MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e41eac343f994a3dd12ede81d19f570a7572702abc0fa35aba51f372a7432aaf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkComet


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e41eac343f994a3dd12ede81d19f570a7572702abc0fa35aba51f372a7432aaf
SHA3-384 hash: 22e04bdc8d29c15a07bf8dc0b5d373b81d6637a3f16a2ee15236edb12fbc6f5afd9b35fac0d035c8f3e3657ef7944cf3
SHA1 hash: 34b84e36ff7fc45a814e31044fcc980e8b6e3a68
MD5 hash: 95e20a4b5c7f7decfd1257100a0457e2
humanhash: princess-princess-blossom-asparagus
File name:XY Cursor-Setup-2.3.2-x64 (2).exe
Download: download sample
Signature DarkComet
Create hunting rule
File size:87'342'592 bytes
First seen:2026-02-08 17:34:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 332f7ce65ead0adfb3d35147033aabe9 (94 x XRed, 18 x SnakeKeylogger, 9 x DarkComet)
ssdeep 1572864:+Ue4hdV6xfgwHHcynQ3Y9GF0J2/3M4fvHLTkEY68xsqBJV5:+Ue4DoxfZ7I/0A/3/vHLosEr5
Threatray 911 similar samples on MalwareBazaar
TLSH T151183333B96144BBD1A27B7D8C1F52E4891B7C4B2E2D219E33ED1E5DADB8A021D211C7
TrID 77.5% (.EXE) Inno Setup installer (107240/4/30)
7.6% (.EXE) Win64 Executable (generic) (10522/11/4)
7.2% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
3.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.4% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter Ling
Tags:autorun DarkComet exe worm Worm:Win32/AutoRun!pz


Avatar
CNGaoLing
Worm:Win32/AutoRun!pz

Intelligence

File Origin
# of uploads :
1
# of downloads :
175
Origin country :
US US
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/6809e099-f490-4343-aad0-e98c5d5f5d90/
Malware family:
n/a
ID:
1
File name:
XY Cursor-Setup-2.3.2-x64 (2).exe
Verdict:
Malicious activity
Analysis date:
2026-02-08 17:36:21 UTC
Tags:
xred backdoor auto-reg delphi dyndns
Link:
https://app.any.run/tasks/1b24f698-66cc-4010-8bc6-e870bef52585

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6988c96f4c8b031249cd7de5
Tags:
darkkomet delphi
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Moving a recently created file
Searching for the window
Creating a file in the %temp% subdirectories
Modifying an executable file
DNS request
Connection attempt
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Infecting executable files
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug base64 blackhole borland_delphi cmd darkkomet fingerprint lolbin soft-404 virus
Link:
https://www.filescan.io/uploads/6988c964981ff1d38a4d4e7f/reports/b31a3d9b-f407-461d-8626-3f9e65dd6e43/overview
Verdict:
Malicious
Labled as:
Comet.A
Link:
https://www.hybrid-analysis.com/sample/e41eac343f994a3dd12ede81d19f570a7572702abc0fa35aba51f372a7432aaf
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-02-08T12:17:00Z UTC
Last seen:
2026-02-08T23:07:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.XRed.nt Trojan.Win32.XRed.mq HEUR:Trojan.Script.Generic Trojan.MSOffice.SAgent.sb Trojan.Win32.XRed.sb Trojan.Win32.XRed.nd Trojan.Win32.XRed.mg HEUR:Trojan-Downloader.Script.Generic Backdoor.Win32.DarkKomet.hqxy BSS:Exploit.Win32.Generic Trojan.Win32.XRed.op Trojan.Win32.Agent.sb VHO:Trojan.MSOffice.SAgent.gen PDM:Trojan.Win32.Generic Trojan.Win32.XRed.ox Trojan.Win32.Agentb.jrhy HEUR:Worm.Win32.Generic HEUR:Trojan-Ransom.Win32.Gen.gen HEUR:Trojan-Downloader.MSOffice.Agent.gen Backdoor.Win32.Zegost.sb
Link:
https://opentip.kaspersky.com/e41eac343f994a3dd12ede81d19f570a7572702abc0fa35aba51f372a7432aaf/results?tab=lookup
Score:
94%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e41eac343f994a3dd12ede81d19f570a7572702abc0fa35aba51f372a7432aaf
Gathering data
Verdict:
Malicious
Threat:
Family.XRED
Link:
https://tip.neiki.dev/file/e41eac343f994a3dd12ede81d19f570a7572702abc0fa35aba51f372a7432aaf
Threat name:
Win32.Worm.Zorex
Create hunting rule
Status:
Malicious
First seen:
2026-02-08 17:35:47 UTC
File Type:
PE (Exe)
Extracted files:
432
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4qpkynb7tffd3ujo32a5dh2xbj2xe4bkxqh2gwv2khzxfj2dfkxq._file
Verdict:
malicious
Label(s):
xredbackdoor
Create hunting rule
Similar samples:
148a66e153761e6bc969fbc4f98a40ed0a27d52469901eefe8cd6965ab4d09c5
DarkComet
2093c40693b6684ea3eb4c6fccec07b765551b3c0f28cb6f14543aef86fdce3f
DarkComet
807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e
DarkComet
a018a79a0a2ef5a2acf5c4039f2d805309c2bdade0ac3c893e017bab55b7f219
DarkComet
error
DarkComet
f97559f4ec80f28bd177d1a9e1d5208c5cadbf26e20cac4af374e6b1144a710c
DarkComet
fdd36a586f4979bb696ae7863c45e7332a6e318ef3a6189e1adec270fa698bb6
DarkComet
+ 901 additional samples on MalwareBazaar
Result
Malware family:
xred
Create hunting rule
Score:
  10/10
Tags:
family:xred backdoor discovery macro persistence
Link:
https://tria.ge/reports/260208-v59zlsdv9f/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Suspicious Office macro
Xred
Xred family
Malware Config
C2 Extraction:
xred.mooo.com
Malware family:
XRed
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e41eac343f99/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DarkComet

Executable exe e41eac343f994a3dd12ede81d19f570a7572702abc0fa35aba51f372a7432aaf

(this sample)

  
Delivery method
Distributed via web download

Comments