MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44d5e912b8ef69914ba4ba6064dcded455f65e53ae2cfe4addee0f597b51e2c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



XRed


Vendor detections: 10



SHA256 hash: 44d5e912b8ef69914ba4ba6064dcded455f65e53ae2cfe4addee0f597b51e2c1
SHA3-384 hash: 3399124a817fb05044c238fa9e4fdc59d0028a50fdde4900eff0beeea3aed0b58d8aafceb91daec36d467a689ed4e08f
SHA1 hash: 7a469f97c2e5d0dc1b786d89fc90c11a413275a5
MD5 hash: 2bf2f38caab1fe7c657d29984c228b71
humanhash: sierra-may-neptune-juliet
File name: Open Purchase Order Summary Sheet.vbs
Signature: XRed
File size: 641 bytes
First seen: 2024-12-30 10:27:14 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/x-asm
ssdeep: 12:qDTRPhvAHZsAbs1vWdEV7wsk/CxbDNfb852ms2/bFNQHJ5xDzVs4vl7iajIlEjv:OTRPm9bs1AwkIbDNDSbbFNQvxDq4d7vP
Threatray: 2'114 similar samples on MalwareBazaar
TLSH: T166F0230ADC00DAE6063BF5E07552B429D5E30449B2B862252681DD5E5E0C3C91C0089B
Magika: vba
Reporter: JAMESWT_WT
Tags: knkbkk212 vbs xred

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 124
Origin country: IT
Vendor Threat Intelligence

Verdict: Malicious
Score: 99.9%
Tags: autorun autoit delphi emotet

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: autoit cmd dropper fingerprint keylogger lolbin masquerade packed persistence remote

Result
Verdict: UNKNOWN

Result
Threat name: LodaRAT, XRed
Detection: malicious
Classification: troj.adwa.expl.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Drops PE files to the document folder of the user
Drops PE files to the startup folder
Found API chain indicative of sandbox detection
Found malware configuration
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (has network functionality)
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected LodaRAT
Yara detected XRed
Behaviour
Behavior Graph (ID 1582355; sample: Open Purchase Order Summary...; start date: 30/12/2024; architecture: WINDOWS; score: 100)
Threat name: Win32.Trojan.Valyria
Status: Malicious
First seen: 2024-12-30 10:16:12 UTC
File Type: Text (VBS)
AV detection: 10 of 38 (26.32%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:xred backdoor discovery macro persistence
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Modifies system certificate store
NTFS ADS
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
AutoIT Executable
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Suspicious Office macro
Xred
Xred family
Malware Config
C2 Extraction: xred.mooo.com
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments