Resubmissions
23-05-2024 18:26
240523-w3nh9sbg96 10General
-
Target
d34b300dea4cb02902be18e5ffac2d219948671c06052ae1b8b4e3301c255dca
-
Size
7.2MB
-
Sample
240523-w3nh9sbg96
-
MD5
880814a8c2304729007fa0a008587dc5
-
SHA1
1adc9fc4d58e6271f1db89187e3918bd36147887
-
SHA256
d34b300dea4cb02902be18e5ffac2d219948671c06052ae1b8b4e3301c255dca
-
SHA512
500dfa0d04dee632f0f6733f244e52126c5ff671c459d9705cb9507acbdaa262fbc474d72dc6459d0ce254662e8c2ca7d7afb68ca60a938a1352a9e2252e158e
-
SSDEEP
98304:9ws2ANnKXOaeOgmhM3nsmtk2aTigPzUYm9uALfprsQunQf7UORs:nKXbeO7QLKsuAdty
Static task
static1
Behavioral task
behavioral1
Sample
d34b300dea4cb02902be18e5ffac2d219948671c06052ae1b8b4e3301c255dca.exe
Resource
win7-20231129-en
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Targets
-
-
Target
d34b300dea4cb02902be18e5ffac2d219948671c06052ae1b8b4e3301c255dca
-
Size
7.2MB
-
MD5
880814a8c2304729007fa0a008587dc5
-
SHA1
1adc9fc4d58e6271f1db89187e3918bd36147887
-
SHA256
d34b300dea4cb02902be18e5ffac2d219948671c06052ae1b8b4e3301c255dca
-
SHA512
500dfa0d04dee632f0f6733f244e52126c5ff671c459d9705cb9507acbdaa262fbc474d72dc6459d0ce254662e8c2ca7d7afb68ca60a938a1352a9e2252e158e
-
SSDEEP
98304:9ws2ANnKXOaeOgmhM3nsmtk2aTigPzUYm9uALfprsQunQf7UORs:nKXbeO7QLKsuAdty
-
Gh0st RAT payload
-
Gh0strat family
-
Purplefox family
-
Xred family
-
Drops file in Drivers directory
-
Server Software Component: Terminal Services DLL
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Server Software Component
1Terminal Services DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Defense Evasion
Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1