Resubmissions

23-05-2024 18:26

240523-w3nh9sbg96 10

General

  • Target

    d34b300dea4cb02902be18e5ffac2d219948671c06052ae1b8b4e3301c255dca

  • Size

    7.2MB

  • Sample

    240523-w3nh9sbg96

  • MD5

    880814a8c2304729007fa0a008587dc5

  • SHA1

    1adc9fc4d58e6271f1db89187e3918bd36147887

  • SHA256

    d34b300dea4cb02902be18e5ffac2d219948671c06052ae1b8b4e3301c255dca

  • SHA512

    500dfa0d04dee632f0f6733f244e52126c5ff671c459d9705cb9507acbdaa262fbc474d72dc6459d0ce254662e8c2ca7d7afb68ca60a938a1352a9e2252e158e

  • SSDEEP

    98304:9ws2ANnKXOaeOgmhM3nsmtk2aTigPzUYm9uALfprsQunQf7UORs:nKXbeO7QLKsuAdty

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Targets

    • Target

      d34b300dea4cb02902be18e5ffac2d219948671c06052ae1b8b4e3301c255dca

    • Size

      7.2MB

    • MD5

      880814a8c2304729007fa0a008587dc5

    • SHA1

      1adc9fc4d58e6271f1db89187e3918bd36147887

    • SHA256

      d34b300dea4cb02902be18e5ffac2d219948671c06052ae1b8b4e3301c255dca

    • SHA512

      500dfa0d04dee632f0f6733f244e52126c5ff671c459d9705cb9507acbdaa262fbc474d72dc6459d0ce254662e8c2ca7d7afb68ca60a938a1352a9e2252e158e

    • SSDEEP

      98304:9ws2ANnKXOaeOgmhM3nsmtk2aTigPzUYm9uALfprsQunQf7UORs:nKXbeO7QLKsuAdty

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • Gh0strat family

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    • Purplefox family

    • Xred

      Xred is backdoor written in Delphi.

    • Xred family

    • Drops file in Drivers directory

    • Server Software Component: Terminal Services DLL

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks