General

  • Target

    Discord-QR-Scam-main.zip

  • Size

    20.7MB

  • Sample

    240509-arax5sad64

  • MD5

    6ffc2cb41594223e5865e719440a2f7b

  • SHA1

    924a8a06ca0c80d89f24596f7398415a0496c5c6

  • SHA256

    a4317ec0949be6e48ed6523cae4245f7b48cdb40ffaf4a1d28ac9b96335065d1

  • SHA512

    4b11959ea831e0467c23910415e059c2f71f20fcace9e9a5406130a7b35401ab62fb1818aa77c68a33a328d2b6bc111174f5c3b570e4b9849f28900fc04faf28

  • SSDEEP

    393216:oO1oNLn/qgjznMw73iMl14DQRvMG/IOM2KWth9CAcaVfPxkjB65pu2KVl:yNegj4eiMYcmG8SQqPyB65cl

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Targets

    • Target

      Discord-QR-Scam-main/QR_Generator.py

    • Size

      2KB

    • MD5

      04f204867e88175611d5a628bcbd77ff

    • SHA1

      1b220efa7d180e55b17dbe0b84ecacf612495b3b

    • SHA256

      cbdf089e2fe83e9c2c005e5dd68bcf657938569ddd16720f02e65a6bc11d6a7a

    • SHA512

      618c2909b7be365077dbf9c718f2964de275edd856c8767c2ed04f0f4619b3fbb2385683ccd09245db60b597f8e4269060a525027ca12e3a4a932d1682a65674

    • Score

      3/10

    • Target

      Discord-QR-Scam-main/chromedriver.exe

    • Size

      10.9MB

    • MD5

      7ea504d903d99968259d71bd558287f6

    • SHA1

      c4e54d7343129dcaeb312bd64f71745aeb38a647

    • SHA256

      a2fa1d7a9964b960d840794c09835aed62254d2a34d85a485e6554779c67aaaf

    • SHA512

      a72006de8fa5b479862a1771815d1acf912c6b795d13cb9ca073166ae5325a5eddaa9d4f6887a39fdfb7a06776409472a35fe9d27d805219e7f6840810aa41b5

    • SSDEEP

      196608:PL70TLrXoGaJINYI5lEZSmdXhnDaATPz/VDnV0:Pf030GaUzEsKxnGATPz/VDV0

    • Xred

      Xred is a backdoor written in Delphi.

    • Xred family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      Discord-QR-Scam-main/pip_install_requirements.bat

    • Size

      69B

    • MD5

      aa3e73cf17f8af46bf1e0f3345a937db

    • SHA1

      671504c86d73c270802717fb50c2f5101dc1d7c8

    • SHA256

      d00829f455bd02292de79963f5788ab964994fd01fbcdf07fd4d25e9e6e1f8d3

    • SHA512

      5faf44fe160615b7a65afedeb3424b5c99fb2fa129455866781427d53a5fc12389cc78cfea0f2ef81cb508f19e8948f2956972c718c92b123ac4c35dc69debce

    • Score

      1/10

    • Target

      Discord-QR-Scam-main/run.bat

    • Size

      701B

    • MD5

      95c44bee320698db81bdc82c8c9f12ac

    • SHA1

      da342d2be4f9a164baeb5ddcd05e4f542a6a48f3

    • SHA256

      1eade222f649e4ada09b9c0bc1a25d4523dbb0f33ebe0c85648e021ee788e785

    • SHA512

      431a78d00032cbdb44e81fbbe0713f48e7b7eec4a4eddf1bac55f91a13c0dca84343b7113a241246457a768e691ae24436ba2413844fc5a22bb23e53cf7bec70

    • Score

      1/10

    • Target

      Discord-QR-Scam-main/temp/run_script.bat

    • Size

      33.1MB

    • MD5

      d1a39d1fa53d8da2611ad91c91a1676e

    • SHA1

      140b8851213dce617a029a03f6823a68511f3e26

    • SHA256

      dbfc2291b18a27b4a17011028e88583f73c2fb3295858187dba4b768ff47b1ef

    • SHA512

      d80698b0c3575f2579c4ddf02f0411384d0aab0537ce2c482f1ee5577228f7470858cf049d16251f8acd522a1cadc0da7b02a698f79d78d041cff62fd1fb342f

    • SSDEEP

      393216:2QgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mgW96l+ZArYsFRlI:23on1HvSzxAMNWFZArYsA

    • Score

      7/10

    • Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks