MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5bcc445ac2d4f58aee6bf7c5c10f34136cdee1228f0faa3ded35f88b2c5d1073. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XRed


Vendor detections: 16


Intelligence 16 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5bcc445ac2d4f58aee6bf7c5c10f34136cdee1228f0faa3ded35f88b2c5d1073
SHA3-384 hash: 23537025605915ad7dc6aaf358343a971ebd27a56519910b53db60af2a038220c1574b28264cface446803e417f4b9e0
SHA1 hash: d1cf497e77bd69a15cfce114284c0d8f3b2bb7c7
MD5 hash: ab75f20fe261dbe11a6db55c76e98f6e
humanhash: timing-hot-iowa-river
File name:PC900-1new.exe
Download: download sample
Signature XRed
Create hunting rule
File size:3'289'088 bytes
First seen:2025-03-24 03:23:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 332f7ce65ead0adfb3d35147033aabe9 (82 x XRed, 18 x SnakeKeylogger, 7 x DarkComet)
ssdeep 49152:snsHyjtk2MYC5GDB5U+jOuia/5LKqLhI8JbWYBiCKhSOoSvbJw5T4Dx:snsmtk2a6pjOpahKqLhx8BKewGx
Threatray 322 similar samples on MalwareBazaar
TLSH T185E5DF12FB92447BC2538935AF2B9BB99E76BC925E34631B77D93E0C1E701809936307
TrID 77.6% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
6.9% (.EXE) Win32 EXE PECompact compressed (v2.x) (59069/9/14)
5.0% (.EXE) InstallShield setup (43053/19/16)
4.8% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
1.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
Magika pebin
dhash icon 89adace1e18e0183 (1 x XRed)
Reporter qux_bbb
Tags:DarkKomet exe Synares xred

Intelligence

File Origin
# of uploads :
1
# of downloads :
384
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PC900-1new.exe
Verdict:
Malicious activity
Analysis date:
2025-03-24 03:26:35 UTC
Tags:
xred backdoor delphi dyndns
Link:
https://app.any.run/tasks/c363bd0a-5908-4339-9201-520d537420bd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67e197fdbb84e066269e9277
Tags:
dropper delphi virus smtp
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Moving a recently created file
Creating a file in the %temp% subdirectories
Searching for the window
Moving a file to the %temp% subdirectory
Modifying an executable file
DNS request
Connection attempt
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Infecting executable files
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context autorun borland_delphi cmd darkkomet dropper emotet evasive explorer fingerprint fingerprint hacktool keylogger lolbin macros-on-open optix packed packed packer_detected remote
Link:
https://www.filescan.io/uploads/67e0d074a175d31773464c06/reports/5971f48d-c7f2-49ea-ad2a-865d6b4768f1/overview
Verdict:
Malicious
Labled as:
Trojan.DarkKomet
Link:
https://www.hybrid-analysis.com/sample/5bcc445ac2d4f58aee6bf7c5c10f34136cdee1228f0faa3ded35f88b2c5d1073
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
XRed
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/02f89999-c4e1-4580-a5ff-9e6ceeaa512e
Result
Threat name:
XRed
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
66 / 100
Link:
https://www.joesandbox.com/analysis/1646503
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Drops PE files to the document folder of the user
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Suricata IDS alerts for network traffic
Uses dynamic DNS services
Yara detected XRed
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1646503 Sample: PC900-1new.exe Startdate: 24/03/2025 Architecture: WINDOWS Score: 66 49 freedns.afraid.org 2->49 51 xred.mooo.com 2->51 53 7 other IPs or domains 2->53 63 Suricata IDS alerts for network traffic 2->63 65 Found malware configuration 2->65 67 Antivirus detection for dropped file 2->67 71 11 other signatures 2->71 8 PC900-1new.exe 1 6 2->8         started        11 EXCEL.EXE 229 56 2->11         started        signatures3 69 Uses dynamic DNS services 49->69 process4 dnsIp5 25 C:\Users\user\...\._cache_PC900-1new.exe, PE32 8->25 dropped 27 C:\ProgramData\Synaptics\Synaptics.exe, PE32 8->27 dropped 29 C:\ProgramData\Synaptics\RCXA661.tmp, PE32 8->29 dropped 31 C:\...\Synaptics.exe:Zone.Identifier, ASCII 8->31 dropped 14 ._cache_PC900-1new.exe 57 8->14         started        17 Synaptics.exe 77 8->17         started        55 s-part-0044.t-0009.t-msedge.net 13.107.246.72, 443, 49887, 49888 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 11->55 file6 process7 dnsIp8 33 C:\Users\user~1\AppData\...\isrt.dll (copy), PE32 14->33 dropped 35 C:\Users\user~1\AppData\...\_IsRes.dll (copy), PE32 14->35 dropped 37 C:\Users\user~1\...\_ISUser.dll (copy), PE32 14->37 dropped 41 12 other malicious files 14->41 dropped 21 ISBEW64.exe 14->21         started        43 docs.google.com 142.251.40.142, 443, 49684, 49685 GOOGLEUS United States 17->43 45 drive.usercontent.google.com 142.251.40.97, 443, 49688, 49689 GOOGLEUS United States 17->45 47 freedns.afraid.org 69.42.215.252, 49691, 80 AWKNET-LLCUS United States 17->47 39 C:\Users\user\DocumentsIVQSAOTAQ\~$cache1, PE32 17->39 dropped 57 Antivirus detection for dropped file 17->57 59 Multi AV Scanner detection for dropped file 17->59 61 Drops PE files to the document folder of the user 17->61 23 WerFault.exe 21 16 17->23         started        file9 signatures10 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5bcc445ac2d4f58aee6bf7c5c10f34136cdee1228f0faa3ded35f88b2c5d1073
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5bcc445ac2d4f58aee6bf7c5c10f34136cdee1228f0faa3ded35f88b2c5d1073/
Threat name:
Win32.Worm.Zorex
Create hunting rule
Status:
Malicious
First seen:
2025-02-05 13:30:44 UTC
File Type:
PE (Exe)
Extracted files:
472
AV detection:
24 of 24 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lpgeiwwc2t2yv3tl67c4cdzucnwn5yjcr4h2uppngx4iwlc5cbzq._file
Verdict:
malicious
Label(s):
darkcomet
Create hunting rule
Similar samples:
2093c40693b6684ea3eb4c6fccec07b765551b3c0f28cb6f14543aef86fdce3f
XRed
22d71939ba6e7ed1949625c1ba4e8a40b1bf96c222445a94fd2a94bcb26cffb8
XRed
2a2ad63697f1d33e2369939accea85001bd6e496acbf5dda317f92ee6add5148
XRed
3c80fd894036f549fb831d271595df775ebaba7d98fdeea579bfae3c9d42ec53
XRed
5bcc445ac2d4f58aee6bf7c5c10f34136cdee1228f0faa3ded35f88b2c5d1073
XRed
82a431e9bc593e7ad45c6a18462ff518ab2b15128a8560638dc799677547177f
XRed
error
XRed
+ 312 additional samples on MalwareBazaar
Result
Malware family:
xred
Create hunting rule
Score:
  10/10
Tags:
family:xred backdoor discovery macro persistence privilege_escalation
Link:
https://tria.ge/reports/250324-dx26csvxg1/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Suspicious Office macro
Xred
Xred family
Malware Config
C2 Extraction:
xred.mooo.com
Verdict:
Malicious
Tags:
backdoor xred_backdoor Win.Trojan.Emotet-9850453-0
YARA:
mal_xred_backdoor
Link:
https://app.threat.zone/submission/4655ae36-c675-4d40-b860-e44222a6cdaf
Unpacked files
SH256 hash:
5bcc445ac2d4f58aee6bf7c5c10f34136cdee1228f0faa3ded35f88b2c5d1073
MD5 hash:
ab75f20fe261dbe11a6db55c76e98f6e
SHA1 hash:
d1cf497e77bd69a15cfce114284c0d8f3b2bb7c7
Link:
https://www.unpac.me/results/02eeb88c-cdc2-41ee-9276-ae04e715e355/
SH256 hash:
e66e553b21648a8a91527c86647f2a5e458949e35fc396d93b3c72f7eb973350
MD5 hash:
617a53d746b624709ab8ca5619cffd3f
SHA1 hash:
667562d3f069db5beb93205d24d7df8061a77f8d
Link:
https://www.unpac.me/results/02eeb88c-cdc2-41ee-9276-ae04e715e355/
SH256 hash:
dee17752338d90f779bed594dd779d716424d7d4d1a81054f39f9295f17b7361
MD5 hash:
370b39a15697d0fedb0fd5810aa2e4fb
SHA1 hash:
9a074d81105c79b2675aff664ea0ac4dae8bfe76
Link:
https://www.unpac.me/results/02eeb88c-cdc2-41ee-9276-ae04e715e355/
SH256 hash:
b4a6ba0f5cf828c5577c60a15e488db5573303bfecdba0f02193f6d3b8825324
MD5 hash:
6c0bbc1dcb7898b35ac33a0ab77d31d3
SHA1 hash:
c929da0b734db68df5629da1269629bfded66b9a
Link:
https://www.unpac.me/results/02eeb88c-cdc2-41ee-9276-ae04e715e355/
SH256 hash:
dd85cdadeec8d9578aae60b0d03285f2276d061df8597ab6a5e59e567627394f
MD5 hash:
34741223a357acb94499d7fa4d8d60e7
SHA1 hash:
ccb21fc1475e1536d256b648070dd5100845fec2
Link:
https://www.unpac.me/results/02eeb88c-cdc2-41ee-9276-ae04e715e355/
SH256 hash:
e2603a1b707d145cb62642b73330f8c156972da1652a1118b99fbabacacb2020
MD5 hash:
af1116b68bc7ab26b6343a9bc476ec82
SHA1 hash:
1dbfa9b6bf5ee53cb07896dac5f23352d4cb878c
Link:
https://www.unpac.me/results/02eeb88c-cdc2-41ee-9276-ae04e715e355/
SH256 hash:
b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2
MD5 hash:
c0ef4d6237d106bf51c8884d57953f92
SHA1 hash:
f1da7ecbbee32878c19e53c7528c8a7a775418eb
Link:
https://www.unpac.me/results/02eeb88c-cdc2-41ee-9276-ae04e715e355/
SH256 hash:
b7a82904d92b096cb6ab537365f9c7f24b1ecefaa6ea7974c24e8102b1746f4b
MD5 hash:
6f58a1d8e7b031c6f2a60ba04d1a0b7d
SHA1 hash:
64ced7781de492d15f0d443faffd2d0244b43e56
Link:
https://www.unpac.me/results/02eeb88c-cdc2-41ee-9276-ae04e715e355/
SH256 hash:
13223e7fbeb3dac968de77e6be974a36f86dc07884cc0e80eabf8b817ccb4a04
MD5 hash:
6c48e05107eb494620ab0dc96d3c5b80
SHA1 hash:
e6ced277de082bd8e2ccbfad7a1d5cd1e9db85ab
Link:
https://www.unpac.me/results/02eeb88c-cdc2-41ee-9276-ae04e715e355/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5bcc445ac2d4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5bcc445ac2d4f58aee6bf7c5c10f34136cdee1228f0faa3ded35f88b2c5d1073

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:D1S1Gv11betaD1N
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:vbaproject_bin
Create hunting rule
Author:CD_R0M_
Description:{76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://www.huorong.cn/document/tech/vir_report/1813
  
Delivery method
Other

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::AdjustTokenPrivileges
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteExA
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessA
advapi32.dll::OpenProcessToken
kernel32.dll::OpenProcess
kernel32.dll::CloseHandle
wininet.dll::InternetCloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::TerminateProcess
kernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryA
kernel32.dll::GetDriveTypeA
kernel32.dll::GetSystemInfo
kernel32.dll::GetStartupInfoA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CopyFileA
kernel32.dll::CreateDirectoryA
kernel32.dll::CreateFileA
kernel32.dll::CreateFileMappingA
kernel32.dll::DeleteFileA
kernel32.dll::MoveFileA
WIN_BASE_USER_APIRetrieves Account Informationkernel32.dll::GetComputerNameA
advapi32.dll::GetUserNameA
advapi32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegCreateKeyExA
advapi32.dll::RegNotifyChangeKeyValue
advapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
advapi32.dll::RegSetValueExA
WIN_SVC_APICan Manipulate Windows Servicesadvapi32.dll::OpenSCManagerA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::FindWindowA
user32.dll::PeekMessageA
user32.dll::CreateWindowExA

Comments