MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd5de75c019f00e5d890e5dca32e3dd0a70400679094f5e61db51d41bc76e423. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XRed

Vendor detections: 19

Intelligence 19 IOCs YARA 3 File information Comments

SHA256 hash:	fd5de75c019f00e5d890e5dca32e3dd0a70400679094f5e61db51d41bc76e423
SHA3-384 hash:	327a6488feb9b53287e0ebdd33f499d3648b39f4ccc93d082de2b1094fe67b032d960288dca14f073a416aba7e4d89c4
SHA1 hash:	11dc7ce98b52f18196b90f6b8465789993efdb0f
MD5 hash:	2c33ac3d486cc86a54a4f62f846b0a4a
humanhash:	hydrogen-bakerloo-stairway-wolfram
File name:	P.O.scr.exe
Download:	download sample
Signature	XRed Create hunting rule
File size:	1'285'632 bytes
First seen:	2025-10-07 19:18:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (49'070 x AgentTesla, 20'027 x Formbook, 12'352 x SnakeKeylogger)
ssdeep	24576:18jc14wWFCbNRWK8T5SrllBPAVr9uXeFbn73EArSOoF9moHp6P+vDcXL7FOv:18jI4wcA8tkprAF1Fbn7XrSOGg26P+rF
Threatray	3'097 similar samples on MalwareBazaar
TLSH	T13C55238C29AACA16E8631BF25E74E07457B07D889903C44BAFD33DCFB17AB554A40B47
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	James_inthe_box
Tags:	exe xred

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

P.O.scr.exe

Verdict:

Malicious activity

Analysis date:

2025-10-07 19:21:32 UTC

Tags:

xred backdoor redline stealer

Link:

https://app.any.run/tasks/94d56cee-a7b3-45df-8979-92edfaf2bfe6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/31047/

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68e567c8277c2bd8bc5d93d6

Tags:

infosteal redline

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

masquerade packed vbnet

Link:

https://www.filescan.io/uploads/68e567ea5a3bccf09ebbfe97/reports/934fff93-20e6-4402-a15a-ce0fd1377f6f/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/fd5de75c019f00e5d890e5dca32e3dd0a70400679094f5e61db51d41bc76e423

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-07T12:15:00Z UTC

Last seen:

2025-10-08T16:21:00Z UTC

Hits:

~1000

Link:

https://opentip.kaspersky.com/fd5de75c019f00e5d890e5dca32e3dd0a70400679094f5e61db51d41bc76e423/results?tab=lookup

Malware family:

XRed

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f86e7b56-ad84-4462-8bc6-42bd147e0eeb

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/fd5de75c019f00e5d890e5dca32e3dd0a70400679094f5e61db51d41bc76e423

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.48 Win 32 Exe x86

Link:

https://app.malva.re/file/2c33ac3d486cc86a54a4f62f846b0a4a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fd5de75c019f00e5d890e5dca32e3dd0a70400679094f5e61db51d41bc76e423/

Verdict:

Malicious

Threat:

Family.XRED

Link:

https://tip.neiki.dev/file/fd5de75c019f00e5d890e5dca32e3dd0a70400679094f5e61db51d41bc76e423

Threat name:

ByteCode-MSIL.Trojan.XWorm

Status:

Malicious

First seen:

2025-10-07 15:23:57 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7vo6oxabt4aolweq4xokglr52ctqiadhsckplzq5wuoudpdw4qrq._file

Verdict:

malicious

Label(s):

unc_loader_037

redlinestealer

xredbackdoor

XRed

4b6dcc799cd2d6c6b6ddcef43e8e29bf6fa4ddd676959bd713f093b7143c0b8b

XRed

7bed0eed3f423b22cecbfdd23aad0ca8c3b0e8fb5ff0c0402e19e0273f7c27d3

XRed

9fd0eaf75124db45051e5c3b0561b3e8c80af9459fcddf09289698b4acc42096

XRed

ab82c433b4a5e763de3427295657629780fa2157f0db9975c643ba4610b5d885

XRed

e439378ca0ca70865ce01d9e795927bd542ee929db1671509555c4fc82c3e65d

XRed

error

XRed

+ 3'087 additional samples on MalwareBazaar

Result

Malware family:

xred

Score:

10/10

Tags:

family:redline family:sectoprat family:xred botnet:cheat backdoor discovery infostealer persistence rat spyware stealer trojan

Link:

https://tria.ge/reports/251007-x1y3na1r19/

Behaviour

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Executes dropped EXE

Reads user/profile data of web browsers

RedLine

RedLine payload

Redline family

SectopRAT

SectopRAT payload

Sectoprat family

Xred

Xred family

Malware Config

C2 Extraction:

xred.mooo.com
38.255.43.72:53666

Verdict:

Unknown

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/c550d9b7-c9f1-43d5-a35c-30b1a5d38fa0

Unpacked files

SH256 hash:

fd5de75c019f00e5d890e5dca32e3dd0a70400679094f5e61db51d41bc76e423

MD5 hash:

2c33ac3d486cc86a54a4f62f846b0a4a

SHA1 hash:

11dc7ce98b52f18196b90f6b8465789993efdb0f

Link:

https://www.unpac.me/results/ffe3182b-0191-4549-b5d6-3e102722192e/

SH256 hash:

48d28b99ef01161e51eb4adbca98d5a4ac3528788b86fd4e618233f4c51b2971

MD5 hash:

2665bdbb315a67ff33bcb348b6be7ed3

SHA1 hash:

1ce153f8585175f1baed8294f9d8c9b096a8ea5a

Detections:

RedLine_a

mal_xred_backdoor

INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

MALWARE_Win_RedLine

Link:

https://www.unpac.me/results/ffe3182b-0191-4549-b5d6-3e102722192e/

Parent samples :

102f3695bcc747312ab744876f0558a1404b96a043fbfd90410d3c36930f1ac7
fd5de75c019f00e5d890e5dca32e3dd0a70400679094f5e61db51d41bc76e423

SH256 hash:

868f9844cd6f0ea25b1115f509044f21f71a787afe9b706eb44c11f4942cb563

MD5 hash:

55786c675054c44592975b5fa7f643fb

SHA1 hash:

851f36ec99a212528ee1d5070af0907aaa05c483

Link:

https://www.unpac.me/results/ffe3182b-0191-4549-b5d6-3e102722192e/

SH256 hash:

bc889fdebcbe896465f61bd37004bf964537562ef89df507b817d92796597391

MD5 hash:

4806eb21f5146017d8f7631506bea532

SHA1 hash:

ac492f8b86ed4315a6256f841bf887cd8ce1596d

Detections:

RedLine_a

INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

MALWARE_Win_RedLine

Link:

https://www.unpac.me/results/ffe3182b-0191-4549-b5d6-3e102722192e/

Parent samples :

bc889fdebcbe896465f61bd37004bf964537562ef89df507b817d92796597391
102f3695bcc747312ab744876f0558a1404b96a043fbfd90410d3c36930f1ac7
fd5de75c019f00e5d890e5dca32e3dd0a70400679094f5e61db51d41bc76e423

SH256 hash:

e33c2368260cad82da784eb8580b674896775f1137e463dfff7aef2f3286ea66

MD5 hash:

cd46784bfef21bc020edab21cd313581

SHA1 hash:

d624156ed8c53ce97d5d780ba58b697323afe1fe

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/ffe3182b-0191-4549-b5d6-3e102722192e/

SH256 hash:

b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2

MD5 hash:

c0ef4d6237d106bf51c8884d57953f92

SHA1 hash:

f1da7ecbbee32878c19e53c7528c8a7a775418eb

Link:

https://www.unpac.me/results/ffe3182b-0191-4549-b5d6-3e102722192e/

Malware family:

RedLine.A

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fd5de75c019f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fd5de75c019f00e5d890e5dca32e3dd0a70400679094f5e61db51d41bc76e423

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/31047/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample