MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19e59830b3b6742b26575bc2b1ec3276a5d7d75a7f3c92bf0cf5762f07e9f660. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XRed

Vendor detections: 20

Intelligence 20 IOCs YARA 17 File information Comments

SHA256 hash:	19e59830b3b6742b26575bc2b1ec3276a5d7d75a7f3c92bf0cf5762f07e9f660
SHA3-384 hash:	963ad1e98ff09479d2885e6c5f3afb12d8eb64d6584f544f16c14dbed265041ce8dd9df77f962cbb643587455dbcee4d
SHA1 hash:	9bcb5ca6600ef4373923b7706138b69695678f2e
MD5 hash:	9f2440e8a4a561d80fabd0550927fd94
humanhash:	autumn-washington-monkey-table
File name:	李济浙直播助手(32版本以上)V1.2.0.exe
Download:	download sample
Signature	XRed Create hunting rule
File size:	6'094'336 bytes
First seen:	2025-11-10 18:43:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	332f7ce65ead0adfb3d35147033aabe9 (81 x XRed, 18 x SnakeKeylogger, 7 x DarkComet)
ssdeep	98304:unsmtk2aQws2ANnKXOaeOgmhIguwdIaiqPNZVGEmmrQh1Sz1:wLrKXbeO7ugXviq3sEmmrl
Threatray	151 similar samples on MalwareBazaar
TLSH	T1ED56CF13B1860536C2854A31CD63DAB24B3A7E6D2BF74977BAD87DC8BF392403D25612
TrID	47.6% (.EXE) Inno Setup installer (107240/4/30) 19.1% (.EXE) InstallShield setup (43053/19/16) 18.4% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 4.6% (.EXE) Win64 Executable (generic) (10522/11/4) 4.4% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
Magika	pebin
Reporter	juroots
Tags:	exe xred

Intelligence

File Origin

# of uploads :

# of downloads :

176

Origin country :

Vendor Threat Intelligence

Malware family:

gh0st

ID:

File name:

E69D8EE6B58EE6B599E79BB4E692ADE58AA9E6898B2832E78988E69CACE4BBA5E4B88A29V1.2.0.exe

Verdict:

Malicious activity

Analysis date:

2025-11-10 18:34:02 UTC

Tags:

gh0st rat xred backdoor zegost loader sainbox auto-reg upx delphi dyndns snake keylogger inno installer

Link:

https://app.any.run/tasks/e63d64ba-f55b-455c-a20b-f22eebb3f727

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

PCRat

Link:

https://www.capesandbox.com/analysis/36727/

Detection(s):

Win.Trojan.Zegost-9763840-0

Win.Malware.Farfli-9832713-0

Win.Trojan.Emotet-9850453-0

Win.Trojan.Generic-9908305-0

Win.Trojan.Generic-9936029-0

Win.Trojan.Razy-9938962-0

Win.Dropper.Midie-9942397-0

Win.Trojan.Generickdz-10010918-0

Win.Malware.Flystudio-10011070-0

Win.Trojan.Generickdz-10015217-0

Win.Trojan.Generic-6305873-0

Win.Malware.Delf-6899401-0

TwinWave.EvilDoc.PKILLDropboxMacroDirectDownload.20220331.UNOFFICIAL

SecuriteInfo.com.Other.Malware-gen.4213.13336.UNOFFICIAL

MiscreantPunch.EvilMacro.PVDISABLE.170819.UNOFFICIAL

TwinWave.EvilDoc.PolicyKillOnlyHappyWhenItRains.20210704.UNOFFICIAL

TwinWave.EvilDoc.HanciInterruptMyDayHandler.20210721.UNOFFICIAL

Xls.Dropper.Agent-7382066-0

SecuriteInfo.com.Win32.HLLW.Siggen.10555.UNOFFICIAL

PUA.Win.Packer.D1s1g-5

PUA.Win.Packer.D1s1g-1

PUA.Win.Packer.D1s1g-2

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69123019e2c9ded75d79162a

Tags:

darkkomet delphi emotet madi

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Gathering data

Verdict:

Malicious

Labled as:

Trojan.DarkKomet

Link:

https://www.hybrid-analysis.com/sample/19e59830b3b6742b26575bc2b1ec3276a5d7d75a7f3c92bf0cf5762f07e9f660

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-11-10T15:47:00Z UTC

Last seen:

2025-11-10T17:14:00Z UTC

Hits:

~100

Detections:

Backdoor.Win32.DarkKomet.hqxy VHO:Trojan.MSOffice.SAgent.gen Trojan.Win32.Agentb.jrhy HEUR:Trojan-Downloader.Script.Generic Backdoor.Win32.Farfli.sb BSS:Exploit.Win32.Generic PDM:Trojan.Win32.Generic Trojan.Win32.Antavmu.sb Trojan-Spy.Win64.Agent.sb HEUR:Trojan-Ransom.Win32.Gen.gen HEUR:Backdoor.Win32.Farfli.gen Backdoor.Win32.Zegost.sb Worm.Win32.VBNA Trojan.Win32.XRed.sb Rootkit.Win64.Agent.bgp HEUR:Trojan.Win32.Generic HEUR:Trojan.Win32.Agent.gen HEUR:Trojan.Script.Generic HEUR:Backdoor.Win32.Generic HEUR:Backdoor.Win32.Convagent.gen Trojan.MSOffice.SAgent.sb BSS:Trojan.Win32.Generic Trojan.Win32.Antavmu.atoy Trojan.Win32.Agent.sb HEUR:Trojan-Downloader.MSOffice.Agent.gen HEUR:Backdoor.Win32.Zegost.gen Trojan.Win64.PhantomP.sb VHO:Trojan-Downloader.MSOffice.Agent.gen Trojan-Spy.Win32.Agent.sb Trojan-Dropper.Win32.Dorifel.sbd Backdoor.Agent.HTTP.C&C Backdoor.Zegost.TCP.C&C Trojan.Win32.Farfli.sb Trojan.XRed.UDP.C&C not-a-virus:RiskTool.Win32.FlyStudio.sb

Link:

https://opentip.kaspersky.com/19e59830b3b6742b26575bc2b1ec3276a5d7d75a7f3c92bf0cf5762f07e9f660/results?tab=lookup

Malware family:

XRed

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/11656567-d38c-4338-92e2-534f6d7b6b8c

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/19e59830b3b6742b26575bc2b1ec3276a5d7d75a7f3c92bf0cf5762f07e9f660

Verdict:

Malware

YARA:

5 match(es)

Tags:

ADODB.Stream Blacklist VBA Corrupted Executable Office Document PE (Portable Executable) PE File Layout scripting.filesystemobject Win 32 Exe WinHttp.WinHttpRequest.5 WinHttp.WinHttpRequest.5.1 WScript.Shell x86

Link:

https://app.malva.re/file/9f2440e8a4a561d80fabd0550927fd94

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/19e59830b3b6742b26575bc2b1ec3276a5d7d75a7f3c92bf0cf5762f07e9f660/

Verdict:

Malicious

Threat:

Family.GH0STRAT

Link:

https://tip.neiki.dev/file/19e59830b3b6742b26575bc2b1ec3276a5d7d75a7f3c92bf0cf5762f07e9f660

Threat name:

Win32.Trojan.Synaptics

Status:

Malicious

First seen:

2025-11-10 18:34:03 UTC

File Type:

PE (Exe)

Extracted files:

208

AV detection:

23 of 24 (95.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dhszqmftwz2cwjsxlpbld3bso2s5pv22p46jfpym6v3c6b7j6zqa._file

Verdict:

malicious

Label(s):

xredbackdoor

XRed

61437d273cb1204be0e52d3bc516ea98a6eadcfd044bdf034669773893b58a64

XRed

924a1f82d9119bdfe5cbb6a3eb843596869cf5f83740c631f4f373203156a363

XRed

df8d2aa31a1e622f675b28f46e5eb8d50e61606c5e182969b0376d0d1915062b

XRed

error

XRed

fdd36a586f4979bb696ae7863c45e7332a6e318ef3a6189e1adec270fa698bb6

XRed

+ 141 additional samples on MalwareBazaar

Result

Malware family:

xred

Score:

10/10

Tags:

family:xred backdoor discovery persistence

Link:

https://tria.ge/reports/251110-xd8zcatndt/

Behaviour

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Adds Run key to start application

Xred

Xred family

Malware Config

C2 Extraction:

xred.mooo.com

Verdict:

Malicious

Tags:

backdoor xred_backdoor trojan Win.Trojan.Zegost-9763840-0

YARA:

mal_xred_backdoor Windows_Generic_Threat_3f060b9c

Link:

https://app.threat.zone/submission/0a7dd09b-da28-4d60-96aa-f293a2a96266

Unpacked files

SH256 hash:

19e59830b3b6742b26575bc2b1ec3276a5d7d75a7f3c92bf0cf5762f07e9f660

MD5 hash:

9f2440e8a4a561d80fabd0550927fd94

SHA1 hash:

9bcb5ca6600ef4373923b7706138b69695678f2e

Link:

https://www.unpac.me/results/07d4a534-bdae-4ec9-a142-d512eaaaeb09/

SH256 hash:

e61b0a752fcbebb67e14151fafdcfc52503e42cc2bc1fea7e339b4ca8e66234f

MD5 hash:

15fd1ca46226f56e9ef919c5dbb3682d

SHA1 hash:

62a433d5e8ec42137d76bb5a02b8b218be15da11

Link:

https://www.unpac.me/results/07d4a534-bdae-4ec9-a142-d512eaaaeb09/

SH256 hash:

ccc4540a14745f7ee096e24ae1cc177544620952cae99582b98534040059b5c7

MD5 hash:

6764f6c1a8f8d973509740ef20f3fe4e

SHA1 hash:

1abef6586edc15c86768fd00afbd86a21bfcbd20

Link:

https://www.unpac.me/results/07d4a534-bdae-4ec9-a142-d512eaaaeb09/

SH256 hash:

cac7320c0c27c473855ed825988a8c091c9d7fb822f4b9eff946861ee1eb8f47

MD5 hash:

0d92b5f7a0f338472d59c5f2208475a3

SHA1 hash:

088d253bb23f6222dcaf06f7a2430e3a059a35e7

Detections:

Hidden

cert_blocklist_5f78149eb4f75eb17404a8143aaeaed7

INDICATOR_TOOL_RTK_HiddenRootKit

Link:

https://www.unpac.me/results/07d4a534-bdae-4ec9-a142-d512eaaaeb09/

Parent samples :

364b087a1916c5f13675449a4470763adebd4977fc21ea2169d8d67b11e83ba7
089f7f88c1d64dcebf1042f481f17a7fb1fe6fc095cb5c9e10bbcb3f36a629ab
acb615b72532d8020f1fa9afa65c44bd67caa1ec83f39f4b029287e70c344d0b
37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad
3730e600a60fed05d20e23e9340e37e5f5f072e6d4801150326ff4e2a4fdb4c5
d3af6e62ef3ce968da90beb9be44b04948b996c3dda893ba425a1147eb7696ad
765e42948327b849c172f8c70617af6007e7f126c17bb56f490c10e12aa20492
dbaedcc548579a20fab98b28992301084fe27e91460fbdb2a6e00df5e58f52fe
e119f126968b206ebfbf49923c1aac3dbe948461ff38d9f638b6cdf12ff47560
502459f1d4325d917bf46a104cbc3255c29b88a787cd9f930462cfa1002134fd
fe8954c55b06912419f62ae4c04e19ba8d16a8d5098c28dfcc3c6ef04a154f49
ad7a76c684f1bd1910142d97a01fd6373a05872a0aefd213cf85e891428fdcc7
e65ce5d4d20836181fbc041ca28853c89946013e1ab7fcd7e0bb58442f274e0d
6d74ed0eda4cf7f7edb2f8982cc706e84a402008fc74f442d898da7d6be05143
0fca043ce6592269f8463ec4c803eabb3d09ff412401521090513e8310463fdb
179dab5fc5a32307466541f88cfc1992cb96664218711f6d525586976c9d44ad
f17af5296ff826f4199381574dccb3dcb8a5deeb811e40929f95c722ab70aeb7
9740fb71580a1e6809c694ebd1aa132e76d0dc985dbc0721ae6590f3bf5ed19b
1d83bdba4198a28193b93de0f88fa79bb7ff17249b54654c07cb11a27e708644
d8162221ce6d607b5fe77565f53c5310bfaff050b0c26abe2ca9b9ebdb9ad51f
cebf76deabb47efe7ad3769c0586815d1d45e2ef9718057de77abb46b554f6f4
794ec24e28f6351c9ad2c04101d774e9763f4f444cfb7c15da782922c6f07e69
48956128660f7a745aa918eac38e5baacdae1bc0809503f2a2c3f2b79507e3ff
f036b3031238597750e077c2d03b2bc41d089f9db461244059db8485fac28e63
57eff460128e65204d46aa5a0012f8ba4758fa76a74d9dabe5d4b4b0bd1b11cc
613a829a972efe001e9f1a4e067b560db96acd44161d91d6daf5d6489f686938
94beb32181e321ef10e85ee652f1ef1e602c252d6c7d4593c556a6bfcec1d4f0
fda844b16b91a38417af25d13bd0992c3344de12ebcd0283732a3e0a6e91811d
bef42fdae71eff14767b54c660a42d7ab6fedf56ce74f8faa304a0e1b526fe4a
a2b98d6820777aaacdb0646a2836b3ebc809b3fe9eef65d201e2ff343580721c
0cb5c8e6987f74a213353851dc12b7b3a08130fd5ebb18f4455c659e8f46442f
b9d338ff7f7d63d28c765007e9e150b3c30a9acac1e16bfd0317d375b4fc6166
df60b74ff96bb320d1cf8d1a511c56bae2ca8d94ebb6566eca7b51c3521c0171
394ed5e270bb760bee2b5ffea56421afb2a22aff35d78d29da92842f606b8d53
9c0116c29d031bc42faaa5e312c7c6b99378ed115b069b2d6c2d228ae563375b
76a236349c0820e4dfba81e3382e50833ee238452c0c271d6a0cf83b4fcca235
1b6b8aa0a500b965193144be54ffe030e84f8e2936c3e92d4a2b05a8759944d3
2090bdae4d49cc0a20526b8d57c5928500eadab334764b89810e0b08f907308a
1a7fefa02913c1054e4f0e82c9de74e2fb526bd4a589e861fb4f7f57b31ef9c8
00c1314504b05c7fc7cc7280405f31165b9722c704520afef26aa88ff566b871
1fe21e70078942fa8dc7bccb5362e86b0e6340c533eb8e01b59e34a0dd61bd05
580e6c64ba71bf32dc63c34204dc48d17ff8de949c916f101e89472222b41a88
19e59830b3b6742b26575bc2b1ec3276a5d7d75a7f3c92bf0cf5762f07e9f660
c0839998e41d029efd4bb304440cd029acf32ce8f541be6f813c5c4d935e9350
1f8cdb119164550161cddba78f7d30f36cd3304dc4c127c37b15d3030b743b4b

SH256 hash:

3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

MD5 hash:

4a36a48e58829c22381572b2040b6fe0

SHA1 hash:

f09d30e44ff7e3f20a5de307720f3ad148c6143b

Link:

https://www.unpac.me/results/07d4a534-bdae-4ec9-a142-d512eaaaeb09/

SH256 hash:

388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

MD5 hash:

e4211d6d009757c078a9fac7ff4f03d4

SHA1 hash:

019cd56ba687d39d12d4b13991c9a42ea6ba03da

Link:

https://www.unpac.me/results/07d4a534-bdae-4ec9-a142-d512eaaaeb09/

SH256 hash:

b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2

MD5 hash:

c0ef4d6237d106bf51c8884d57953f92

SHA1 hash:

f1da7ecbbee32878c19e53c7528c8a7a775418eb

Link:

https://www.unpac.me/results/07d4a534-bdae-4ec9-a142-d512eaaaeb09/

SH256 hash:

bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c

MD5 hash:

8dc3adf1c490211971c1e2325f1424d2

SHA1 hash:

4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5

Link:

https://www.unpac.me/results/07d4a534-bdae-4ec9-a142-d512eaaaeb09/

SH256 hash:

fab012b54e904026517da86f3796b36259e172bfd20186fe6f2d95f227f164b3

MD5 hash:

dcb806ae35f2f45c9463cdb749172ac4

SHA1 hash:

d2b6866479e9660ed09db324cc1511bd54ca90fc

Link:

https://www.unpac.me/results/07d4a534-bdae-4ec9-a142-d512eaaaeb09/

SH256 hash:

fe04dd20c27d483e0ed1f07f39f2cf8f54f1e1af9ad794c9dfc4773a8fae7f60

MD5 hash:

8b1eda0bf1e445f16b910bc00b57d9b9

SHA1 hash:

5bbc680644c09a94d865c2440242a2eed1243d7f

Detections:

Hidden

potential_termserv_dll_replacement

Mimikatz_Strings

INDICATOR_TOOL_RTK_HiddenRootKit

MALWARE_Win_PCRat

check_installed_software

Link:

https://www.unpac.me/results/07d4a534-bdae-4ec9-a142-d512eaaaeb09/

Parent samples :

d62ee92b65a34ba6023b4f16dd7b8083a14a5d6bf4d99af6e82676f9d468b656
9f61a3757f737404c25a2837ddd1ff6c14dfe394127c8a94c5c10f00dfa34811
5830e0703e93cc2d8a1ba6377650ff5f7b8cbb36d58122c613fa56930f71a88d
90c52141e31399449a689286fcf58c94584a75f1fd7ad3bd39b5aac09adff639
dbaedcc548579a20fab98b28992301084fe27e91460fbdb2a6e00df5e58f52fe
e119f126968b206ebfbf49923c1aac3dbe948461ff38d9f638b6cdf12ff47560
502459f1d4325d917bf46a104cbc3255c29b88a787cd9f930462cfa1002134fd
394ed5e270bb760bee2b5ffea56421afb2a22aff35d78d29da92842f606b8d53
9c0116c29d031bc42faaa5e312c7c6b99378ed115b069b2d6c2d228ae563375b
1a7fefa02913c1054e4f0e82c9de74e2fb526bd4a589e861fb4f7f57b31ef9c8
19e59830b3b6742b26575bc2b1ec3276a5d7d75a7f3c92bf0cf5762f07e9f660

Malware family:

XRed

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/19e59830b3b6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/19e59830b3b6742b26575bc2b1ec3276a5d7d75a7f3c92bf0cf5762f07e9f660

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BobSoftMiniDelphiBoBBobSoft Create hunting rule
Author:	malware-lu

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	D1S1Gv11betaD1N Create hunting rule
Author:	malware-lu

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	vbaproject_bin Create hunting rule
Author:	CD_R0M_
Description:	{76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time

Rule name:	Windows_Generic_Threat_3f060b9c Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Gh0st_9e4bb0ce Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/36727/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample