MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11dee89c0ea7cb7142d3edd87bf1888f3d559ab6752f0762b123e60bbb0cdac9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XRed

Vendor detections: 20

Intelligence 20 IOCs YARA 16 File information Comments

SHA256 hash:	11dee89c0ea7cb7142d3edd87bf1888f3d559ab6752f0762b123e60bbb0cdac9
SHA3-384 hash:	c91bee04747319ca30675c2c70dc427f4f36ed8586c3a0303ed75e223df2b50b0ecbb8d070a45487e73bf3e673265db7
SHA1 hash:	acf710f210e01a9162fd69b668205c898892d948
MD5 hash:	cef4eb76c55cec6a28aad1ce08dbf61c
humanhash:	oscar-cold-lithium-tennessee
File name:	libcef.exe
Download:	download sample
Signature	XRed Create hunting rule
File size:	4'445'696 bytes
First seen:	2026-02-22 16:52:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	332f7ce65ead0adfb3d35147033aabe9 (95 x XRed, 18 x SnakeKeylogger, 9 x DarkComet)
ssdeep	98304:ensmtk2aPskDP1dOcd6cy2LkZkkd0sAon:gLYOMy2LkZ71
Threatray	41 similar samples on MalwareBazaar
TLSH	T1D7269D292B924262C3513738CC76A6A425796F131F18D4766EB42D4D7D3228EFC13EBE
TrID	88.5% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58) 5.7% (.EXE) InstallShield setup (43053/19/16) 1.8% (.EXE) Win32 Executable Delphi generic (14182/79/4) 1.3% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2) 0.8% (.EXE) Win64 Executable (generic) (6522/11/2)
Magika	pebin
dhash icon	78646ce49ac8c8c4 (1 x XRed)
Reporter	Ling
Tags:	autorun exe Farfli Worm:Win32/AutoRun!atmn xred

CNGaoLing

Worm:Win32/AutoRun!atmn (Microsoft Defender)

Farfli & XRed
IOC (Domain hackerinvasion.f3322.net) (Domain xred.mooo.com)

Intelligence

File Origin

# of uploads :

# of downloads :

117

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

MSO XRed

Details

MSO

extracted VBA Macros and, if observed, MS-OFORM variables/data are added to the knowledge base for usage in later parsing of the Macros

XRed

url(s), filepath(s) and a user-agent

XRed

extracted components and server, download, gmail, client, and active configuration settings

Link:

https://research.acce.ciphertechsolutions.com/results/b56d7adf-a94a-458b-a743-1279500c8aff/

Malware family:

n/a

ID:

File name:

libcef.exe

Verdict:

Malicious activity

Analysis date:

2026-02-21 20:37:32 UTC

Tags:

xred backdoor delphi dyndns

Link:

https://app.any.run/tasks/8cbe561f-57da-4571-9591-78d131e5b609

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

PCRat

Link:

https://www.capesandbox.com/analysis/54079/

Detection(s):

Win.Dropper.Tiggre-9845940-0

Win.Trojan.Emotet-9850453-0

Win.Trojan.Generic-9936029-0

Win.Malware.Farfli-9975985-0

Win.Trojan.Farfli-10018321-0

Win.Trojan.Farfli-10018322-0

Win.Malware.Generickdz-10032432-0

Win.Malware.Delf-6899401-0

TwinWave.EvilDoc.PKILLDropboxMacroDirectDownload.20220331.UNOFFICIAL

SecuriteInfo.com.Other.Malware-gen.4213.13336.UNOFFICIAL

MiscreantPunch.EvilMacro.PVDISABLE.170819.UNOFFICIAL

TwinWave.EvilDoc.PolicyKillOnlyHappyWhenItRains.20210704.UNOFFICIAL

TwinWave.EvilDoc.HanciInterruptMyDayHandler.20210721.UNOFFICIAL

Xls.Dropper.Agent-7382066-0

PUA.Win.Packer.D1s1g-5

PUA.Win.Packer.D1s1g-2

PUA.Win.Packer.D1s1g-1

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=699b3480c950ab5d9ab07bd4

Tags:

blackmoon delphi farfli

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

Creating a file

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

Moving a recently created file

Creating a file in the %temp% directory

Creating a file in the Windows directory

Moving a file to the %temp% directory

Modifying an executable file

Sending a custom TCP request

Searching for the window

Creating a file in the Windows subdirectories

Creating a service

Launching a service

Moving a file to the Windows subdirectory

DNS request

Connection attempt

Sending an HTTP GET request

Creating a file in the drivers directory

Loading a system driver

Running batch commands

Creating a process with a hidden window

Launching a process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Enabling autorun for a service

Query of malicious DNS domain

Infecting executable files

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context anti-debug autorun base64 borland_delphi cmd darkkomet dropper evasive explorer fingerprint installer-heuristic keylogger lolbin macros-on-open packed packed virus

Link:

https://www.filescan.io/uploads/699b347d10e80629d4ed5256/reports/cc15a2c0-58f4-41f1-9b44-53160e4dc100/overview

Verdict:

Malicious

Labled as:

Comet.A

Link:

https://www.hybrid-analysis.com/sample/11dee89c0ea7cb7142d3edd87bf1888f3d559ab6752f0762b123e60bbb0cdac9

Verdict:

Malicious

File Type:

exe x32

Detections:

Backdoor.Farfli.HTTP.C&C Trojan.Comei.UDP.C&C Trojan.Win32.XRed.mg Trojan.Win32.Agent.sb HEUR:Trojan-Ransom.Win32.Gen.gen HEUR:Trojan.Win32.Agent.gen Trojan.Win32.XRed.ox Trojan.Win32.Macri.sb Trojan-Dropper.MSOffice.SDrop.sb Trojan-Downloader.Win32.Upatre.sb Trojan.Win32.Blamon.sb HEUR:Trojan.Win32.Blamon.gen HEUR:Backdoor.Win32.Farfli.vho Trojan.Win32.XRed.op Trojan-Dropper.Win32.Daws.sb VHO:Trojan.MSOffice.SAgent.gen Backdoor.Zegost.TCP.C&C Trojan.Win32.Comei.sb Trojan-Dropper.Win32.Daws.sba Trojan.XRed.UDP.C&C Backdoor.Agent.HTTP.C&C Trojan-Spy.Win32.Agent.sb Trojan-Spy.Win64.Agent.sb Trojan.Win32.Agentb.jrhy HEUR:Trojan-Downloader.MSOffice.Agent.gen Backdoor.Win32.Zegost.sb PDM:Trojan.Win32.Generic Trojan-Spy.Win32.Agent Trojan-Downloader.Win32.Blamon.sb Trojan.Win32.XRed.sb Trojan.Win32.XRed.nd HEUR:Backdoor.Win32.Convagent.gen Backdoor.Win32.Poison.sb Backdoor.Win32.DarkKomet.hqxy Trojan.MSOffice.SAgent.sb Trojan-Dropper.Win32.Dorifel.sbd Worm.Win32.VBNA.sb Rootkit.Win64.Agent.bgp HEUR:Worm.Win32.Generic HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.Win32.Generic HEUR:Backdoor.Win32.Farfli.gen Trojan.Win32.Kryplod.sb Trojan.Win32.XRed.nt Trojan.Win32.XRed.mq Backdoor.Win32.Farfli.sb Trojan.Win32.Comei.ujs BSS:Exploit.Win32.Generic BSS:Trojan.Win32.Generic Trojan.Win32.Antavmu.sb Trojan.Win32.Agent.gen HEUR:Trojan.Script.Generic HEUR:Backdoor.Win32.Generic Backdoor.Win32.Farfli.bovu Trojan-Downloader.Win32.Zenlod.a

Link:

https://opentip.kaspersky.com/11dee89c0ea7cb7142d3edd87bf1888f3d559ab6752f0762b123e60bbb0cdac9/results?tab=lookup

Malware family:

Swrort

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0d889a04-4c73-4f1d-9a6c-890632809e47

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/11dee89c0ea7cb7142d3edd87bf1888f3d559ab6752f0762b123e60bbb0cdac9

Verdict:

Malware

YARA:

7 match(es)

Tags:

.Net ADODB.Stream Blacklist VBA Corrupted Executable Office Document PE (Portable Executable) PE File Layout scripting.filesystemobject Win 32 Exe WinHttp.WinHttpRequest.5 WinHttp.WinHttpRequest.5.1 WScript.Shell x86

Link:

https://app.malva.re/file/cef4eb76c55cec6a28aad1ce08dbf61c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/11dee89c0ea7cb7142d3edd87bf1888f3d559ab6752f0762b123e60bbb0cdac9/

Verdict:

Malicious

Threat:

Family.BLACKMOON

Link:

https://tip.neiki.dev/file/11dee89c0ea7cb7142d3edd87bf1888f3d559ab6752f0762b123e60bbb0cdac9

Threat name:

Win32.Worm.AutoRun

Status:

Malicious

First seen:

2026-02-21 23:11:17 UTC

File Type:

PE (Exe)

Extracted files:

206

AV detection:

23 of 23 (100.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=chporhaou7fxcqwt5xmhx4mir46vlgvwouxqoyvreptaxoym3leq._file

Verdict:

malicious

Label(s):

xredbackdoor

fatalrat

krbanker

XRed

90c52141e31399449a689286fcf58c94584a75f1fd7ad3bd39b5aac09adff639

XRed

9c0116c29d031bc42faaa5e312c7c6b99378ed115b069b2d6c2d228ae563375b

XRed

dbaedcc548579a20fab98b28992301084fe27e91460fbdb2a6e00df5e58f52fe

XRed

df8d2aa31a1e622f675b28f46e5eb8d50e61606c5e182969b0376d0d1915062b

XRed

e119f126968b206ebfbf49923c1aac3dbe948461ff38d9f638b6cdf12ff47560

XRed

error

XRed

+ 31 additional samples on MalwareBazaar

Result

Malware family:

xred

Score:

10/10

Tags:

family:blackmoon family:gh0strat family:purplefox family:xred backdoor banker discovery persistence rat rootkit trojan upx

Link:

https://tria.ge/reports/260222-vd32zsas3d/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies registry class

Runs ping.exe

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Drops file in Windows directory

Drops file in System32 directory

UPX packed file

Adds Run key to start application

Enumerates connected drives

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Drops file in Drivers directory

Sets service image path in registry

Blackmoon family

Blackmoon, KrBanker

Detect Blackmoon payload

Detect PurpleFox Rootkit

Gh0st RAT payload

Gh0strat

Gh0strat family

PurpleFox

Purplefox family

Xred

Xred family

Malware Config

C2 Extraction:

xred.mooo.com

Unpacked files

SH256 hash:

11dee89c0ea7cb7142d3edd87bf1888f3d559ab6752f0762b123e60bbb0cdac9

MD5 hash:

cef4eb76c55cec6a28aad1ce08dbf61c

SHA1 hash:

acf710f210e01a9162fd69b668205c898892d948

Detections:

BlackmoonBanker

Link:

https://www.unpac.me/results/5b122e64-94ce-4aff-b58b-e86e695d589f/

Malware family:

KrBanker

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/11dee89c0ea7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/11dee89c0ea7cb7142d3edd87bf1888f3d559ab6752f0762b123e60bbb0cdac9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BlackMoon Create hunting rule
Author:	NDA0E
Description:	Detects BlackMoon

Rule name:	blackmoon_payload_v1 Create hunting rule
Author:	RandomMalware

Rule name:	BobSoftMiniDelphiBoBBobSoft Create hunting rule
Author:	malware-lu

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	D1S1Gv11betaD1N Create hunting rule
Author:	malware-lu

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MALWARE_Win_BlackMoon Create hunting rule
Author:	ditekSHen
Description:	Detects executables using BlackMoon RunTime

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	vbaproject_bin Create hunting rule
Author:	CD_R0M_
Description:	{76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time

Rule name:	without_attachments Create hunting rule
Author:	Antonio Sanchez <asanchez@hispasec.com>
Description:	Rule to detect the no presence of any attachment
Reference:	http://laboratorio.blogs.hispasec.com/

Rule name:	with_urls Create hunting rule
Author:	Antonio Sanchez <asanchez@hispasec.com>
Description:	Rule to detect the presence of an or several urls
Reference:	http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XRed

exe 11dee89c0ea7cb7142d3edd87bf1888f3d559ab6752f0762b123e60bbb0cdac9

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/54079/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample