General

  • Target

    38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33

  • Size

    3.5MB

  • Sample

    240103-rqznjseebp

  • MD5

    9faace482045ab5df714a1e42ccca112

  • SHA1

    85156d4347decd70b060f7f90aea67fc7ca7bde8

  • SHA256

    38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33

  • SHA512

    874f04dfad6149d0635c84bf3e6c51caf74a7d5ae7ac62477d6760cfa19dfe8571c2da6e1b149e7f837407cc5e905b4767015e0608d3554ef2a9e05bb87ca083

  • SSDEEP

    49152:9YREXSVMDi34QnsHyjtk2MYC5GDsVN/wEwqq8u5zn:S2SVMD8dnsmtk2alWqTuxn

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Targets

    • Target

      38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33

    • Size

      3.5MB

    • MD5

      9faace482045ab5df714a1e42ccca112

    • SHA1

      85156d4347decd70b060f7f90aea67fc7ca7bde8

    • SHA256

      38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33

    • SHA512

      874f04dfad6149d0635c84bf3e6c51caf74a7d5ae7ac62477d6760cfa19dfe8571c2da6e1b149e7f837407cc5e905b4767015e0608d3554ef2a9e05bb87ca083

    • SSDEEP

      49152:9YREXSVMDi34QnsHyjtk2MYC5GDsVN/wEwqq8u5zn:S2SVMD8dnsmtk2alWqTuxn

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • Gh0strat family

    • Parallax family

    • ParallaxRat

      ParallaxRat is a multipurpose RAT written in MASM.

    • ParallaxRat payload

      Detects the payload of Parallax RAT, a small portable RAT usually digitally signed with a Sectigo certificate.

    • Xred

      Xred is a backdoor written in Delphi.

    • Xred family

    • Server Software Component: Terminal Services DLL

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks