MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a30e49e1f71c70c4bc72f62e80be05b837c4a01a8fcc12e0c5a4c2cf52e270fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XRed


Vendor detections: 20


Intelligence 20 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a30e49e1f71c70c4bc72f62e80be05b837c4a01a8fcc12e0c5a4c2cf52e270fa
SHA3-384 hash: 08181bfdf837c539e10d91b879dd6941b0d2eec9f4e0ef34d9bf16f0aa09ec35ceb0b1a790e63ee5842d82d50d70c1d9
SHA1 hash: 159421122c613ed83cb106dfd2312823cf049adf
MD5 hash: b11a0f9a99d9201351ab763d19c216c7
humanhash: harry-muppet-wisconsin-green
File name:Purchase Order_2026.21 PARS_74100622654.xlsx.exe
Download: download sample
Signature XRed
Create hunting rule
File size:1'653'760 bytes
First seen:2026-05-21 10:24:21 UTC
Last seen:2026-06-08 10:03:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 332f7ce65ead0adfb3d35147033aabe9 (100 x XRed, 18 x SnakeKeylogger, 9 x DarkComet)
ssdeep 49152:VnsHyjtk2MYC5GDMwhE929/8yOk+176pfD:Vnsmtk2aR929vOn1769D
Threatray 3'059 similar samples on MalwareBazaar
TLSH T1BB75CF22B291D437D0721B7C8C67E2B55929BE512E34E60B7FE92E8F7E3934128152D3
TrID 93.8% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
2.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.4% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
0.9% (.EXE) Win64 Executable (generic) (6522/11/2)
0.6% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon e863eae6b696c6ee (3 x XRed, 2 x AsyncRAT, 2 x SnakeKeylogger)
Reporter threatcat_ch
Tags:exe xred

Intelligence

File Origin
# of uploads :
2
# of downloads :
161
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
MSO XRed
Details
MSO
extracted VBA Macros and, if observed, MS-OFORM variables/data are added to the knowledge base for usage in later parsing of the Macros
XRed
extracted components and server, download, gmail, client, and active configuration settings
XRed
url(s), filepath(s) and a user-agent
Link:
https://research.acce.ciphertechsolutions.com/results/32a3651b-5d9f-4710-b032-1ec3546c4ab3/
Malware family:
n/a
ID:
1
File name:
_a30e49e1f71c70c4bc72f62e80be05b837c4a01a8fcc12e0c5a4c2cf52e270fa.exe
Verdict:
Malicious activity
Analysis date:
2026-05-21 10:25:43 UTC
Tags:
xred backdoor auto-reg delphi netreactor dyndns ip-check evasion snake keylogger stealer
Link:
https://app.any.run/tasks/2646a3e3-3d8d-4541-a654-b031fd4ba447

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/67159/
Detection(s):
Win.Trojan.Emotet-9850453-0
Create hunting rule

Win.Trojan.Generic-9936029-0
Create hunting rule

Win.Malware.Delf-6899401-0
Create hunting rule

YARA.RUSSIANPANDA_Mal_Xred_Backdoor.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.PKILLDropboxMacroDirectDownload.20220331.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Other.Malware-gen.4213.13336.UNOFFICIAL
Create hunting rule

MiscreantPunch.EvilMacro.PVDISABLE.170819.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.PolicyKillOnlyHappyWhenItRains.20210704.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.HanciInterruptMyDayHandler.20210721.UNOFFICIAL
Create hunting rule

Xls.Dropper.Agent-7382066-0
Create hunting rule

PUA.Win.Packer.D1s1g-5
Create hunting rule

PUA.Win.Packer.D1s1g-1
Create hunting rule

PUA.Win.Packer.D1s1g-2
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a0edd684159ce11f602473a
Tags:
underscore delphi
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Moving a recently created file
Searching for the window
Creating a file in the %temp% directory
Moving a file to the %temp% directory
Modifying an executable file
DNS request
Sending a custom TCP request
Connection attempt
Sending an HTTP GET request
Reading critical registry keys
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Infecting executable files
Forced shutdown of a browser
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug base64 borland_delphi cmd evasive fingerprint installer-heuristic keylogger lolbin masquerade overlay packed reconnaissance
Link:
https://www.filescan.io/uploads/6a0edd5cefbd399b39c2260f/reports/221ee381-7b5a-4306-b209-4b00d53e6085/overview
Verdict:
Malicious
Labled as:
Comet.A
Link:
https://www.hybrid-analysis.com/sample/a30e49e1f71c70c4bc72f62e80be05b837c4a01a8fcc12e0c5a4c2cf52e270fa
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-05-21T03:48:00Z UTC
Last seen:
2026-05-23T03:28:00Z UTC
Hits:
~1000
Detections:
Trojan-PSW.Win32.Stealer.sb HEUR:Trojan-PSW.MSIL.Agensla.gen Trojan-Dropper.Win32.Dorifel.sbd HEUR:Trojan-Ransom.Win32.Gen.gen HEUR:Trojan-Downloader.MSOffice.Agent.gen Trojan-Spy.MSIL.SnakeLogger.sb BSS:Trojan.Win32.Generic HEUR:Trojan.Script.Badur.genw HEUR:Trojan.Script.Generic Trojan.MSIL.Inject.sb Backdoor.Agent.HTTP.C&C VHO:Trojan.MSOffice.SAgent.gen Trojan.MSIL.Crypt.sb PDM:Trojan.Win32.Generic HEUR:Trojan-Spy.MSIL.Agent.sb Trojan.Win32.XRed.nt Trojan.Win32.XRed.mq Trojan.Win32.Agent.sb Trojan.MSOffice.SAgent.sb Trojan.Win32.XRed.mg HEUR:Trojan-Downloader.Script.Generic Trojan.Win32.XRed.ox Trojan.Win32.Agentb.jrhy BSS:Exploit.Win32.Generic Trojan.Win32.XRed.op Trojan.XRed.UDP.C&C VHO:Trojan-PSW.MSIL.Agensla.gen Trojan.Win32.XRed.sb Trojan.Win32.XRed.nd Backdoor.Win32.DarkKomet.hqxy
Link:
https://opentip.kaspersky.com/a30e49e1f71c70c4bc72f62e80be05b837c4a01a8fcc12e0c5a4c2cf52e270fa/results?tab=lookup
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1fbf2348-a40d-4ceb-bb06-63d61fe52201
Result
Threat name:
Snake Keylogger, XRed
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1917026
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Drops PE files to the document folder of the user
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Suspicious Double Extension File Execution
Sigma detected: Suspicious Double Extension Files
Suricata IDS alerts for network traffic
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected UAC Bypass using CMSTP
Yara detected XRed
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1917026 Sample: Purchase Order_2026.21 PARS... Startdate: 21/05/2026 Architecture: WINDOWS Score: 100 49 reallyfreegeoip.org 2->49 51 freedns.afraid.org 2->51 53 14 other IPs or domains 2->53 69 Suricata IDS alerts for network traffic 2->69 71 Found malware configuration 2->71 73 Malicious sample detected (through community Yara rule) 2->73 79 21 other signatures 2->79 8 Purchase Order_2026.21 PARS_74100622654.xlsx.exe 1 6 2->8         started        11 EXCEL.EXE 183 57 2->11         started        14 Synaptics.exe 2->14         started        signatures3 75 Tries to detect the country of the analysis system (by using the IP) 49->75 77 Uses dynamic DNS services 51->77 process4 dnsIp5 35 ._cache_Purchase O...4100622654.xlsx.exe, PE32 8->35 dropped 37 C:\ProgramData\Synaptics\Synaptics.exe, PE32 8->37 dropped 39 C:\ProgramData\Synaptics\RCX594C.tmp, PE32 8->39 dropped 41 C:\...\Synaptics.exe:Zone.Identifier, ASCII 8->41 dropped 16 Synaptics.exe 113 8->16         started        21 ._cache_Purchase Order_2026.21 PARS_74100622654.xlsx.exe 3 8->21         started        55 part-0012.t-0009.t-msedge.net 13.107.246.40, 443, 49743, 49784 MICROSOFT-CORP-MSN-AS-BLOCK-MicrosoftCorporationUS United States 11->55 23 splwow64.exe 11->23         started        file6 process7 dnsIp8 43 freedns.afraid.org 69.42.215.252, 49731, 80 OBJX-objxnetLLCUS United States 16->43 45 docs.google.com 142.251.211.110, 443, 49726, 49727 GOOGLE-GoogleLLCUS United States 16->45 47 drive.usercontent.google.com 142.251.211.161, 443, 49732, 49733 GOOGLE-GoogleLLCUS United States 16->47 31 C:\Users\user\DocumentsbehaviorgraphIGIYTFFYT\~$cache1, PE32 16->31 dropped 61 Antivirus detection for dropped file 16->61 63 Multi AV Scanner detection for dropped file 16->63 65 Drops PE files to the document folder of the user 16->65 25 WerFault.exe 16->25         started        33 ._cache_Purchase O...622654.xlsx.exe.log, ASCII 21->33 dropped 67 Injects a PE file into a foreign processes 21->67 27 ._cache_Purchase Order_2026.21 PARS_74100622654.xlsx.exe 21->27         started        file9 signatures10 process11 dnsIp12 57 checkip.dyndns.com 132.226.247.73, 49715, 49720, 49722 ORACLE-BMC-31898-OracleCorporationUS Brazil 27->57 59 reallyfreegeoip.org 172.67.177.134, 443, 49717, 49721 CLOUDFLARENET-CloudflareIncUS Canada 27->59 81 Tries to steal Mail credentials (via file / registry access) 27->81 83 Tries to harvest and steal browser information (history, passwords, etc) 27->83 signatures13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a30e49e1f71c70c4bc72f62e80be05b837c4a01a8fcc12e0c5a4c2cf52e270fa
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a30e49e1f71c70c4bc72f62e80be05b837c4a01a8fcc12e0c5a4c2cf52e270fa/
Verdict:
Malicious
Threat:
Family.XRED
Link:
https://tip.neiki.dev/file/a30e49e1f71c70c4bc72f62e80be05b837c4a01a8fcc12e0c5a4c2cf52e270fa
Threat name:
Win32.Worm.Zorex
Create hunting rule
Status:
Malicious
First seen:
2026-05-21 07:38:49 UTC
AV detection:
35 of 37 (94.59%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=umhetypxdrymjpds6yxibpqfxa34jia2r7gbfygfutbm6uxcod5a._file
Verdict:
malicious
Label(s):
zgrat
Create hunting rule
404keylogger
Create hunting rule
xredbackdoor
Create hunting rule
Similar samples:
01beb5ff303d761cfffc12ace47aa012fc86000382b04e1e2f9342c7b10657ae
XRed
1d164187b8c959a02f88ebe22a577fbfa70700a7b6679fa7815e654eed38d01e
XRed
a30e49e1f71c70c4bc72f62e80be05b837c4a01a8fcc12e0c5a4c2cf52e270fa
XRed
b63f93e0815aa8f06565aec612aa0916b7ebf65efced3545e92bec450a01afdd
XRed
error
XRed
faa2ffa4498542a73f97ca66525fe785788559665b0a553a322d5ccefa7bf473
XRed
fdd36a586f4979bb696ae7863c45e7332a6e318ef3a6189e1adec270fa698bb6
XRed
+ 3'049 additional samples on MalwareBazaar
Result
Malware family:
xred
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger family:xred backdoor collection discovery keylogger persistence spyware stealer
Link:
https://tria.ge/reports/260521-mfllqaat7q/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Family: Snake Keylogger
Family: Xred
Snake Keylogger payload
Malware Config
C2 Extraction:
xred.mooo.com
https://api.telegram.org/bot8998880555:AAF9XzUICVQocz8ESEFVLTTKbIn4Z6LEwvI/sendMessage?chat_id=8728802329
Unpacked files
SH256 hash:
a30e49e1f71c70c4bc72f62e80be05b837c4a01a8fcc12e0c5a4c2cf52e270fa
MD5 hash:
b11a0f9a99d9201351ab763d19c216c7
SHA1 hash:
159421122c613ed83cb106dfd2312823cf049adf
Detections:
triage_xred_backdoor
Create hunting rule
Link:
https://www.unpac.me/results/0bf45bd5-ab68-43f4-bd8e-fa0653f71fb8/
SH256 hash:
b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2
MD5 hash:
c0ef4d6237d106bf51c8884d57953f92
SHA1 hash:
f1da7ecbbee32878c19e53c7528c8a7a775418eb
Link:
https://www.unpac.me/results/0bf45bd5-ab68-43f4-bd8e-fa0653f71fb8/
SH256 hash:
a36b978f5e5e1a2c42207c1fb62a091cbc26124423f51f33f08aa2823c43f74b
MD5 hash:
8ebe2492ed135fc469f240e7e73081e6
SHA1 hash:
6a03721fc62be4ceef353147048488fbbffcfdf7
Link:
https://www.unpac.me/results/0bf45bd5-ab68-43f4-bd8e-fa0653f71fb8/
SH256 hash:
a9cc84d37c2b5ebe169fd63a4058eee5c85f44fb375d201e9f1eea6a1cc17ea8
MD5 hash:
293f78d7524f776f30ecc5ac90715ea3
SHA1 hash:
0cb847eaf23e409c42169e6139b456a6129d8c12
Detections:
win_404keylogger_g1
Create hunting rule
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/0bf45bd5-ab68-43f4-bd8e-fa0653f71fb8/
Parent samples :
b63f93e0815aa8f06565aec612aa0916b7ebf65efced3545e92bec450a01afdd
a30e49e1f71c70c4bc72f62e80be05b837c4a01a8fcc12e0c5a4c2cf52e270fa
SH256 hash:
78f08b46dfc1ceccd2aa02263d0a891237b0a13a51eb9bde618be913f59cec5d
MD5 hash:
bf08c3c5d8a4da3e00119efd59c84f38
SHA1 hash:
34f901eb23bf1e1a868afddca56e85a79b7eec3c
Link:
https://www.unpac.me/results/0bf45bd5-ab68-43f4-bd8e-fa0653f71fb8/
SH256 hash:
30b8da6a6c14adb7188e67f556e4e4abdc4e0a47db4008b7a2930c21dbdf59c2
MD5 hash:
c25420b73d0fe1dd63cf91b94c810225
SHA1 hash:
8d54643580d5d5952e74ec53ebf93b91e398e9de
Link:
https://www.unpac.me/results/0bf45bd5-ab68-43f4-bd8e-fa0653f71fb8/
Malware family:
XRed
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a30e49e1f71c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a30e49e1f71c70c4bc72f62e80be05b837c4a01a8fcc12e0c5a4c2cf52e270fa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:D1S1Gv11betaD1N
Create hunting rule
Author:malware-lu
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:vbaproject_bin
Create hunting rule
Author:CD_R0M_
Description:{76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XRed

Executable exe a30e49e1f71c70c4bc72f62e80be05b837c4a01a8fcc12e0c5a4c2cf52e270fa

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/67159/

Comments