MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a7fefa02913c1054e4f0e82c9de74e2fb526bd4a589e861fb4f7f57b31ef9c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XRed

Vendor detections: 19

SHA256 hash: 1a7fefa02913c1054e4f0e82c9de74e2fb526bd4a589e861fb4f7f57b31ef9c8
SHA3-384 hash: c114c6164714b9691f30035ff7c0afeae9c314dd269cf5750dafa95a2c53a2ecb647d7c330a49529d5fbcac27f6d1979
SHA1 hash: 5af67dbf3da8aceea9dc6d30385cfbf594d534e3
MD5 hash: 845010e5afaff2737a34b9e53bacb2c5
humanhash: steak-aspen-princess-ack
File name: 和平模拟测绘.exe
Signature: XRed
File size: 4'624'414 bytes
First seen: 2025-06-13 20:37:07 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: eeac73be37480fd144f387e3563a0f14 (13 x Gh0stRAT, 2 x N-W0rm, 1 x XRed)
ssdeep: 49152:ZCwsbCANnKXferL7Vwe/Gg0P+WhfnsHyjtk2MYC5GDFHPkVOBTKF:Uws2ANnKXOaeOgmhfnsmtk2aTO0F
Threatray: 38 similar samples on MalwareBazaar
TLSH: T1A226F40666920122C3842734FDE695A2CF143F6F1BF581353E666DCC7D2620EBDB2A79
TrID: 34.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      18.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      11.6% (.EXE) Win64 Executable (generic) (10522/11/4)
      11.0% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
      7.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Magika: pebin
dhash icon: f0d0e8cccce8d0f0 (1 x XRed)
Reporter: GDHJDSYDH1
Tags: backdoor exe gh0st Gh0stRAT Loader PurpleFox xred


GDHJDSYDH1
More Reference: https://tria.ge/250613-zaqdyazmw6

Intelligence


File Origin
# of uploads: 1
# of downloads: 880
Origin country: US
Vendor Threat Intelligence
Malware family:
ID: 1
File name: 27070026-fb21-4a46-87dd-7e8bab40880e
Verdict: Malicious activity
Analysis date: 2025-06-13 20:31:07 UTC
Tags: zegost loader gh0st rat sainbox xred backdoor auto-reg delphi upx dyndns

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: delphi farfli zegost emotet
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating synchronization primitives
Creating a file in the Windows subdirectories
Creating a service
Launching a service
Launching a process
Searching for synchronization primitives
Creating a file in the drivers directory
Loading a system driver
Running batch commands
Creating a process with a hidden window
DNS request
Creating a file
Enabling autorun for a service
Result
Threat name: Gh0stCringe, Mimikatz, RunningRAT, XRed
Detection: malicious
Classification: bank.troj.spyw.expl.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks if browser processes are running
Connects to many ports of the same IP (likely port scanning)
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionality to modify windows services which are used for security filtering and protection
Creates a Windows Service pointing to an executable in C:\Windows
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the document folder of the user
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Found stalling execution ending in API Sleep call
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
Sample is not signed and drops a device driver
Suricata IDS alerts for network traffic
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Gh0stCringe
Yara detected Mimikatz
Yara detected RunningRAT
Yara detected XRed
Behaviour
Behavior Graph (ID: 1714341; sample: 和平模拟测绘.exe, shown in the graph as #U548c#U5e73#U6a21#U62df#U6d4b#U7ed8.exe; start date: 13/06/2025; architecture: WINDOWS; score: 100). The graph image itself is not preserved; the nodes and edges it contained are listed below.

Root-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 22 other signatures.

Contacted hosts:
  freedns.afraid.org (69.42.215.252, port 80, AWKNET-LLCUS, United States); signature: Uses dynamic DNS services
  hackerinvasion.f3322.net
  gtm-a1.luyouxia.net (124.248.69.230, port 21738), 124.248.67.212 (port 21738), 124.248.70.232 (port 21738); CT-HANGZHOU-IDCNo288Fu-chunRoadCN, China; connected to by sainbox.exe
  docs.google.com (142.251.40.110, port 443), drive.usercontent.google.com (142.251.40.225, port 443); GOOGLEUS, United States; connected to by Synaptics.exe
  s-part-0012.t-0009.t-msedge.net (13.107.246.40, port 443, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)
  127.0.0.1 (PING.EXE)
  13 other IPs or domains

Process tree:
  和平模拟测绘.exe (submitted sample)
    dropped: HD_和平模拟测绘.exe (PE32); C:\Users\user\AppData\Local\...\RCXBA19.tmp (PE32); C:\Users\user\AppData\Local\Temp\R.exe (PE32); 2 other malicious files
    started: HD_和平模拟测绘.exe, N.exe, R.exe
    HD_和平模拟测绘.exe
      dropped: ._cache_HD_和平模拟测绘.exe (PE32); C:\ProgramData\Synaptics\Synaptics.exe (PE32); C:\ProgramData\Synaptics\RCXBB32.tmp (PE32)
      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
      started: ._cache_HD_和平模拟测绘.exe, Synaptics.exe
      ._cache_HD_和平模拟测绘.exe
        dropped: C:\Program Files (x86)\...\sainbox.exe (PE32)
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Found evasive API chain (may stop execution after checking mutex); 6 other signatures
        started: cmd.exe (signature: Uses ping.exe to sleep), which started conhost.exe and PING.EXE
      Synaptics.exe
        dropped: C:\Users\user\DocumentsIVQSAOTAQ\~$cache1 (PE32); C:\Users\user\AppData\Local\...\RCXC5B3.tmp (PE32); C:\Users\user\AppData\Local\...\RCXC053.tmp (PE32); C:\Users\user\AppData\Local\...99nJ7oHjb.exe (PE32)
        signatures: Drops PE files to the document folder of the user
        started: WerFault.exe (twice)
    N.exe
      dropped: C:\Windows\SysWOW64\TXPlatfor.exe (PE32)
      started: cmd.exe (signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks), which started PING.EXE (to 127.0.0.1) and conhost.exe
    R.exe
      dropped: C:\Windows\SysWOW64\3911718.txt (PE32)
      signatures: Creates a Windows Service pointing to an executable in C:\Windows
  TXPlatfor.exe
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Drops executables to the windows directory (C:\Windows) and starts them
    started: TXPlatfor.exe
      dropped: C:\Windows\System32\drivers\QAssist.sys (PE32+)
      signatures: Sample is not signed and drops a device driver
  svchost.exe
    dropped: C:\Windows\SysWOW64\Remote Data.exe (PE32)
    started: Remote Data.exe (signature: Opens the same file many times (likely Sandbox evasion))
  12 other processes
    network: s-part-0012.t-0009.t-msedge.net
    signatures: Changes security center settings (notifications, updates, antivirus, firewall); Checks if browser processes are running; Contains functionality to detect sleep reduction / modifications
    started: sainbox.exe (connects to the 124.248.x.x hosts on port 21738 listed above), MpCmdRun.exe (which started conhost.exe), WerFault.exe (twice)
Threat name: Win32.Trojan.Synaptics
Status: Malicious
First seen: 2025-06-13 20:31:09 UTC
File Type: PE (Exe)
Extracted files: 200
AV detection: 34 of 37 (91.89%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:gh0strat family:purplefox family:xred discovery persistence rat rootkit trojan upx
Behaviour
Runs ping.exe
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in System32 directory
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Drivers directory
Server Software Component: Terminal Services DLL
Sets service image path in registry
Detect PurpleFox Rootkit
Gh0st RAT payload
Gh0strat
Gh0strat family
PurpleFox
Purplefox family
Malware Config
C2 Extraction: xred.mooo.com
Verdict: Malicious
Tags: backdoor xred_backdoor trojan Win.Trojan.Zegost-9763840-0
YARA: mal_xred_backdoor Windows_Generic_Threat_3f060b9c
Unpacked files
SHA256 hash: 1a7fefa02913c1054e4f0e82c9de74e2fb526bd4a589e861fb4f7f57b31ef9c8
MD5 hash: 845010e5afaff2737a34b9e53bacb2c5
SHA1 hash: 5af67dbf3da8aceea9dc6d30385cfbf594d534e3
SHA256 hash: cac7320c0c27c473855ed825988a8c091c9d7fb822f4b9eff946861ee1eb8f47
MD5 hash: 0d92b5f7a0f338472d59c5f2208475a3
SHA1 hash: 088d253bb23f6222dcaf06f7a2430e3a059a35e7
Detections: Hidden cert_blocklist_5f78149eb4f75eb17404a8143aaeaed7 INDICATOR_TOOL_RTK_HiddenRootKit
Parent samples:
SHA256 hash: 6cce28b275d5ec20992bb13790976caf434ab46ddbfd5cfd431d33424943122b
MD5 hash: 4e34c068e764ad0ff0cb58bc4f143197
SHA1 hash: 1a392a469fc8c65d80055c1a7aaee27bf5ebe7c4
Detections: Hidden cert_blocklist_5f78149eb4f75eb17404a8143aaeaed7 INDICATOR_TOOL_RTK_HiddenRootKit
Parent samples:
364b087a1916c5f13675449a4470763adebd4977fc21ea2169d8d67b11e83ba7
089f7f88c1d64dcebf1042f481f17a7fb1fe6fc095cb5c9e10bbcb3f36a629ab
acb615b72532d8020f1fa9afa65c44bd67caa1ec83f39f4b029287e70c344d0b
37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad
3730e600a60fed05d20e23e9340e37e5f5f072e6d4801150326ff4e2a4fdb4c5
d3af6e62ef3ce968da90beb9be44b04948b996c3dda893ba425a1147eb7696ad
765e42948327b849c172f8c70617af6007e7f126c17bb56f490c10e12aa20492
dbaedcc548579a20fab98b28992301084fe27e91460fbdb2a6e00df5e58f52fe
e119f126968b206ebfbf49923c1aac3dbe948461ff38d9f638b6cdf12ff47560
502459f1d4325d917bf46a104cbc3255c29b88a787cd9f930462cfa1002134fd
fe8954c55b06912419f62ae4c04e19ba8d16a8d5098c28dfcc3c6ef04a154f49
ad7a76c684f1bd1910142d97a01fd6373a05872a0aefd213cf85e891428fdcc7
e65ce5d4d20836181fbc041ca28853c89946013e1ab7fcd7e0bb58442f274e0d
6d74ed0eda4cf7f7edb2f8982cc706e84a402008fc74f442d898da7d6be05143
0fca043ce6592269f8463ec4c803eabb3d09ff412401521090513e8310463fdb
179dab5fc5a32307466541f88cfc1992cb96664218711f6d525586976c9d44ad
f17af5296ff826f4199381574dccb3dcb8a5deeb811e40929f95c722ab70aeb7
9740fb71580a1e6809c694ebd1aa132e76d0dc985dbc0721ae6590f3bf5ed19b
1d83bdba4198a28193b93de0f88fa79bb7ff17249b54654c07cb11a27e708644
d8162221ce6d607b5fe77565f53c5310bfaff050b0c26abe2ca9b9ebdb9ad51f
cebf76deabb47efe7ad3769c0586815d1d45e2ef9718057de77abb46b554f6f4
794ec24e28f6351c9ad2c04101d774e9763f4f444cfb7c15da782922c6f07e69
48956128660f7a745aa918eac38e5baacdae1bc0809503f2a2c3f2b79507e3ff
f036b3031238597750e077c2d03b2bc41d089f9db461244059db8485fac28e63
57eff460128e65204d46aa5a0012f8ba4758fa76a74d9dabe5d4b4b0bd1b11cc
613a829a972efe001e9f1a4e067b560db96acd44161d91d6daf5d6489f686938
94beb32181e321ef10e85ee652f1ef1e602c252d6c7d4593c556a6bfcec1d4f0
fda844b16b91a38417af25d13bd0992c3344de12ebcd0283732a3e0a6e91811d
bef42fdae71eff14767b54c660a42d7ab6fedf56ce74f8faa304a0e1b526fe4a
a2b98d6820777aaacdb0646a2836b3ebc809b3fe9eef65d201e2ff343580721c
0cb5c8e6987f74a213353851dc12b7b3a08130fd5ebb18f4455c659e8f46442f
b9d338ff7f7d63d28c765007e9e150b3c30a9acac1e16bfd0317d375b4fc6166
df60b74ff96bb320d1cf8d1a511c56bae2ca8d94ebb6566eca7b51c3521c0171
394ed5e270bb760bee2b5ffea56421afb2a22aff35d78d29da92842f606b8d53
9c0116c29d031bc42faaa5e312c7c6b99378ed115b069b2d6c2d228ae563375b
76a236349c0820e4dfba81e3382e50833ee238452c0c271d6a0cf83b4fcca235
1b6b8aa0a500b965193144be54ffe030e84f8e2936c3e92d4a2b05a8759944d3
2090bdae4d49cc0a20526b8d57c5928500eadab334764b89810e0b08f907308a
1a7fefa02913c1054e4f0e82c9de74e2fb526bd4a589e861fb4f7f57b31ef9c8
00c1314504b05c7fc7cc7280405f31165b9722c704520afef26aa88ff566b871
1fe21e70078942fa8dc7bccb5362e86b0e6340c533eb8e01b59e34a0dd61bd05
c0839998e41d029efd4bb304440cd029acf32ce8f541be6f813c5c4d935e9350
1f8cdb119164550161cddba78f7d30f36cd3304dc4c127c37b15d3030b743b4b
SHA256 hash: 3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8
MD5 hash: 4a36a48e58829c22381572b2040b6fe0
SHA1 hash: f09d30e44ff7e3f20a5de307720f3ad148c6143b
SHA256 hash: cb372c805bb0e50c63496e94ff9b648d3fa614b3b9cc6381fbcf4c8e6f6cee55
MD5 hash: 7e1080f5288e2e034680a9fcaf5f4f90
SHA1 hash: c02499c76a81211e44def9dbcf9f92785b28e029
SHA256 hash: 9eb98a9b96ac5d9c53cec336c4d60ec3766a127086173344d41dd77f3c5e9417
MD5 hash: db4bc55b3f0bfe912b2cca9f380dcd4e
SHA1 hash: 4e4d23b2959f0f95a7b969ca2342c6ce96482e5c
Detections: mal_xred_backdoor
SHA256 hash: bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c
MD5 hash: 8dc3adf1c490211971c1e2325f1424d2
SHA1 hash: 4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5
SHA256 hash: b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2
MD5 hash: c0ef4d6237d106bf51c8884d57953f92
SHA1 hash: f1da7ecbbee32878c19e53c7528c8a7a775418eb
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Borland
Author: malware-lu
Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name: D1S1Gv11betaD1N
Author: malware-lu
Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: meth_stackstrings
Author: Willi Ballenthin
Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May Contain (Obfuscated or no) Powershell or CMD Command that can be abused by threat actor (can create FP)
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: vbaproject_bin
Author: CD_R0M_
Description: {76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time
Rule name: Windows_Generic_Threat_3f060b9c
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Malware family: XRed
File: Executable exe 1a7fefa02913c1054e4f0e82c9de74e2fb526bd4a589e861fb4f7f57b31ef9c8 (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high
CHECK_TRUST_INFO | Requires Elevated Execution (level:requireAdministrator) | high
Reviews
ID | Capabilities | Evidence
COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance
MULTIMEDIA_API | Can Play Multimedia | WINMM.dll::midiOutPrepareHeader, WINMM.dll::midiOutReset, WINMM.dll::midiOutUnprepareHeader, WINMM.dll::midiStreamClose, WINMM.dll::midiStreamOpen, WINMM.dll::midiStreamOut
SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteA, SHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessA, KERNEL32.dll::OpenProcess, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryExA, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::GetVolumeInformationA, KERNEL32.dll::GetStartupInfoA, KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::WinExec, KERNEL32.dll::SetStdHandle
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileA, KERNEL32.dll::CreateFileA, KERNEL32.dll::DeleteFileA, KERNEL32.dll::GetWindowsDirectoryA, KERNEL32.dll::GetSystemDirectoryA, KERNEL32.dll::GetFileAttributesA
WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegCreateKeyExA, ADVAPI32.dll::RegOpenKeyExA, ADVAPI32.dll::RegQueryValueA, ADVAPI32.dll::RegSetValueExA
WIN_USER_API | Performs GUI Actions | USER32.dll::AppendMenuA, USER32.dll::CreateMenu, USER32.dll::EmptyClipboard, USER32.dll::FindWindowA, USER32.dll::OpenClipboard, USER32.dll::PeekMessageA

Comments