MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b20bb50d5eb548b9de8905a860fe218da7b49e78ae87c0fee159686ba3e48a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XRed

Vendor detections: 19

Intelligence 19 IOCs YARA 10 File information Comments

SHA256 hash:	1b20bb50d5eb548b9de8905a860fe218da7b49e78ae87c0fee159686ba3e48a6
SHA3-384 hash:	4a1e8418df65bd9d25ac21f5f59b90d728df04212e647b5ca21815017cfa7c2e83055d9670634d5df22eecfdd2531287
SHA1 hash:	2fc30c2da50cce256fca4fe3c22944c586db8de0
MD5 hash:	d03734457a171c4998e4e7645297ebbf
humanhash:	delaware-social-california-maine
File name:	RxTrig.exe
Download:	download sample
Signature	XRed Create hunting rule
File size:	2'288'640 bytes
First seen:	2025-07-16 01:01:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	332f7ce65ead0adfb3d35147033aabe9 (81 x XRed, 18 x SnakeKeylogger, 7 x DarkComet)
ssdeep	49152:7nsHyjtk2MYC5GDgWwgkLCDIZHsUdi2oi9rx9A+5h+v4loPB7n3:7nsmtk2aBWwgIZH1dRoKrjAaTEB73
Threatray	467 similar samples on MalwareBazaar
TLSH	T10DB5F132F2D18437D1331A3C9D6BA3A4483ABE512E38794E7BE93E4C5E396812D552D3
TrID	93.3% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58) 1.9% (.EXE) Win32 Executable Delphi generic (14182/79/4) 1.4% (.EXE) Win64 Executable (generic) (10522/11/4) 1.4% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2) 0.6% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
dhash icon	00070a1616973308 (1 x XRed)
Reporter	nickkuechel
Tags:	exe Umbral xred

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

njrat

ID:

File name:

RxTrig.exe

Verdict:

Malicious activity

Analysis date:

2025-07-11 18:33:32 UTC

Tags:

xred backdoor auto-reg autohotkey delphi dyndns rat njrat bladabindi ahk loader discordgrabber generic stealer umbralstealer umbral divulgestealer ims-api snake keylogger

Link:

https://app.any.run/tasks/de0b4867-1554-44af-8774-8b49131ff8b5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Njrat

Link:

https://www.capesandbox.com/analysis/14719/

Detection(s):

PUA.Win.Packer.D1s1g-5

PUA.Win.Packer.D1s1g-2

PUA.Win.Packer.D1s1g-1

Win.Trojan.Emotet-9850453-0

Win.Trojan.Generic-9936029-0

Win.Malware.Delf-6899401-0

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=687158fac9eb974737686e70

Tags:

darkkomet vmdetect delphi njrat

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

Creating a file

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

Moving a recently created file

Searching for the window

Creating a file in the %temp% directory

DNS request

Connection attempt

Sending an HTTP GET request

Setting a global event handler

Setting a keyboard event handler

Launching a process

Unauthorized injection to a recently created process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Query of malicious DNS domain

Adding an exclusion to Microsoft Defender

Changing the hosts file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context anti-debug autorun base64 borland_delphi cmd darkkomet dropper emotet evasive fingerprint keylogger lolbin macros-on-open optix packed reconnaissance virus

Link:

https://www.filescan.io/uploads/6876fa0e12460d69545e0a78/reports/33117c5a-814a-4763-80c7-c55823436cd0/overview

Verdict:

Malicious

Labled as:

Trojan.DarkKomet

Link:

https://www.hybrid-analysis.com/sample/1b20bb50d5eb548b9de8905a860fe218da7b49e78ae87c0fee159686ba3e48a6

Malware family:

XRed

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/bac484ed-1c8d-4def-9957-2018867ddfeb

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/1b20bb50d5eb548b9de8905a860fe218da7b49e78ae87c0fee159686ba3e48a6

Verdict:

Malware

YARA:

6 match(es)

Tags:

.Net ADODB.Stream Blacklist VBA Corrupted Executable Office Document PE (Portable Executable) scripting.filesystemobject SOS: 0.02 Win 32 Exe WinHttp.WinHttpRequest.5 WinHttp.WinHttpRequest.5.1 WScript.Shell x86

Link:

https://app.malva.re/file/d03734457a171c4998e4e7645297ebbf

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1b20bb50d5eb548b9de8905a860fe218da7b49e78ae87c0fee159686ba3e48a6/

Verdict:

Malicious

Threat:

Win32.Trojan.Synaptics

Link:

https://tip.neiki.dev/file/1b20bb50d5eb548b9de8905a860fe218da7b49e78ae87c0fee159686ba3e48a6

Threat name:

Win32.Worm.Synaptics

Status:

Malicious

First seen:

2025-04-07 18:59:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 23 (100.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dmqlwugv5nkixhpisbnimd7cddnhwsphrluhyd7ocwlinor6jcta._file

Verdict:

malicious

Label(s):

umbral

njrat

xredbackdoor

XRed

1b20bb50d5eb548b9de8905a860fe218da7b49e78ae87c0fee159686ba3e48a6

XRed

627758d18d773a74dd10d6066d68e72c1db2ba5fa81f5535b6b00c4e9b01927b

XRed

bdcad3bd0023fcab3e03c7ab767f67f0c5763bb6d5a8da1a03a3b1ada3643889

XRed

error

XRed

fd2af290651593318f6181ffbbf227f8ae72c1ab1deb2a2ffae91d7a8988c8da

XRed

+ 457 additional samples on MalwareBazaar

Result

Malware family:

xred

Score:

10/10

Tags:

family:njrat family:umbral family:xred backdoor defense_evasion discovery persistence privilege_escalation stealer trojan

Link:

https://tria.ge/reports/250716-bdvk3a1vft/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

System Location Discovery: System Language Discovery

Drops file in Windows directory

Drops file in System32 directory

Adds Run key to start application

Looks up external IP address via web service

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Modifies Windows Firewall

Detects Umbral payload

Njrat family

Umbral

Umbral family

Xred

Xred family

njRAT/Bladabindi

Malware Config

C2 Extraction:

xred.mooo.com
https://discord.com/api/webhooks/1260642604438126643/aa_UuahSUZkuOs2VlSIBCQbkyeOFMP2Ohl9qSBW53DeOIykNwknCmzQV8l5t08t9fhd5

Verdict:

Malicious

Tags:

backdoor xred_backdoor Win.Trojan.Emotet-9850453-0

YARA:

mal_xred_backdoor

Link:

https://app.threat.zone/submission/6a1f5fd8-091f-4bf5-b588-ad762be8d462

Unpacked files

SH256 hash:

1b20bb50d5eb548b9de8905a860fe218da7b49e78ae87c0fee159686ba3e48a6

MD5 hash:

d03734457a171c4998e4e7645297ebbf

SHA1 hash:

2fc30c2da50cce256fca4fe3c22944c586db8de0

Link:

https://www.unpac.me/results/c7d6e2c7-1810-46c6-8fd1-57dfffc75c63/

SH256 hash:

33c15725ba01ebc29970e185e508c9bb3c1d01a3730518c94f6f90cb25ad6838

MD5 hash:

5edc00e458d6105cc57e7bf9bcfa9c7b

SHA1 hash:

9e8979ab8284fce63514b7a1167dc8d566107ca0

Link:

https://www.unpac.me/results/c7d6e2c7-1810-46c6-8fd1-57dfffc75c63/

SH256 hash:

b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2

MD5 hash:

c0ef4d6237d106bf51c8884d57953f92

SHA1 hash:

f1da7ecbbee32878c19e53c7528c8a7a775418eb

Link:

https://www.unpac.me/results/c7d6e2c7-1810-46c6-8fd1-57dfffc75c63/

SH256 hash:

f67268d2659ceb1e8cf8a7560784372294bcd8f249f7c0efdf33216722a5f0bb

MD5 hash:

56c788116da32ec8e9ac3b1b0e66b520

SHA1 hash:

545f203f2bdf6fac2f131a76a5f36e21637b27ca

Detections:

UmbralStealer

INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice

INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames

INDICATOR_SUSPICIOUS_EXE_SandboxSystemUUIDs

MALWARE_Win_UmbralStealer

Link:

https://www.unpac.me/results/c7d6e2c7-1810-46c6-8fd1-57dfffc75c63/

SH256 hash:

b59bf09014ee54425d3711f97529c768f14a51855fb104609a08601ff3853b34

MD5 hash:

c9d1849c18ebe8f3c13f76cbd253c16d

SHA1 hash:

f97472bf5ee8eadfb9fdee64f682ef4e3ea1818c

Link:

https://www.unpac.me/results/c7d6e2c7-1810-46c6-8fd1-57dfffc75c63/

SH256 hash:

558efebcc73ee563134b8e213e859fa51ba29758c16ee38f23a14e21aa225edb

MD5 hash:

839f7bd0f36f4b2f76412d0345ba6a29

SHA1 hash:

a49fcc1a481c03e8c89ffbfc42b1495fb7581649

Detections:

win_njrat_g1

win_njrat_w1

NjRat

CN_disclosed_20180208_c

Njrat

win_njrat_bytecodes_oct_2023

win_njrat_strings_oct_2023

MALWARE_Win_NjRAT

Link:

https://www.unpac.me/results/c7d6e2c7-1810-46c6-8fd1-57dfffc75c63/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1b20bb50d5eb548b9de8905a860fe218da7b49e78ae87c0fee159686ba3e48a6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BobSoftMiniDelphiBoBBobSoft Create hunting rule
Author:	malware-lu

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	D1S1Gv11betaD1N Create hunting rule
Author:	malware-lu

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	vbaproject_bin Create hunting rule
Author:	CD_R0M_
Description:	{76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/14719/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CLSIDFromProgID ole32.dll::CoCreateInstance
SECURITY_BASE_API	Uses Security Base API	advapi32.dll::AdjustTokenPrivileges
SHELL_API	Manipulates System Shell	shell32.dll::ShellExecuteExA
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CreateProcessA advapi32.dll::OpenProcessToken kernel32.dll::OpenProcess kernel32.dll::CloseHandle wininet.dll::InternetCloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::TerminateProcess kernel32.dll::LoadLibraryExA kernel32.dll::LoadLibraryA kernel32.dll::GetDriveTypeA kernel32.dll::GetSystemInfo kernel32.dll::GetStartupInfoA
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CopyFileA kernel32.dll::CreateDirectoryA kernel32.dll::CreateFileA kernel32.dll::CreateFileMappingA kernel32.dll::DeleteFileA kernel32.dll::MoveFileA
WIN_BASE_USER_API	Retrieves Account Information	kernel32.dll::GetComputerNameA advapi32.dll::GetUserNameA advapi32.dll::LookupPrivilegeValueA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegCreateKeyExA advapi32.dll::RegNotifyChangeKeyValue advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA advapi32.dll::RegSetValueExA
WIN_SVC_API	Can Manipulate Windows Services	advapi32.dll::OpenSCManagerA
WIN_USER_API	Performs GUI Actions	user32.dll::ActivateKeyboardLayout user32.dll::CreateMenu user32.dll::FindWindowA user32.dll::PeekMessageA user32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample