MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b63f93e0815aa8f06565aec612aa0916b7ebf65efced3545e92bec450a01afdd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XRed


Vendor detections: 20


Intelligence 20 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b63f93e0815aa8f06565aec612aa0916b7ebf65efced3545e92bec450a01afdd
SHA3-384 hash: 6de2f1ab9490c36a53383df379481e6dff409ffc78b04d6c93358f8f6d7593b5e73c057519491ad6ffafdaeefccc9305
SHA1 hash: f89c582c0d70a9bffe6f1517d83e1be8d640396e
MD5 hash: 2d1d57d90b779a8706d0993a8dcded54
humanhash: lima-south-muppet-batman
File name:2026-20-05T1250135.540.pdf.exe
Download: download sample
Signature XRed
Create hunting rule
File size:1'648'128 bytes
First seen:2026-05-20 09:18:01 UTC
Last seen:2026-06-08 10:01:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 332f7ce65ead0adfb3d35147033aabe9 (100 x XRed, 18 x SnakeKeylogger, 9 x DarkComet)
ssdeep 24576:9nsJ39LyjbJkQFMhmC+6GD9+TIMwE1Xr3echseq6SDvmoiD:9nsHyjtk2MYC5GDMf17u0KDvm1D
Threatray 3'044 similar samples on MalwareBazaar
TLSH T1E775D032B2D18437D1721B3C8D6BE3B55939BE512E34A90E7BE52E8E7E3974128142D3
TrID 93.8% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
2.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.4% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
0.9% (.EXE) Win64 Executable (generic) (6522/11/2)
0.6% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon e863eae6b696c6ee (3 x XRed, 2 x AsyncRAT, 2 x SnakeKeylogger)
Reporter threatcat_ch
Tags:exe xred

Intelligence

File Origin
# of uploads :
2
# of downloads :
184
Origin country :
CH CH
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/83208d8c-4d9f-456a-9b22-1cececa3ecf7/
Malware family:
n/a
ID:
1
File name:
exe
Verdict:
Malicious activity
Analysis date:
2026-05-20 09:19:48 UTC
Tags:
xred backdoor auto-reg delphi dyndns ip-check evasion snake keylogger stealer
Link:
https://app.any.run/tasks/fa7ddc43-b8b1-43e8-9837-29dd9d434953

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/66580/
Detection(s):
Win.Trojan.Emotet-9850453-0
Create hunting rule

Win.Trojan.Generic-9936029-0
Create hunting rule

Win.Malware.Delf-6899401-0
Create hunting rule

YARA.RUSSIANPANDA_Mal_Xred_Backdoor.UNOFFICIAL
Create hunting rule

YARA.COD3NYM_SUSP_NET_Shellcode_Loader_Indicators_Jan24.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.PKILLDropboxMacroDirectDownload.20220331.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Other.Malware-gen.4213.13336.UNOFFICIAL
Create hunting rule

MiscreantPunch.EvilMacro.PVDISABLE.170819.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.PolicyKillOnlyHappyWhenItRains.20210704.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.HanciInterruptMyDayHandler.20210721.UNOFFICIAL
Create hunting rule

Xls.Dropper.Agent-7382066-0
Create hunting rule

PUA.Win.Packer.D1s1g-5
Create hunting rule

PUA.Win.Packer.D1s1g-1
Create hunting rule

PUA.Win.Packer.D1s1g-2
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a0d7c614f2b29ce0401a59a
Tags:
underscore delphi
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Moving a recently created file
Searching for the window
Creating a file in the %temp% directory
Moving a file to the %temp% directory
Modifying an executable file
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Unauthorized injection to a recently created process by context flags manipulation
Infecting executable files
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug base64 borland_delphi cmd evasive fingerprint installer-heuristic keylogger lolbin masquerade overlay packed reconnaissance
Link:
https://www.filescan.io/uploads/6a0d7c53efbd399b39be3bd9/reports/aeca5f33-57b8-4b15-8603-b71e292518b8/overview
Verdict:
Malicious
Labled as:
Comet.A
Link:
https://www.hybrid-analysis.com/sample/b63f93e0815aa8f06565aec612aa0916b7ebf65efced3545e92bec450a01afdd
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-05-20T03:19:00Z UTC
Last seen:
2026-05-21T12:26:00Z UTC
Hits:
~1000
Detections:
Backdoor.Agent.HTTP.C&C Trojan.Win32.XRed.sb Trojan.Win32.XRed.mg BSS:Exploit.Win32.Generic VHO:Trojan-Spy.MSIL.SnakeLogger.gen HEUR:Trojan.Script.Badur.genw Trojan.Win32.Agent.sb Backdoor.Win32.DarkKomet.hqxy HEUR:Trojan-Spy.MSIL.SnakeLogger.gen Trojan.XRed.UDP.C&C HEUR:Trojan.Script.Generic HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan-Downloader.MSOffice.Agent.gen Trojan.MSOffice.SAgent.sb Trojan.Win32.XRed.mq Trojan.Win32.Agentb.jrhy HEUR:Trojan-Ransom.Win32.Gen.gen Trojan-Spy.MSIL.SnakeLogger.sb Trojan-PSW.Win32.Stealer.sb HEUR:Trojan-Spy.MSIL.Agent.sb Trojan-Dropper.Win32.Dorifel.sbd Trojan.MSIL.Crypt.sb PDM:Trojan.Win32.Generic Trojan.Win32.XRed.ox Trojan.Win32.XRed.op Trojan.Win32.XRed.nd Trojan.MSIL.Inject.sb BSS:Trojan.Win32.Generic VHO:Trojan.MSOffice.SAgent.gen Trojan.Win32.XRed.nt
Link:
https://opentip.kaspersky.com/b63f93e0815aa8f06565aec612aa0916b7ebf65efced3545e92bec450a01afdd/results?tab=lookup
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/512d5d81-7b3c-4a4e-8db3-5ca5d4b06e93
Result
Threat name:
Snake Keylogger, XRed
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1916212
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Drops PE files to the document folder of the user
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Suspicious Double Extension File Execution
Sigma detected: Suspicious Double Extension Files
Suricata IDS alerts for network traffic
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected UAC Bypass using CMSTP
Yara detected XRed
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1916212 Sample: 2026-20-05T1250135.540.pdf.exe Startdate: 20/05/2026 Architecture: WINDOWS Score: 100 46 reallyfreegeoip.org 2->46 48 freedns.afraid.org 2->48 50 13 other IPs or domains 2->50 72 Suricata IDS alerts for network traffic 2->72 74 Found malware configuration 2->74 76 Malicious sample detected (through community Yara rule) 2->76 82 16 other signatures 2->82 8 2026-20-05T1250135.540.pdf.exe 1 6 2->8         started        12 EXCEL.EXE 220 58 2->12         started        15 Synaptics.exe 2->15         started        signatures3 78 Tries to detect the country of the analysis system (by using the IP) 46->78 80 Uses dynamic DNS services 48->80 process4 dnsIp5 38 C:\...\._cache_2026-20-05T1250135.540.pdf.exe, PE32 8->38 dropped 40 C:\ProgramData\Synaptics\Synaptics.exe, PE32 8->40 dropped 42 C:\ProgramData\Synaptics\RCX2269.tmp, PE32 8->42 dropped 44 C:\...\Synaptics.exe:Zone.Identifier, ASCII 8->44 dropped 84 Contains functionality to detect sleep reduction / modifications 8->84 17 ._cache_2026-20-05T1250135.540.pdf.exe 3 8->17         started        21 Synaptics.exe 41 8->21         started        62 13.107.213.40, 443, 49747, 49748 MICROSOFT-CORP-MSN-AS-BLOCK-MicrosoftCorporationUS United States 12->62 24 splwow64.exe 12->24         started        file6 signatures7 process8 dnsIp9 34 ._cache_2026-20-05...135.540.pdf.exe.log, ASCII 17->34 dropped 64 Multi AV Scanner detection for dropped file 17->64 66 Injects a PE file into a foreign processes 17->66 26 ._cache_2026-20-05T1250135.540.pdf.exe 15 2 17->26         started        30 ._cache_2026-20-05T1250135.540.pdf.exe 17->30         started        52 freedns.afraid.org 69.42.215.252, 49707, 80 OBJX-objxnetLLCUS United States 21->52 54 docs.google.com 142.251.211.78, 443, 49699, 49700 GOOGLE-GoogleLLCUS United States 21->54 56 drive.usercontent.google.com 142.251.45.193, 443, 49702, 49703 GOOGLE-GoogleLLCUS United States 21->56 36 C:\Users\user\Documents\CURQNKVOIX\~$cache1, PE32 21->36 dropped 68 Antivirus detection for dropped file 21->68 70 Drops PE files to the document folder of the user 21->70 32 WerFault.exe 21->32         started        file10 signatures11 process12 dnsIp13 58 checkip.dyndns.com 132.226.247.73, 49693, 49701, 49708 ORACLE-BMC-31898-OracleCorporationUS Brazil 26->58 60 reallyfreegeoip.org 172.67.177.134, 443, 49695, 49698 CLOUDFLARENET-CloudflareIncUS Canada 26->60 86 Tries to steal Mail credentials (via file / registry access) 26->86 88 Tries to harvest and steal browser information (history, passwords, etc) 26->88 signatures14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b63f93e0815aa8f06565aec612aa0916b7ebf65efced3545e92bec450a01afdd
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b63f93e0815aa8f06565aec612aa0916b7ebf65efced3545e92bec450a01afdd/
Verdict:
Malicious
Threat:
Family.XRED
Link:
https://tip.neiki.dev/file/b63f93e0815aa8f06565aec612aa0916b7ebf65efced3545e92bec450a01afdd
Threat name:
Win32.Worm.AutoRun
Create hunting rule
Status:
Malicious
First seen:
2026-05-20 08:36:07 UTC
File Type:
PE (Exe)
Extracted files:
72
AV detection:
35 of 38 (92.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wy7zhyeblkupazlfv3dbfkqjc236x5s67twtkrpjfpwekcqbv7oq._file
Verdict:
malicious
Label(s):
404keylogger
Create hunting rule
xredbackdoor
Create hunting rule
wannacryptor
Create hunting rule
Similar samples:
01beb5ff303d761cfffc12ace47aa012fc86000382b04e1e2f9342c7b10657ae
XRed
1d164187b8c959a02f88ebe22a577fbfa70700a7b6679fa7815e654eed38d01e
XRed
b63f93e0815aa8f06565aec612aa0916b7ebf65efced3545e92bec450a01afdd
XRed
b7e0271a56ea4badec51b169b272ee381c74a5b9f07a03c80469f4c058931b88
XRed
error
XRed
faa2ffa4498542a73f97ca66525fe785788559665b0a553a322d5ccefa7bf473
XRed
fdd36a586f4979bb696ae7863c45e7332a6e318ef3a6189e1adec270fa698bb6
XRed
+ 3'034 additional samples on MalwareBazaar
Result
Malware family:
xred
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger family:xred backdoor collection discovery keylogger persistence spyware stealer
Link:
https://tria.ge/reports/260520-k9rzgsdx2l/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in System32 directory
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Family: Snake Keylogger
Family: Xred
Snake Keylogger payload
Malware Config
C2 Extraction:
xred.mooo.com
https://api.telegram.org/bot8998880555:AAF9XzUICVQocz8ESEFVLTTKbIn4Z6LEwvI/sendMessage?chat_id=8728802329
Unpacked files
SH256 hash:
b63f93e0815aa8f06565aec612aa0916b7ebf65efced3545e92bec450a01afdd
MD5 hash:
2d1d57d90b779a8706d0993a8dcded54
SHA1 hash:
f89c582c0d70a9bffe6f1517d83e1be8d640396e
Detections:
triage_xred_backdoor
Create hunting rule
Link:
https://www.unpac.me/results/29ac26ca-823a-4265-b416-cef977443702/
SH256 hash:
b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2
MD5 hash:
c0ef4d6237d106bf51c8884d57953f92
SHA1 hash:
f1da7ecbbee32878c19e53c7528c8a7a775418eb
Link:
https://www.unpac.me/results/29ac26ca-823a-4265-b416-cef977443702/
SH256 hash:
1eee310521b4a4ad99fbec3e984ad2585e459198cd85df286fef6312ef48acfc
MD5 hash:
64fe1225027386736fb7e7be57a1bc76
SHA1 hash:
c43c52e42ba4015f278e552b5425e59062609420
Link:
https://www.unpac.me/results/29ac26ca-823a-4265-b416-cef977443702/
SH256 hash:
a9cc84d37c2b5ebe169fd63a4058eee5c85f44fb375d201e9f1eea6a1cc17ea8
MD5 hash:
293f78d7524f776f30ecc5ac90715ea3
SHA1 hash:
0cb847eaf23e409c42169e6139b456a6129d8c12
Detections:
win_404keylogger_g1
Create hunting rule
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/29ac26ca-823a-4265-b416-cef977443702/
Parent samples :
b63f93e0815aa8f06565aec612aa0916b7ebf65efced3545e92bec450a01afdd
a30e49e1f71c70c4bc72f62e80be05b837c4a01a8fcc12e0c5a4c2cf52e270fa
SH256 hash:
7e5e42651838afcb21918d7c4cec7d2a3352a51bd32f572a8a889e47cedb7c89
MD5 hash:
bc5c24037c01c45d357e78aae1457f88
SHA1 hash:
8b6115e53004c4330550467a4d67c509dc98452b
Link:
https://www.unpac.me/results/29ac26ca-823a-4265-b416-cef977443702/
SH256 hash:
fe2d91378aca9304059ee0b73683796f2a9b42140bdc28e95222b2b7cb70f86e
MD5 hash:
7012c9d52e009173082e0324321b4a41
SHA1 hash:
d161ab5781ef9b2cc59f405001f2486b8b7c6007
Link:
https://www.unpac.me/results/29ac26ca-823a-4265-b416-cef977443702/
Malware family:
XRed
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b63f93e0815a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b63f93e0815aa8f06565aec612aa0916b7ebf65efced3545e92bec450a01afdd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:D1S1Gv11betaD1N
Create hunting rule
Author:malware-lu
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:SUSP_NET_Shellcode_Loader_Indicators_Jan24
Create hunting rule
Author:Jonathan Peters
Description:Detects indicators of shellcode loaders in .NET binaries
Reference:https://github.com/Workingdaturah/Payload-Generator/tree/main
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:vbaproject_bin
Create hunting rule
Author:CD_R0M_
Description:{76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XRed

Executable exe b63f93e0815aa8f06565aec612aa0916b7ebf65efced3545e92bec450a01afdd

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/66580/

Comments