MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a380d3d69ccfa937fb1dacccfbf7cb91b74957bd14999ea9094f6f51c3209227. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



XRed


Vendor detections: 17



SHA256 hash: a380d3d69ccfa937fb1dacccfbf7cb91b74957bd14999ea9094f6f51c3209227
SHA3-384 hash: cd4ba4d47e19530e634d2b852ad8cdaa92cfe5640c3aaa73e7ff79a11e8c6f2e23be9f79f742c0c70b1499e96b502f73
SHA1 hash: aaa0efb51a36732c592b3217340af20caeeb131f
MD5 hash: 880a15ca0dcba93d0f93390af98e20d1
humanhash: venus-spaghetti-pennsylvania-cup
File name: Bomber.exe
Signature: XRed
File size: 23'733'248 bytes
First seen: 2026-02-28 11:44:22 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 332f7ce65ead0adfb3d35147033aabe9 (94 x XRed, 18 x SnakeKeylogger, 9 x DarkComet)
ssdeep: 393216:rlPBC1lb8R765hM28vF9LnrsTlYYqxh5vSaArgxRXy91qR6tcevTBplr3JPXboB2:jkhMHzLnIlESrgrXcYclr5/boQ
Threatray: 188 similar samples on MalwareBazaar
TLSH: T19137332272D170B3C26766789DDBD365583DBE925D78F05F26E44E889F2E3822C142CB
TrID: 36.9% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
      24.1% (.EXE) Win64 Executable (generic) (6522/11/2)
      16.6% (.EXE) Win32 Executable (generic) (4504/4/1)
      7.4% (.EXE) OS/2 Executable (generic) (2029/13)
      7.3% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
Reporter: burger
Tags: exe RAT xred

Intelligence


File Origin
# of uploads: 1
# of downloads: 126
Origin country: NL
Vendor Threat Intelligence
Malware configuration found for: EvilCoder, MasonRAT, MSO, XRed
Details:
EvilCoder: a mutex and AES-ECB decrypted component(s)
MasonRAT: a c2 socket address or dead-drop resolver url, a mutex, a filename, and an SPL value
MSO: extracted VBA Macros and, if observed, MS-OFORM variables/data are added to the knowledge base for usage in later parsing of the Macros
XRed: url(s), filepath(s) and a user-agent
XRed: extracted components and server, download, gmail, client, and active configuration settings
Malware family: n/a
ID: 1
File name: https://gofile.io/d/2ignh0
Verdict: Malicious activity
Analysis date: 2026-02-28 11:41:41 UTC
Tags: fileshare xred backdoor delphi dyndns

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: dropper delphi micro smtp
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: adaptive-context anti-debug autorun base64 borland_delphi cmd darkkomet dropper evasive fingerprint installer-heuristic keylogger lolbin macros-on-open packed virus
Verdict: Malicious
File Type: exe x32
Detections:
Trojan.Win32.Agentb.jrhy Trojan.Win32.Agent.sb HEUR:Trojan-Downloader.Script.Generic HEUR:Exploit.MSIL.BypassUAC.gen HEUR:Trojan-Dropper.MSIL.Dapato.gen Trojan-Dropper.Win32.Injector VHO:Trojan.MSIL.Inject.gen Trojan.XRed.UDP.C&C Trojan.MSOffice.SAgent.sb HEUR:Trojan.Script.Generic HEUR:Rootkit.Win64.Agent.gen Backdoor.Win32.Androm.sb Trojan-Dropper.Win32.Dorifel.sbd PDM:Trojan.Win32.Generic Trojan.Win32.XRed.sb Trojan.MSIL.Crypt.sb Trojan.MSIL.Agent.sb Trojan-PSW.Win32.Stealer.sb Trojan-Dropper.Win32.Injector.sb Trojan.Win64.Agent.sb HEUR:Trojan-Ransom.Win32.Gen.gen HEUR:Trojan-Downloader.MSOffice.Agent.gen Backdoor.Win32.DarkKomet.hqxy VHO:Trojan.MSIL.Agent.gen Backdoor.Agent.HTTP.C&C Trojan.Win64.Reflo.sb HEUR:Trojan.Win32.Generic VHO:Trojan.MSOffice.SAgent.gen BSS:Exploit.Win32.Generic Trojan-Dropper.Win32.Agent.sb Backdoor.MSIL.Mason.sb Trojan.MSIL.Dnoper.sb Backdoor.Win32.Zegost.sb Backdoor.Agent.TCP.C&C Trojan.Win64.PhantomP.sb HEUR:Backdoor.MSIL.Mason.gen
Result
Threat name:
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code contains very large strings
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates files in the system32 config directory
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Drops PE files to the document folder of the user
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Hides threads from debuggers
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to evade analysis by execution special instruction (VM detection)
Unusual module load detection (module proxying)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
Yara detected XRed
Behaviour
Behavior Graph ID: 1876346; Sample: Bomber.exe; Startdate: 28/02/2026; Architecture: WINDOWS; Score: 100. Process tree:

Sample root
  Network: freedns.afraid.org (Uses dynamic DNS services); xred.mooo.com; 8 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 23 other signatures
  Bomber.exe (started)
    Dropped: C:\Users\user\Desktop\._cache_Bomber.exe (PE32); C:\ProgramData\Synaptics\Synaptics.exe (PE32); C:\ProgramData\Synaptics\RCXF4C4.tmp (PE32); C:\...\Synaptics.exe:Zone.Identifier (ASCII)
    ._cache_Bomber.exe (started)
      Dropped: C:\Users\user\AppData\Roaming\w.exe (PE32); C:\Users\user\AppData\Roaming\99.exe (PE32); C:\Users\user\...\._cache_Bomber.exe.log (CSV)
      Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
      w.exe (started)
        Dropped: C:\Users\user\Desktop\._cache_w.exe (PE32)
        Signatures: Antivirus detection for dropped file
        ._cache_w.exe (started)
          Dropped: C:\Users\user\AppData\...\Mason._cache_w.exe (PE32); C:\Users\user\AppData\Local\...\MasonKit.exe (PE32)
          Signatures: Antivirus detection for dropped file
          MasonKit.exe (started)
            Dropped: C:\Users\user\AppData\...\MasonRootkit.exe (PE32)
            Signatures: Multi AV Scanner detection for dropped file
            MasonRootkit.exe (started)
              Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Writes to foreign memory regions; 4 other signatures
              dllhost.exe (started)
                Signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Creates a thread in another existing process (thread injection); 2 other signatures
                lsass.exe (injected)
                  Signatures: Creates files in the system32 config directory; Writes to foreign memory regions; Unusual module load detection (module proxying)
                winlogon.exe (injected)
                svchost.exe (started)
                13 other processes
                  WerFault.exe (started)
            cmd.exe (started)
              conhost.exe (started)
              timeout.exe (started)
          Mason._cache_w.exe (started)
            Network: x3shn4x-41446.portmap.host 193.161.193.99, 41446, 49722, 49742, BITREE-ASRU, Russian Federation
            Signatures: Antivirus detection for dropped file; Contains functionality to inject code into remote processes; Uses schtasks.exe or at.exe to add and modify task schedules
            schtasks.exe (started)
              conhost.exe (started)
      99.exe (started)
        Signatures: Multi AV Scanner detection for dropped file; Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Tries to evade analysis by execution special instruction (VM detection); 3 other signatures
    Synaptics.exe (started)
      Network: drive.usercontent.google.com 142.251.34.65, 443, 49730, 49731, GOOGLEUS, United States; docs.google.com 142.251.40.110, 443, 49724, 49725, GOOGLEUS, United States; freedns.afraid.org 69.42.215.252, 49729, 80, AWKNET-LLCUS, United States
      Dropped: C:\Users\user\DocumentsIVQSAOTAQ\~$cache1 (PE32)
      Signatures: Drops PE files to the document folder of the user
      WerFault.exe (started)
  EXCEL.EXE (started)
    Network: part-0041.t-0009.t-msedge.net 13.107.213.69, 443, 49767, 49770, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States
  Synaptics.exe (started)
  Mason._cache_w.exe (started)
Threat name: Win32.Virus.Napwhich
Status: Malicious
First seen: 2026-02-28 11:43:51 UTC
File Type: PE (Exe)
Extracted files: 34
AV detection: 22 of 23 (95.65%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:xred backdoor bootkit defense_evasion discovery execution macro persistence
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Enumerates connected drives
Writes to the Master Boot Record (MBR)
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Indicator Removal: Clear Windows Event Logs
Sets service image path in registry
Suspicious Office macro
Suspicious use of NtCreateUserProcessOtherParentProcess
Xred
Xred family
Malware Config
C2 Extraction: xred.mooo.com
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BobSoftMiniDelphiBoBBobSoft
Author: malware-lu
Rule name: Borland
Author: malware-lu
Rule name: D1S1Gv11betaD1N
Author: malware-lu
Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through base64 encoded PowerShell script.
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_detect_tls_callbacks
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns
Rule name: vbaproject_bin
Author: CD_R0M_
Description: {76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - ran out of time.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments