MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bff0da2fc8b10d1a3da3925cf30f07d04704f8a82ed5ab2f755395763dbb3cd1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XRed

Vendor detections: 17

Intelligence 17 IOCs YARA 13 File information Comments

SHA256 hash:	bff0da2fc8b10d1a3da3925cf30f07d04704f8a82ed5ab2f755395763dbb3cd1
SHA3-384 hash:	fd69981a0365d124e94eae32289b73084432b82575e0c9255f78a453619a04a18d38cb2cfd05b8e9c8960f0669a2a8a2
SHA1 hash:	29bbc20d4b1f6a4b198f659ac55df69daec6f8e9
MD5 hash:	e21b344cc7ac95f1a4c7d1e3b8958ff6
humanhash:	steak-lithium-juliet-pennsylvania
File name:	bff0da2fc8b10d1a3da3925cf30f07d04704f8a82ed5ab2f755395763dbb3cd1
Download:	download sample
Signature	XRed Create hunting rule
File size:	1'678'336 bytes
First seen:	2026-06-08 08:35:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	332f7ce65ead0adfb3d35147033aabe9 (100 x XRed, 18 x SnakeKeylogger, 9 x DarkComet)
ssdeep	49152:KnsHyjtk2MYC5GDi44jLRMqnbFIZFe7lnj9N7:Knsmtk2at4wLRMqnRIZ47Bjn
Threatray	3'134 similar samples on MalwareBazaar
TLSH	T11475C022F291C437D1631B784C66E3B85439BE502D24B64B7BF96E4FBE3A68138152D3
TrID	93.8% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58) 2.0% (.EXE) Win32 Executable Delphi generic (14182/79/4) 1.4% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2) 0.9% (.EXE) Win64 Executable (generic) (6522/11/2) 0.6% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
dhash icon	86c0d4dedef029c4 (1 x XRed)
Reporter	adrian__luca
Tags:	exe xred

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

MSO XRed

Details

Link:

https://research.acce.ciphertechsolutions.com/results/861432d0-8a5a-4b11-bccf-02ef4522d932/

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/69564/

Detection(s):

Win.Trojan.Emotet-9850453-0

Win.Trojan.Generic-9936029-0

Win.Malware.Delf-6899401-0

YARA.RUSSIANPANDA_Mal_Xred_Backdoor.UNOFFICIAL

YARA.COD3NYM_SUSP_NET_Shellcode_Loader_Indicators_Jan24.UNOFFICIAL

TwinWave.EvilDoc.PKILLDropboxMacroDirectDownload.20220331.UNOFFICIAL

SecuriteInfo.com.Other.Malware-gen.4213.13336.UNOFFICIAL

MiscreantPunch.EvilMacro.PVDISABLE.170819.UNOFFICIAL

TwinWave.EvilDoc.PolicyKillOnlyHappyWhenItRains.20210704.UNOFFICIAL

TwinWave.EvilDoc.HanciInterruptMyDayHandler.20210721.UNOFFICIAL

Xls.Dropper.Agent-7382066-0

PUA.Win.Packer.D1s1g-5

PUA.Win.Packer.D1s1g-1

PUA.Win.Packer.D1s1g-2

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a2680863e9eff6a6b68b381

Tags:

darkkomet delphi

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

Creating a file

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

Moving a recently created file

Searching for the window

Creating a file in the %temp% directory

Moving a file to the %temp% directory

Modifying an executable file

Deleting a recently created file

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Unauthorized injection to a recently created process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Query of malicious DNS domain

Unauthorized injection to a recently created process by context flags manipulation

Stealing user critical data

Infecting executable files

Forced shutdown of a browser

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context anti-debug base64 borland_delphi cmd fingerprint installer-heuristic keylogger lolbin overlay packed reconnaissance unsafe

Link:

https://www.filescan.io/uploads/6a267f381f652d68656d959b/reports/52509cf1-97d9-4f46-a640-3d2450b4e271/overview

Verdict:

Malicious

Labled as:

Comet.A

Link:

https://www.hybrid-analysis.com/sample/bff0da2fc8b10d1a3da3925cf30f07d04704f8a82ed5ab2f755395763dbb3cd1

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-05-25T00:04:00Z UTC

Last seen:

2026-06-10T04:01:00Z UTC

Hits:

~1000

Link:

https://opentip.kaspersky.com/bff0da2fc8b10d1a3da3925cf30f07d04704f8a82ed5ab2f755395763dbb3cd1/results?tab=lookup

Malware family:

XRed

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/dbb02f25-bb73-4655-a5a9-6e1068f2b2cd

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/bff0da2fc8b10d1a3da3925cf30f07d04704f8a82ed5ab2f755395763dbb3cd1

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bff0da2fc8b10d1a3da3925cf30f07d04704f8a82ed5ab2f755395763dbb3cd1/

Threat name:

Win32.Worm.AutoRun

Status:

Malicious

First seen:

2026-05-25 23:57:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

33 of 36 (91.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=x7ynul6iwegrupndsjopgdyh2bdqj6fif3k2wl3vkokxmpn3htiq._file

Verdict:

malicious

Label(s):

xredbackdoor

XRed

a30e49e1f71c70c4bc72f62e80be05b837c4a01a8fcc12e0c5a4c2cf52e270fa

XRed

b63f93e0815aa8f06565aec612aa0916b7ebf65efced3545e92bec450a01afdd

XRed

bff0da2fc8b10d1a3da3925cf30f07d04704f8a82ed5ab2f755395763dbb3cd1

XRed

error

XRed

faa2ffa4498542a73f97ca66525fe785788559665b0a553a322d5ccefa7bf473

XRed

fdd36a586f4979bb696ae7863c45e7332a6e318ef3a6189e1adec270fa698bb6

XRed

+ 3'124 additional samples on MalwareBazaar

Result

Malware family:

xred

Score:

10/10

Tags:

family:snakekeylogger family:xred backdoor collection discovery keylogger persistence spyware stealer

Link:

https://tria.ge/reports/260608-kh21daa14y/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Drops file in System32 directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Adds Run key to start application

Looks up external IP address via web service

Checks computer location settings

Executes dropped EXE

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Family: Snake Keylogger

Family: Xred

Snake Keylogger payload

Malware Config

C2 Extraction:

xred.mooo.com
https://api.telegram.org/bot8970622308:AAGfySlpWkmSJF5agnOtbVylBKVG2jd0yQM/sendMessage?chat_id=8728802329

Unpacked files

SH256 hash:

bff0da2fc8b10d1a3da3925cf30f07d04704f8a82ed5ab2f755395763dbb3cd1

MD5 hash:

e21b344cc7ac95f1a4c7d1e3b8958ff6

SHA1 hash:

29bbc20d4b1f6a4b198f659ac55df69daec6f8e9

Detections:

triage_xred_backdoor

Link:

https://www.unpac.me/results/19120e90-4516-45de-989c-f2480fa7b1c5/

SH256 hash:

b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2

MD5 hash:

c0ef4d6237d106bf51c8884d57953f92

SHA1 hash:

f1da7ecbbee32878c19e53c7528c8a7a775418eb

Link:

https://www.unpac.me/results/19120e90-4516-45de-989c-f2480fa7b1c5/

SH256 hash:

0ef211b6f1d69ec5617276f16bf3433f70e8736cb97703d84e11bdc438bb51f1

MD5 hash:

cd75fe232b3327b565d622088ff82c54

SHA1 hash:

9af125f66f587b71ee065435c4f257d23a1a2b08

Link:

https://www.unpac.me/results/19120e90-4516-45de-989c-f2480fa7b1c5/

SH256 hash:

da5dba78be66da201aa9adcf3e92a997c5744427c6c38f51917609c8850e4a4d

MD5 hash:

13caf94f8e7a8279fd3f0808cf4f8b20

SHA1 hash:

7541977f0b075a96bbb9d28a59241e871bd6d7b5

Link:

https://www.unpac.me/results/19120e90-4516-45de-989c-f2480fa7b1c5/

SH256 hash:

1f5ed6380c9a2ab92de9d8288d1475a9e065c3d9adc91410d54609d4641a9438

MD5 hash:

cd207ebaaa59dca92ba6ebeb68e55154

SHA1 hash:

af20ac67cb53387bf7640d9e92c15645bb270288

Detections:

win_404keylogger_g1

snake_keylogger

Link:

https://www.unpac.me/results/19120e90-4516-45de-989c-f2480fa7b1c5/

SH256 hash:

852eecfd5e22f7d65adac2f677219c137ae353c4cb5037041368fdadd517d0c6

MD5 hash:

1a86b7679db54cb46b20e488062d3eaa

SHA1 hash:

bf887015d3f8c627f9c1829d2f6d62c7bc16e098

Link:

https://www.unpac.me/results/19120e90-4516-45de-989c-f2480fa7b1c5/

Malware family:

XRed

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/bff0da2fc8b1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bff0da2fc8b10d1a3da3925cf30f07d04704f8a82ed5ab2f755395763dbb3cd1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BobSoftMiniDelphiBoBBobSoft Create hunting rule
Author:	malware-lu

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	D1S1Gv11betaD1N Create hunting rule
Author:	malware-lu

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	SUSP_NET_Shellcode_Loader_Indicators_Jan24 Create hunting rule
Author:	Jonathan Peters
Description:	Detects indicators of shellcode loaders in .NET binaries
Reference:	https://github.com/Workingdaturah/Payload-Generator/tree/main

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/

Rule name:	vbaproject_bin Create hunting rule
Author:	CD_R0M_
Description:	{76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/69564/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample