MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 feb58fc44addde8aad50c0f77bc29971e18454e894d90dd8a93a068835bbf5ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XRed


Vendor detections: 18


Intelligence 18 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: feb58fc44addde8aad50c0f77bc29971e18454e894d90dd8a93a068835bbf5ae
SHA3-384 hash: 7720cec292e362c74b075abb04745ba765f6e35c8d2bd11da675f6c85e9151bfd1d474dd5a99334ec196d75045238102
SHA1 hash: 6c562f5d1f9725b8365085b25131451bdfa56691
MD5 hash: bcae17862624a1cb0e22c699e89ae215
humanhash: seventeen-nine-failed-six
File name:msnm75.exe
Download: download sample
Signature XRed
Create hunting rule
File size:10'123'776 bytes
First seen:2025-08-29 21:38:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 332f7ce65ead0adfb3d35147033aabe9 (94 x XRed, 18 x SnakeKeylogger, 9 x DarkComet)
ssdeep 196608:2LxjV+/uto1qhrC06rf+KLR+9999999jyAvElf1kQZFbIQoSm7wtD0:2VjVcKCkKc9999999jjclf1dZFs3R6I
Threatray 130 similar samples on MalwareBazaar
TLSH T1EBA62331F2D18437D0731B395C7BA3A5983ABE411E387A0B37F51E8D5E7A28139642A7
TrID 88.0% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
5.7% (.EXE) InstallShield setup (43053/19/16)
1.8% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.3% (.EXE) Win64 Executable (generic) (10522/11/4)
1.3% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
Magika pebin
Reporter malwareanalayser
Tags:exe xred

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
CZ CZ
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
msnm75.exe
Verdict:
Malicious activity
Analysis date:
2025-08-29 21:40:21 UTC
Tags:
xred backdoor auto-reg delphi dyndns
Link:
https://app.any.run/tasks/45151493-a1ee-4b7d-913d-e81c36bda194

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/24172/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68b21def3e988eb6ab82f4c6
Tags:
dropper delphi virus smtp
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Moving a recently created file
Creating a file in the %temp% subdirectories
Searching for the window
Modifying an executable file
DNS request
Connection attempt
Sending an HTTP GET request
Reading critical registry keys
Loading a suspicious library
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Infecting executable files
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context borland_delphi cmd fingerprint installer keylogger lolbin obfuscated optix packed packed packer_detected remote rundll32 runonce threat
Link:
https://www.filescan.io/uploads/68b21de51c81c34281d87d06/reports/0f53234b-2d79-44f2-a1cc-8cf332df9dd8/overview
Verdict:
Malicious
Labled as:
Trojan.DarkKomet
Link:
https://www.hybrid-analysis.com/sample/feb58fc44addde8aad50c0f77bc29971e18454e894d90dd8a93a068835bbf5ae
Verdict:
Malicious
File Type:
PE
First seen:
2021-01-01T00:59:00Z UTC
Last seen:
2021-01-01T00:59:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/feb58fc44addde8aad50c0f77bc29971e18454e894d90dd8a93a068835bbf5ae/results?tab=lookup
Malware family:
XRed
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9fecb702-9148-4305-b83d-9ac904cea0af
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/feb58fc44addde8aad50c0f77bc29971e18454e894d90dd8a93a068835bbf5ae
Verdict:
Malware
YARA:
6 match(es)
Tags:
.Net ADODB.Stream Blacklist VBA CAB:COMPRESSION:LZX CAB:COMPRESSION:MSZIP CAB:COMPRESSION:NONE Corrupted Executable Office Document PDB Path PE (Portable Executable) PE File Layout scripting.filesystemobject Win 32 Exe WinHttp.WinHttpRequest.5 WinHttp.WinHttpRequest.5.1 WScript.Shell x86
Link:
https://app.malva.re/file/bcae17862624a1cb0e22c699e89ae215
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/feb58fc44addde8aad50c0f77bc29971e18454e894d90dd8a93a068835bbf5ae/
Threat name:
Win32.Worm.Zorex
Create hunting rule
Status:
Malicious
First seen:
2025-08-29 21:40:55 UTC
File Type:
PE (Exe)
Extracted files:
988
AV detection:
35 of 38 (92.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=722y7rck3xpivlkqyd3xxquzohqyivhistmq3wfjhidiqnn36wxa._file
Verdict:
malicious
Label(s):
xredbackdoor
Create hunting rule
Similar samples:
148a66e153761e6bc969fbc4f98a40ed0a27d52469901eefe8cd6965ab4d09c5
XRed
1e2dc8d95c5de085cde8fb90129bd3c3c38a742a5ce34ae07e536512abc51bc6
XRed
2093c40693b6684ea3eb4c6fccec07b765551b3c0f28cb6f14543aef86fdce3f
XRed
61437d273cb1204be0e52d3bc516ea98a6eadcfd044bdf034669773893b58a64
XRed
807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e
XRed
a0dcaaad349a927f3884901a3b0fee340241b07e5f2ad73dc008125a0b1bc0ee
XRed
error
XRed
+ 120 additional samples on MalwareBazaar
Result
Malware family:
xred
Create hunting rule
Score:
  10/10
Tags:
family:xred adware backdoor defense_evasion discovery macro persistence ransomware spyware stealer
Link:
https://tria.ge/reports/250829-1hfp5szsg1/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies Control Panel
Modifies Internet Explorer settings
Modifies Internet Explorer start page
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Modifies trusted root certificate store through registry
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Suspicious Office macro
Xred
Xred family
Malware Config
C2 Extraction:
xred.mooo.com
Verdict:
Malicious
Tags:
backdoor xred_backdoor Win.Trojan.Emotet-9850453-0
YARA:
mal_xred_backdoor
Link:
https://app.threat.zone/submission/5f5a7653-246d-44a1-b7fc-cd70a20f69e3
Unpacked files
SH256 hash:
feb58fc44addde8aad50c0f77bc29971e18454e894d90dd8a93a068835bbf5ae
MD5 hash:
bcae17862624a1cb0e22c699e89ae215
SHA1 hash:
6c562f5d1f9725b8365085b25131451bdfa56691
Link:
https://www.unpac.me/results/32636fce-9efc-4227-9f7d-9b5145ce47d3/
SH256 hash:
021759c7ff3acf47a76f761d0d4d314887bc59b0198b210a0f185d708f63e8b3
MD5 hash:
3d5d8e5e72ad8e9b403c2caca90767f2
SHA1 hash:
2549fcd45963efaf1476f0d46a1fee78f2892fa6
Detections:
win_redline_wextract_hunting_oct_2023
Create hunting rule
Link:
https://www.unpac.me/results/32636fce-9efc-4227-9f7d-9b5145ce47d3/
SH256 hash:
7a4fb0a6bf2858580fb75b7f2cc3a34b4e84fca2a79185d9ea93ab6b89fef911
MD5 hash:
73660a14ac3fbc01516e60f01a3d04a2
SHA1 hash:
bfb961a6c28fbe59ea3b792da301c50ddb268b14
Link:
https://www.unpac.me/results/32636fce-9efc-4227-9f7d-9b5145ce47d3/
SH256 hash:
0f05bcf466df339419e18b5b31037e11d41089c936b81d85b8461e8a9b42b8a9
MD5 hash:
48044c50340bd5cb283e76309fcc9656
SHA1 hash:
c89835be3c40cca80e0f6b92acd73a585a1194f4
Link:
https://www.unpac.me/results/32636fce-9efc-4227-9f7d-9b5145ce47d3/
SH256 hash:
3f1d3afb77bf2254551c44867ed59b96ee81436c8e0350047d61bbc16023ec01
MD5 hash:
24d93f6b42a29e78464e2ec5b0935fb4
SHA1 hash:
ddca47e38372cab6716200fbd4a4fd264cd28461
Link:
https://www.unpac.me/results/32636fce-9efc-4227-9f7d-9b5145ce47d3/
SH256 hash:
b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2
MD5 hash:
c0ef4d6237d106bf51c8884d57953f92
SHA1 hash:
f1da7ecbbee32878c19e53c7528c8a7a775418eb
Link:
https://www.unpac.me/results/32636fce-9efc-4227-9f7d-9b5145ce47d3/
SH256 hash:
7a48b2a358d41d91525a7429aa53ec8c02e1edc034863852b578a7fd65e28010
MD5 hash:
3adadf4b309e41210d3c7f3998e4d8c3
SHA1 hash:
13a8409182721dab93b9baa01cd0a63549dd775c
Link:
https://www.unpac.me/results/32636fce-9efc-4227-9f7d-9b5145ce47d3/
SH256 hash:
abf60794121703f5433f12895bf6594ae2af65a018d3c796106876961ec0e0cc
MD5 hash:
240ebe4c39b0f46d189c338b17c49b9d
SHA1 hash:
2578efbe4a8d1f7540a07f9aeced72ed1487f0c6
Link:
https://www.unpac.me/results/32636fce-9efc-4227-9f7d-9b5145ce47d3/
SH256 hash:
b37ed7de7308d48b711556e239ec1eb0308fe43b5d089af4bbfe96e86a683b83
MD5 hash:
ec9e01e156231385a985b09d7922d3bb
SHA1 hash:
38dc2f5e4aced20834885f3f84692d0f578019de
Link:
https://www.unpac.me/results/32636fce-9efc-4227-9f7d-9b5145ce47d3/
SH256 hash:
3183035a64a9924578794b4d22ce0724ed51098d1ad6aaf7ee439db8d4e30feb
MD5 hash:
b8068337125358620e42d24bd29d3652
SHA1 hash:
c2c23264c637ad341d46e78c52b029f7a8ccf4c3
Link:
https://www.unpac.me/results/32636fce-9efc-4227-9f7d-9b5145ce47d3/
Malware family:
XRed
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/feb58fc44add/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/feb58fc44addde8aad50c0f77bc29971e18454e894d90dd8a93a068835bbf5ae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:D1S1Gv11betaD1N
Create hunting rule
Author:malware-lu
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vbaproject_bin
Create hunting rule
Author:CD_R0M_
Description:{76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/24172/

Comments