MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f561ab384d65db9ee11a49b2f9d0a1e6758f9d0c6082f1e65821f6984fa2c71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



XRed


Vendor detections: 20



SHA256 hash: 6f561ab384d65db9ee11a49b2f9d0a1e6758f9d0c6082f1e65821f6984fa2c71
SHA3-384 hash: 1d825d902664f7f5854aebbd7578d6efdadddf85b86d4a07e52f54b62b512a104e6a587a8ab062876fde6ce28f757f45
SHA1 hash: 49f8fd5564751f4666f788b1792df0b903a8fef6
MD5 hash: fb7a0795cb78244f1bf3dca74dd54022
humanhash: chicken-iowa-utah-potato
File name: file
Signature: XRed
File size: 11'507'200 bytes
First seen: 2025-12-10 22:55:13 UTC
Last seen: 2025-12-10 22:57:18 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 332f7ce65ead0adfb3d35147033aabe9 (94 x XRed, 18 x SnakeKeylogger, 9 x DarkComet)
ssdeep 196608:nLIm4FXJv9lvJiYiH7WGSGiYyXD1Jw09vcj6YWgHqJpcdGTTpgq3edU8Fd62tp3c:nsrFVvJiY670HD/9/d2dGCq3mUedD3dq
Threatray 153 similar samples on MalwareBazaar
TLSH T1C3C63322F2D19437D1325A7DDC2BA2A45429FF103E24B94F7BE42E8C5F7968239641E3
TrID 93.3% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
1.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.4% (.EXE) Win64 Executable (generic) (10522/11/4)
1.4% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
0.6% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter Bitsight
Tags: dropped-by-amadey exe fbf543 xred


Bitsight
url: http://178.16.55.189/files/6456764503/Y511yIT.exe

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 134
Origin country: US
Vendor Threat Intelligence
Malware family:
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2025-12-10 22:57:46 UTC
Tags: xred backdoor auto-reg auto-sch delphi dyndns ms-smartcard stealer github rat njrat bladabindi winring0-sys vuln-driver auto-startup susp-powershell salatstealer golang upx

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: darkkomet autorun delphi
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: adaptive-context anti-debug autorun base64 borland_delphi cmd darkcomet darkkomet dllhost dropper evasive fingerprint installer-heuristic keylogger lolbin macros-on-open obfuscated optix packed reconnaissance schtasks virus
Verdict: Malicious
File Type: exe x32
First seen: 2025-12-10T20:02:00Z UTC
Last seen: 2025-12-10T20:33:00Z UTC
Hits: ~100
Detections:
Trojan.Win32.Agentb.jrhy HEUR:Trojan-Ransom.Win32.Gen.gen Trojan-Dropper.Win32.VB Trojan-Downloader.MSIL.Agent.sb Trojan.XRed.UDP.C&C Trojan.Win32.XRed.nd HEUR:Trojan.Win64.Reflo.pef VHO:Trojan.MSOffice.SAgent.gen Trojan.Agent.TCP.C&C Backdoor.Win32.DarkKomet.hqxy Trojan-Dropper.Win32.Agent.sb Trojan.Win32.Comei.sb Trojan.Win32.Agent.sb HEUR:Trojan.Win32.Generic Trojan-PSW.PureLogs.TCP.C&C Trojan.Win64.PhantomP.sb Trojan.MSOffice.SAgent.sb Backdoor.Bladabindi.TCP.C&C Trojan.Win32.XRed.sb HEUR:Trojan-Downloader.Script.Generic BSS:Exploit.Win32.Generic Backdoor.Win32.Androm Trojan.Win32.XRed.ox Trojan.Win32.XRed.op Trojan.Win32.XRed.mq Trojan.Win32.Miner.sb Trojan.Win32.CoinMiner.sb PDM:Trojan.Win32.Generic Backdoor.Win32.Zegost.sb Trojan.Win32.XRed.mg HEUR:Trojan-Spy.MSIL.Bobik.gen HEUR:Trojan-Dropper.MSIL.FrauDrop.gen HEUR:Trojan-Downloader.MSOffice.Agent.gen Trojan-PSW.Win32.Stealer.sb Trojan.Win32.XRed.nt HEUR:Trojan.Script.Generic HEUR:Trojan.MSIL.Crypt.gen Trojan-PSW.Win64.Salat.sb Trojan-PSW.Win32.Coins.sb Trojan-Dropper.Win32.Injector.sb Trojan.Win32.Agent.rnd Backdoor.Agent.TCP.C&C Backdoor.Agent.HTTP.C&C RiskTool.BitCoinMiner.TCP.C&C RiskTool.Miner.UDP.C&C
Verdict: Malware
YARA: 7 match(es)
Tags: .Net ADODB.Stream Blacklist VBA Corrupted Executable Managed .NET Office Document PE (Portable Executable) PE File Layout scripting.filesystemobject SOS: 0.21 Win 32 Exe WinHttp.WinHttpRequest.5 WinHttp.WinHttpRequest.5.1 WScript.Shell x86
Threat name: Win32.Worm.AutoRun
Status: Malicious
First seen: 2025-12-10 22:56:22 UTC
File Type: PE (Exe)
Extracted files: 73
AV detection: 24 of 24 (100.00%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:salatstealer family:sheetrat family:xmrig family:xred backdoor credential_access defense_evasion discovery execution miner persistence spyware stealer trojan upx
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Creates new service(s)
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Stops running service(s)
Unsecured Credentials: Credentials In Files
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
XMRig Miner payload
Detect SalatStealer payload
Detects Sheetrat obfuscated V2.0 and higher
Salatstealer family
Sheetrat family
Sheetrat, NonEuclid rat
Xmrig family
Xred
Xred family
salatstealer
xmrig
Malware Config
C2 Extraction:
xred.mooo.com
64.188.66.7:3765
V_^K[a+/7FQ 61.\DAu'BlOg&$=Nm iRx%fHGXy
Verdict: Malicious
Tags: backdoor xred_backdoor Win.Trojan.Emotet-9850453-0
YARA: mal_xred_backdoor
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Author:malware-lu
Rule name:Borland
Author:malware-lu
Rule name:D1S1Gv11betaD1N
Author:malware-lu
Rule name:Detect_PowerShell_Obfuscation
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Disable_Defender
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through base64 encoded powershell script.
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Rule name:shellcode
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD command that can be abused by threat actor (can create FP)
Rule name:TH_Generic_MassHunt_Win_Malware_2025_CYFARE
Author:CYFARE
Description:Generic Windows malware mass-hunt rule - 2025
Reference:https://cyfare.net/
Rule name:vbaproject_bin
Author:CD_R0M_
Description:{76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Malware family: XRed
File: Executable exe 6f561ab384d65db9ee11a49b2f9d0a1e6758f9d0c6082f1e65821f6984fa2c71 (this sample)
Dropped by: Amadey
Delivery method: Distributed via web download

Comments