MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b511d6e13c1d4b90ebff10d21c6f6d689b9c07b8377a21f63d1c6895525ffbc8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



XRed


Vendor detections: 18



SHA256 hash: b511d6e13c1d4b90ebff10d21c6f6d689b9c07b8377a21f63d1c6895525ffbc8
SHA3-384 hash: 4a381e5c35c508d27ed241288d62a2f5eb89065c74a4018c0f6b4f9086ee26da1197c774a38894064238a85a1db00254
SHA1 hash: 0dc1b2aa1b7e628c2c85dfda891683dd13af845a
MD5 hash: 17f9f21ed23c68b5452945d6595ba589
humanhash: jersey-nuts-carpet-twelve
File name: SB360.exe
Signature: XRed
File size: 5'571'584 bytes
First seen: 2026-02-27 09:02:26 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 332f7ce65ead0adfb3d35147033aabe9 (94 x XRed, 18 x SnakeKeylogger, 9 x DarkComet)
ssdeep: 98304:Rnsmtk2aiskDP1dOcdGnsmtk2aY1VVv28DO0r:tLxOVL3F
Threatray: 206 similar samples on MalwareBazaar
TLSH: T139469D266B924172C3613738CC76A6A455252F031F18D57A6EB46D4C7D3238EFC23ABE
TrID: 88.5% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
      5.7% (.EXE) InstallShield setup (43053/19/16)
      1.8% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      1.3% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
      0.8% (.EXE) Win64 Executable (generic) (6522/11/2)
Magika: pebin
Reporter: Ling
Tags: autorun exe Worm:Win32/AutoRun!atmn xred


CNGaoLing
Worm:Win32/AutoRun!atmn (Microsoft Defender)

XRed IOC (Domain xred.mooo.com)

Intelligence


File Origin
# of uploads: 1
# of downloads: 127
Origin country: US

Vendor Threat Intelligence
Malware configuration found for: Gh0stRat, MSO, XRed
Details:
MSO: extracted VBA Macros and, if observed, MS-OFORM variables/data are added to the knowledge base for usage in later parsing of the Macros
XRed: url(s), filepath(s) and a user-agent
XRed: extracted components and server, download, gmail, client, and active configuration settings

Malware family: n/a
ID: 1
File name: SB360.exe
Verdict: Malicious activity
Analysis date: 2026-02-27 03:06:27 UTC
Tags: xred backdoor jeefo peinfector delphi dyndns

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.9%
Tags: darkkomet delphi jeefo lien

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: adaptive-context anti-debug autorun base64 borland_delphi cmd crypt darkkomet dropper evasive fingerprint hdlocker installer-heuristic keylogger lolbin macros-on-open packed packed unsafe virus windows

Verdict: Malicious
File Type: exe x32
Detections:
Virus.Win32.Hidrag.a Trojan.Win32.XRed.nt HEUR:Backdoor.Win32.Generic HEUR:Trojan-Downloader.MSOffice.Agent.gen Trojan.XRed.UDP.C&C Trojan-Downloader.Win32.VB.sb Trojan-Downloader.Win32.Upatre.sb Trojan-Banker.Win32.Banbra.sb Trojan.Win32.Reconyc.sb Rootkit.Win64.Agent.bgp Backdoor.Win32.Poison.sb Trojan.Win32.Comei.sb Trojan.Win32.Blamon.sb Trojan.Win32.Agentb.jrhy HEUR:Trojan-Ransom.Win32.Gen.gen HEUR:Trojan.Script.Generic Backdoor.Win32.Lotok.sbc Backdoor.Win32.Farfli.sb Backdoor.Win32.DarkKomet.hqxy BSS:Exploit.Win32.Generic Trojan-Dropper.MSOffice.SDrop.sb Trojan-Downloader.Win32.Blamon.sb Trojan-Clicker.Win32.Cycler.sb HEUR:Backdoor.Win32.Lotok.gen Trojan.Win32.Comei.ukc Trojan.MSOffice.SAgent.sb BSS:Trojan.Win32.Generic.nblk Trojan.Win32.XRed.op Trojan.Win32.XRed.mg HEUR:Backdoor.Win32.Zegost.gen Backdoor.Win32.Farfli.bwkx HEUR:Trojan-Downloader.Script.Generic Trojan-Dropper.Win32.Daws.sb Worm.Win32.VBNA.sb Trojan.Win32.XRed.nd Trojan.Win32.XRed.mq Trojan.Win32.Agent.sb HEUR:Trojan.Win32.Generic Trojan.Win32.XRed.ox Trojan-Dropper.Win32.Daws.sba Trojan-Spy.Win64.Agent.sb Trojan-Spy.Win32.Agent Trojan.Win32.XRed.sb Backdoor.Win32.Zegost.sb Trojan-Spy.Win32.Agent.sb Trojan.Comei.UDP.C&C Trojan.Win32.Farfli.sb Backdoor.Agent.HTTP.C&C Trojan.Win32.Antavmu.sb PDM:Trojan.Win32.Generic HEUR:Worm.Win32.Generic HEUR:Trojan.Win32.Agent.gen VHO:Trojan.MSOffice.SAgent.gen BSS:Trojan.Win32.Generic not-a-virus:RiskTool.Win32.FlyStudio.sb
Threat name: Win32.Virus.Jeefo
Status: Malicious
First seen: 2026-02-27 09:03:17 UTC
File Type: PE (Exe)
Extracted files: 256
AV detection: 24 of 24 (100.00%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:blackmoon family:gh0strat family:purplefox family:xred backdoor banker discovery persistence rat rootkit trojan
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Drops file in Drivers directory
Server Software Component: Terminal Services DLL
Sets service image path in registry
Blackmoon family
Blackmoon, KrBanker
Detect Blackmoon payload
Detect PurpleFox Rootkit
Gh0st RAT payload
Gh0strat
Gh0strat family
PurpleFox
Purplefox family
Xred
Xred family
Malware Config
C2 Extraction: xred.mooo.com
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BobSoftMiniDelphiBoBBobSoft
Author: malware-lu
Rule name: Borland
Author: malware-lu
Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name: D1S1Gv11betaD1N
Author: malware-lu
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name: DevCv4
Author: malware-lu
Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through a base64 encoded PowerShell script.
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: meth_stackstrings
Author: Willi Ballenthin
Rule name: pe_detect_tls_callbacks
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns
Rule name: Suspicious_Process
Author: Security Research Team
Description: Suspicious process creation
Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD commands that can be abused by a threat actor (can create FP)
Rule name: TH_Generic_MassHunt_Win_Malware_2025_CYFARE
Author: CYFARE
Description: Generic Windows malware mass-hunt rule - 2025
Reference: https://cyfare.net/
Rule name: vbaproject_bin
Author: CD_R0M_
Description: {76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time
Rule name: Windows_Generic_Threat_3f060b9c
Author: Elastic Security
Rule name: Windows_Trojan_Generic_9e4bb0ce
Author: Elastic Security
Rule name: without_attachments
Author: Antonio Sanchez <asanchez@hispasec.com>
Description: Rule to detect the absence of any attachment
Reference: http://laboratorio.blogs.hispasec.com/
Rule name: with_urls
Author: Antonio Sanchez <asanchez@hispasec.com>
Description: Rule to detect the presence of one or several URLs
Reference: http://laboratorio.blogs.hispasec.com/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Malware family: XRed
Sample: Executable exe b511d6e13c1d4b90ebff10d21c6f6d689b9c07b8377a21f63d1c6895525ffbc8 (this sample)