MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ff8c68ae45074d7866b65839609626a8d7b3a5292a38a39a72b57bd626add4f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XRed


Vendor detections: 19


Intelligence 19 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0ff8c68ae45074d7866b65839609626a8d7b3a5292a38a39a72b57bd626add4f
SHA3-384 hash: 546d2bd7278df6e6b7697d7a1739e4b0b7b685bfa6585846c56c6e80e2a7873213da73582c0172db641cb32768e67581
SHA1 hash: 4706f90a4a455dae6b1a928b247084501ab96551
MD5 hash: 76e6b78b9808cd4766f673ef091de07a
humanhash: paris-nineteen-burger-yankee
File name:0ff8c68ae45074d7866b65839609626a8d7b3a5292a38a39a72b57bd626add4f
Download: download sample
Signature XRed
Create hunting rule
File size:7'985'152 bytes
First seen:2025-07-31 11:54:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 332f7ce65ead0adfb3d35147033aabe9 (81 x XRed, 18 x SnakeKeylogger, 7 x DarkComet)
ssdeep 196608:iLqeFgxFYK2GU3giv67kF+d/TqcbVjULchUpCMyKOogQFEH6ob4tzWfj7gmBa:ivFgYKEQiC7kcd/GmBU46pfvOogQFEHu
Threatray 467 similar samples on MalwareBazaar
TLSH T16D86D0E2107A4A53E431C0B50EDF2E57C9DA92D3575A30956F9D2CF48B30CEE28E5AC9
TrID 93.3% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
1.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.4% (.EXE) Win64 Executable (generic) (10522/11/4)
1.4% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
0.6% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 5cf0e85592d6ec6c (1 x XRed)
Reporter JAMESWT_WT
Tags:exe xred

Intelligence

File Origin
# of uploads :
1
# of downloads :
27
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
0ff8c68ae45074d7866b65839609626a8d7b3a5292a38a39a72b57bd626add4f.exe
Verdict:
Malicious activity
Analysis date:
2025-07-31 11:59:53 UTC
Tags:
xred backdoor auto-reg auto redline stealer arch-doc delphi clipper diamotrix dyndns snake keylogger
Link:
https://app.any.run/tasks/9a600f81-9aad-4285-bb44-13bb3f3b698f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/18054/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=688b59f20b4775fb2133f2f9
Tags:
dropper delphi smtp remo
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Moving a recently created file
Creating a file in the %temp% directory
Searching for the window
Creating a process with a hidden window
Moving a file to the %temp% directory
Modifying an executable file
DNS request
Connection attempt
Sending an HTTP GET request
Launching a process
Sending an HTTP POST request
Loading a suspicious library
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Query of malicious DNS domain
Infecting executable files
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug base64 borland_delphi cmd crypt crypto dropper evasive fingerprint keylogger lolbin macros-on-open optix packed packed redline
Link:
https://www.filescan.io/uploads/688b59b5a16348d835f5b649/reports/772058f3-d4ce-4c60-916a-37fe09c87f9b/overview
Verdict:
Malicious
Labled as:
Trojan.DarkKomet
Link:
https://www.hybrid-analysis.com/sample/0ff8c68ae45074d7866b65839609626a8d7b3a5292a38a39a72b57bd626add4f
Malware family:
XRed
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/50bbcd5a-f01a-4c0e-9b8a-e2a54086b31f
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0ff8c68ae45074d7866b65839609626a8d7b3a5292a38a39a72b57bd626add4f
Verdict:
Malware
YARA:
5 match(es)
Tags:
ADODB.Stream Blacklist VBA Corrupted Executable Office Document PE (Portable Executable) scripting.filesystemobject Win 32 Exe WinHttp.WinHttpRequest.5 WinHttp.WinHttpRequest.5.1 WScript.Shell x86
Link:
https://app.malva.re/file/76e6b78b9808cd4766f673ef091de07a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0ff8c68ae45074d7866b65839609626a8d7b3a5292a38a39a72b57bd626add4f/
Verdict:
Malicious
Threat:
Family.REDLINE
Link:
https://tip.neiki.dev/file/0ff8c68ae45074d7866b65839609626a8d7b3a5292a38a39a72b57bd626add4f
Threat name:
Win32.Trojan.Synaptics
Create hunting rule
Status:
Malicious
First seen:
2025-07-26 09:29:27 UTC
File Type:
PE (Exe)
Extracted files:
66
AV detection:
24 of 24 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b74mncxekb2npbtlmwbzmclcnkgxwossskryuonhfnl32ytk3vhq._file
Verdict:
malicious
Label(s):
redlinestealer
Create hunting rule
xredbackdoor
Create hunting rule
Similar samples:
0ff8c68ae45074d7866b65839609626a8d7b3a5292a38a39a72b57bd626add4f
XRed
148a66e153761e6bc969fbc4f98a40ed0a27d52469901eefe8cd6965ab4d09c5
XRed
627758d18d773a74dd10d6066d68e72c1db2ba5fa81f5535b6b00c4e9b01927b
XRed
bdcad3bd0023fcab3e03c7ab767f67f0c5763bb6d5a8da1a03a3b1ada3643889
XRed
error
XRed
fd2af290651593318f6181ffbbf227f8ae72c1ab1deb2a2ffae91d7a8988c8da
XRed
+ 457 additional samples on MalwareBazaar
Result
Malware family:
xred
Create hunting rule
Score:
  10/10
Tags:
family:redline family:xred botnet:dcxwvcxv5 botnet:jajaja backdoor discovery execution infostealer persistence spyware stealer
Link:
https://tria.ge/reports/250731-n3r8fshm6w/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Command and Scripting Interpreter: PowerShell
Drops file in System32 directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
RedLine
RedLine payload
Redline family
Xred
Xred family
Malware Config
C2 Extraction:
xred.mooo.com
176.46.152.46:1912
176.46.152.46:1911
Verdict:
Malicious
Tags:
backdoor xred_backdoor Win.Trojan.Emotet-9850453-0
YARA:
mal_xred_backdoor
Link:
https://app.threat.zone/submission/bef3d7c3-3b00-432a-9b8f-f6d151ac038d
Unpacked files
SH256 hash:
0ff8c68ae45074d7866b65839609626a8d7b3a5292a38a39a72b57bd626add4f
MD5 hash:
76e6b78b9808cd4766f673ef091de07a
SHA1 hash:
4706f90a4a455dae6b1a928b247084501ab96551
Link:
https://www.unpac.me/results/2ca21631-b49b-4d5a-aa63-337d757270e2/
SH256 hash:
27937b54264d79596cb05ac944eff0bbe1a3f92045dd22602c9e39b90b42719f
MD5 hash:
c54cc06cef71763bf989eb976cf2ba71
SHA1 hash:
253949fcdc15fb53075ec3862556762a66fde630
Link:
https://www.unpac.me/results/2ca21631-b49b-4d5a-aa63-337d757270e2/
SH256 hash:
277b8e0a45a3103e9fc95ece537382836e0bd246a956ab7dd150487e7fdaab96
MD5 hash:
af4002e12c0bd69754f97ab6b8312c74
SHA1 hash:
0808a4e3645869277357ef43b6a449f6237e57ee
Detections:
SUSP_XORed_Mozilla
Create hunting rule
Link:
https://www.unpac.me/results/2ca21631-b49b-4d5a-aa63-337d757270e2/
SH256 hash:
a4c86fc4836ac728d7bd96e7915090fd59521a9e74f1d06ef8e5a47c8695fd81
MD5 hash:
4ff75f505fddcc6a9ae62216446205d9
SHA1 hash:
efe32d504ce72f32e92dcf01aa2752b04d81a342
Link:
https://www.unpac.me/results/2ca21631-b49b-4d5a-aa63-337d757270e2/
SH256 hash:
4dc09bac0613590f1fac8771d18af5be25a1e1cb8fdbf4031aa364f3057e74a2
MD5 hash:
0ee914c6f0bb93996c75941e1ad629c6
SHA1 hash:
12e2cb05506ee3e82046c41510f39a258a5e5549
Link:
https://www.unpac.me/results/2ca21631-b49b-4d5a-aa63-337d757270e2/
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/2ca21631-b49b-4d5a-aa63-337d757270e2/
SH256 hash:
b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2
MD5 hash:
c0ef4d6237d106bf51c8884d57953f92
SHA1 hash:
f1da7ecbbee32878c19e53c7528c8a7a775418eb
Link:
https://www.unpac.me/results/2ca21631-b49b-4d5a-aa63-337d757270e2/
SH256 hash:
bf02d45fcbf386cc2556c616f3e0fa1d3380614e026da41e41ba72938d5f9a4b
MD5 hash:
da2ed37b57409184b8c0ecb1c2863494
SHA1 hash:
8f08d4bd6b5407d24da727dc73f890935093b540
Link:
https://www.unpac.me/results/2ca21631-b49b-4d5a-aa63-337d757270e2/
SH256 hash:
74990b7b3cdb9c650ed31da724962d682c19d4f6aaf374eaeb45271c70c3da6a
MD5 hash:
8a80e42126fbaab7cb25f3930fd9f468
SHA1 hash:
b0b20805c2e841c36e75abaf4d6ab58e7dfcc778
Link:
https://www.unpac.me/results/2ca21631-b49b-4d5a-aa63-337d757270e2/
Malware family:
RedLine.F
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0ff8c68ae450/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0ff8c68ae45074d7866b65839609626a8d7b3a5292a38a39a72b57bd626add4f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:D1S1Gv11betaD1N
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vbaproject_bin
Create hunting rule
Author:CD_R0M_
Description:{76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/18054/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::AdjustTokenPrivileges
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteExA
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessA
advapi32.dll::OpenProcessToken
kernel32.dll::OpenProcess
kernel32.dll::CloseHandle
wininet.dll::InternetCloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::TerminateProcess
kernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryA
kernel32.dll::GetDriveTypeA
kernel32.dll::GetSystemInfo
kernel32.dll::GetStartupInfoA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CopyFileA
kernel32.dll::CreateDirectoryA
kernel32.dll::CreateFileA
kernel32.dll::CreateFileMappingA
kernel32.dll::DeleteFileA
kernel32.dll::MoveFileA
WIN_BASE_USER_APIRetrieves Account Informationkernel32.dll::GetComputerNameA
advapi32.dll::GetUserNameA
advapi32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegCreateKeyExA
advapi32.dll::RegNotifyChangeKeyValue
advapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
advapi32.dll::RegSetValueExA
WIN_SVC_APICan Manipulate Windows Servicesadvapi32.dll::OpenSCManagerA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::FindWindowA
user32.dll::PeekMessageA
user32.dll::CreateWindowExA

Comments