MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b2dd6b539336506d71d98f840e902cdf0f60b1cabf3d163a725453a8eb97aca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XRed

Vendor detections: 17

Intelligence 17 IOCs YARA 13 File information Comments

SHA256 hash:	9b2dd6b539336506d71d98f840e902cdf0f60b1cabf3d163a725453a8eb97aca
SHA3-384 hash:	00fd4bbc746d761ce4077ce4c459de966bdf5de463fa3f117c55cefb65158d1ae32e3e99eadd0029cf3e4dd1dd8bc3f2
SHA1 hash:	21c362dc1ff693003579ea40b31def3a090220ee
MD5 hash:	d8a8ca91363c62c3def5ddbec5621494
humanhash:	romeo-social-xray-lion
File name:	通道账单错误b.exe
Download:	download sample
Signature	XRed Create hunting rule
File size:	1'160'704 bytes
First seen:	2026-03-15 15:52:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	332f7ce65ead0adfb3d35147033aabe9 (97 x XRed, 18 x SnakeKeylogger, 9 x DarkComet)
ssdeep	24576:InsJ39LyjbJkQFMhmC+6GD9zsDJ2C++XbhwMrZALFMYy6:InsHyjtk2MYC5GDe2C+kTez
Threatray	191 similar samples on MalwareBazaar
TLSH	T17235AF22B2D18437D1731A398CAB93B49839FF512E35A90B37F42E4C5F396816D25E93
TrID	88.5% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58) 5.7% (.EXE) InstallShield setup (43053/19/16) 1.8% (.EXE) Win32 Executable Delphi generic (14182/79/4) 1.3% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2) 0.8% (.EXE) Win64 Executable (generic) (6522/11/2)
Magika	pebin
dhash icon	71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter	Ling
Tags:	autorun exe Worm:Win32/AutoRun!atmn xred

CNGaoLing

Worm:Win32/AutoRun!atmn (Microsoft Defender)

XRed IOC (Domain xred.mooo.com)

Intelligence

File Origin

# of uploads :

# of downloads :

195

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

MSO XRed

Details

MSO

extracted VBA Macros and, if observed, MS-OFORM variables/data are added to the knowledge base for usage in later parsing of the Macros

XRed

extracted components and server, download, gmail, client, and active configuration settings

XRed

url(s), filepath(s) and a user-agent

Link:

https://research.acce.ciphertechsolutions.com/results/d747e9bc-31e0-4eba-8d80-97ee670e0470/

Malware family:

n/a

ID:

File name:

通道账单错误b.exe

Verdict:

Malicious activity

Analysis date:

2026-03-15 15:34:35 UTC

Tags:

xred backdoor delphi xor-url dyndns generic

Link:

https://app.any.run/tasks/33f19404-3b7f-43c4-8994-5c50c513c4b9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/57557/

Detection(s):

Win.Trojan.Emotet-9850453-0

Win.Trojan.Generic-9936029-0

Win.Malware.Delf-6899401-0

MiscreantPunch.SingleXOR.EXE.247.UNOFFICIAL

TwinWave.EvilDoc.PKILLDropboxMacroDirectDownload.20220331.UNOFFICIAL

SecuriteInfo.com.Other.Malware-gen.4213.13336.UNOFFICIAL

MiscreantPunch.EvilMacro.PVDISABLE.170819.UNOFFICIAL

TwinWave.EvilDoc.PolicyKillOnlyHappyWhenItRains.20210704.UNOFFICIAL

TwinWave.EvilDoc.HanciInterruptMyDayHandler.20210721.UNOFFICIAL

Xls.Dropper.Agent-7382066-0

PUA.Win.Packer.D1s1g-5

PUA.Win.Packer.D1s1g-2

PUA.Win.Packer.D1s1g-1

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69b6d5ea88c80c01586a7ab2

Tags:

vmdetect delphi madi

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context anti-debug base64 borland_delphi cmd darkkomet emotet evasive evasive exploit explorer explorer fingerprint installer-heuristic keylogger lolbin lolbin obfuscated packed soft-404 unsafe virus xor-pe

Link:

https://www.filescan.io/uploads/69b6d5e9493cb7d62dfe272d/reports/abf38d91-e1b0-46b7-8574-ae7b88f397c2/overview

Verdict:

Malicious

Labled as:

Comet.A

Link:

https://www.hybrid-analysis.com/sample/9b2dd6b539336506d71d98f840e902cdf0f60b1cabf3d163a725453a8eb97aca

Verdict:

Malicious

File Type:

exe x32

Detections:

Trojan.Win32.XRed.sb Trojan.Win32.Agentb.jrhy HEUR:Trojan-Ransom.Win32.Gen.gen HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan-Downloader.MSOffice.Agent.gen HEUR:Trojan.Script.Generic Backdoor.Win32.DarkKomet.hqxy

Link:

https://opentip.kaspersky.com/9b2dd6b539336506d71d98f840e902cdf0f60b1cabf3d163a725453a8eb97aca/results?tab=lookup

Malware family:

XRed

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3b97488c-8974-4e24-9718-831c69262d30

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/9b2dd6b539336506d71d98f840e902cdf0f60b1cabf3d163a725453a8eb97aca

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9b2dd6b539336506d71d98f840e902cdf0f60b1cabf3d163a725453a8eb97aca/

Verdict:

Malicious

Threat:

Family.XRED

Link:

https://tip.neiki.dev/file/9b2dd6b539336506d71d98f840e902cdf0f60b1cabf3d163a725453a8eb97aca

Threat name:

Win32.Trojan.Synaptics

Status:

Malicious

First seen:

2026-03-15 15:53:24 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 24 (100.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tmw5nnjzgnsqnvy5td4eb2iczxypmcy4vpz5cy5hevctvdvzplfa._file

Verdict:

malicious

Label(s):

xredbackdoor

XRed

924a1f82d9119bdfe5cbb6a3eb843596869cf5f83740c631f4f373203156a363

XRed

df8d2aa31a1e622f675b28f46e5eb8d50e61606c5e182969b0376d0d1915062b

XRed

error

XRed

f97559f4ec80f28bd177d1a9e1d5208c5cadbf26e20cac4af374e6b1144a710c

XRed

fdd36a586f4979bb696ae7863c45e7332a6e318ef3a6189e1adec270fa698bb6

XRed

+ 181 additional samples on MalwareBazaar

Result

Malware family:

xred

Score:

10/10

Tags:

family:xred backdoor discovery persistence

Link:

https://tria.ge/reports/260315-tbqhfaew2z/

Behaviour

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Adds Run key to start application

Xred

Xred family

Malware Config

C2 Extraction:

xred.mooo.com

Unpacked files

SH256 hash:

9b2dd6b539336506d71d98f840e902cdf0f60b1cabf3d163a725453a8eb97aca

MD5 hash:

d8a8ca91363c62c3def5ddbec5621494

SHA1 hash:

21c362dc1ff693003579ea40b31def3a090220ee

Link:

https://www.unpac.me/results/11850163-08e9-4bba-bccb-8adb8bb56031/

SH256 hash:

f1d45405f2d2755cd5f3d62323fcdd77a3f529ee32a9dc40ac27e5221c3a04ea

MD5 hash:

a0f05d931f406151cf09e25ab9f2d344

SHA1 hash:

64281aa989f6af815f60282ed22ab419164084f1

Detections:

INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Link:

https://www.unpac.me/results/11850163-08e9-4bba-bccb-8adb8bb56031/

SH256 hash:

b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2

MD5 hash:

c0ef4d6237d106bf51c8884d57953f92

SHA1 hash:

f1da7ecbbee32878c19e53c7528c8a7a775418eb

Link:

https://www.unpac.me/results/11850163-08e9-4bba-bccb-8adb8bb56031/

SH256 hash:

073150e05fbbcfd6a785db31b2bb2793e83de2c6c793ae40ed0d5a038e40ec4c

MD5 hash:

3e5411a8da8411de37feb783888226aa

SHA1 hash:

a9dee505121828681deee7fa4d27380dc65bdfcb

Detections:

INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Link:

https://www.unpac.me/results/11850163-08e9-4bba-bccb-8adb8bb56031/

Malware family:

XRed

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9b2dd6b53933/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9b2dd6b539336506d71d98f840e902cdf0f60b1cabf3d163a725453a8eb97aca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BobSoftMiniDelphiBoBBobSoft Create hunting rule
Author:	malware-lu

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	D1S1Gv11betaD1N Create hunting rule
Author:	malware-lu

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	SUSP_XORed_MSDOS_Stub_Message Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed MSDOS stub message
Reference:	https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

Rule name:	vbaproject_bin Create hunting rule
Author:	CD_R0M_
Description:	{76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XRed

exe 9b2dd6b539336506d71d98f840e902cdf0f60b1cabf3d163a725453a8eb97aca

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/57557/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample