on MalwareBazaar
TLSH T14EE42351A7812820C3655370883ACD8089753DB1AE11676FC72EFA5E6871387FEB3B5E
TrID 39.1% (.EXE) UPX compressed Win32 Executable (27066/9/6)
38.3% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
7.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.9% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter lowmal3
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
522
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
緊急請求 [PO_2689068_june2025] ST89076.exe
Verdict:
Malicious activity
Analysis date:
2025-06-26 06:41:59 UTC
Tags:
stealer snake keylogger evasion ims-api generic netreactor
Link:
https://app.any.run/tasks/4c1474e8-4b5d-4903-a7d6-9da8a921eb67

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/11194/
Detection(s):
SecuriteInfo.com.FileRepMalware.3656.11900.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=685cebb632ed47a3a8d76427
Tags:
autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Searching for the window
Creating a window
Creating a file in the %temp% directory
Launching a process
Сreating synchronization primitives
DNS request
Connection attempt
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
autoit compiled-script entropy microsoft_visual_cc overlay packed packed packed packer_detected upx virtual
Link:
https://www.filescan.io/uploads/685cebb445e80b29f89ec73f/reports/0b83ff91-a92f-4071-81fa-4ca5b0a7f58e/overview
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/adc5763a-0264-4fef-b38c-464d4952ccd5
Result
Threat name:
MSIL Logger, MassLogger RAT, PureLog Ste
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1723262
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected MassLogger RAT
Yara detected MSIL Logger
Yara detected PureLog Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/106c6fcbfe6af29e20fa66915f533e4b38e2fa103b8b4d7ec88295d8fd511764
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/106c6fcbfe6af29e20fa66915f533e4b38e2fa103b8b4d7ec88295d8fd511764/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2025-06-26 01:58:06 UTC
File Type:
PE (Exe)
Extracted files:
43
AV detection:
22 of 24 (91.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cbwg7s76nlzj4ih2m2iv6uz6jm4of6qqhofu27wiqkk5r7krc5sa._file
Verdict:
malicious
Label(s):
unc_loader_001
Create hunting rule
zgrat
Create hunting rule
Similar samples:
052dca4820559afcefaa0fc6769f8095e160d887a1e08e9393e4da9d3fa2a7eb
RedLineStealer
106c6fcbfe6af29e20fa66915f533e4b38e2fa103b8b4d7ec88295d8fd511764
RedLineStealer
19668327394d8d4ec3344736d51fd3ab1baf84b6982c549fe85772633116a1d1
RedLineStealer
219b2f19475b0ba36726568f9dd52320c1c44f24c9e3ac018c0742967e157ba2
RedLineStealer
3d9c9606d3bba567a0ce9f2d8c891239cd06c4cb470df92dfcee5fca5a0e7b7b
RedLineStealer
5cf9f8b94a395f9cba3658502e40b014d67026a16da2aa91a3f7bb64931ae8e2
RedLineStealer
88795ccbb26f764aa31d3e28c8df85f970334a67bc61b06682745b185900ea75
RedLineStealer
error
RedLineStealer
+ 43 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger collection discovery spyware stealer upx
Link:
https://tria.ge/reports/250626-hfzq5abn8s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
System Location Discovery: System Language Discovery
AutoIT Executable
Suspicious use of SetThreadContext
UPX packed file
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
MassLogger
Masslogger family
Verdict:
Malicious
Tags:
404keylogger
YARA:
n/a
Link:
https://app.threat.zone/submission/c9dd15b4-759d-4b1a-87ac-d5e916d41c0b
Unpacked files
SH256 hash:
106c6fcbfe6af29e20fa66915f533e4b38e2fa103b8b4d7ec88295d8fd511764
MD5 hash:
02820b28110c19f3084ba705a39e4956
SHA1 hash:
72e4baa41ad987502daeb9cdcf83393f38141826
Link:
https://www.unpac.me/results/72c05c78-f766-4d49-bd8a-9f0649a1fd82/
SH256 hash:
74086398130dfdfe8b2d8cd263df9f27dd9cb139feab00ec66b233b6eb248a6b
MD5 hash:
3256b3933581f6fe43a0f2203886d4a4
SHA1 hash:
0ddaf54c0812e45d9a91d5d436a5bb0c2a9f7d39
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/72c05c78-f766-4d49-bd8a-9f0649a1fd82/
SH256 hash:
44a399dbffcbb88654390ce3d5a52b01d88196779a5c9213e1907fc52ecc7037
MD5 hash:
a9d28c5ac5c3dcc9fb19883083f8b014
SHA1 hash:
29241e38acee0ce7b22bf9db4ba8fe9fe193dc3f
Detections:
win_samsam_auto
Create hunting rule
SUSP_OBF_NET_Reactor_Native_Stub_Jan24
Create hunting rule
MAL_Malware_Imphash_Mar23_1
Create hunting rule
MetaStealer_NET_Reactor_packer
Create hunting rule
MALWARE_Win_RedLine
Create hunting rule
Link:
https://www.unpac.me/results/72c05c78-f766-4d49-bd8a-9f0649a1fd82/
SH256 hash:
3aeb2005a8956e7d6fc40b48fb9f6a66063720bd518ef9cd29cceb77e985d426
MD5 hash:
313226c2bf17743543fec526b647fd93
SHA1 hash:
16f8489e6ab55b7d278d2d7e91f530ba20e4c19c
Detections:
win_404keylogger_g1
Create hunting rule
win_masslogger_w0
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/72c05c78-f766-4d49-bd8a-9f0649a1fd82/
SH256 hash:
30ffc1f873ce0aedf852b2730d7859d077cbfcfc8cd47e798924bf95ec7d37ea
MD5 hash:
ffa41c08e668f7599883658f3804964d
SHA1 hash:
60a72dba8ac25eea6be80e9f40c8ef399808f996
Detections:
win_404keylogger_g1
Create hunting rule
win_masslogger_w0
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
RedLine_Campaign_June2021
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/72c05c78-f766-4d49-bd8a-9f0649a1fd82/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/106c6fcbfe6a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/106c6fcbfe6af29e20fa66915f533e4b38e2fa103b8b4d7ec88295d8fd511764

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:upx_largefile
Create hunting rule
Author:k3nr9
Rule name:win_samsam_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

Executable exe 106c6fcbfe6af29e20fa66915f533e4b38e2fa103b8b4d7ec88295d8fd511764

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/11194/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::GetAce
MULTIMEDIA_APICan Play MultimediaWINMM.dll::timeGetTime
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA

Comments