xred | e820e5072dddccf820e043634f226ee0223fb5d0473c575f39eb88fce647d477 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

KoalageddonInstaller.exe
Size

3.6MB
Sample

240905-a988na1bld
MD5

8409990c16c5003e804b40bb4f8d8fa7
SHA1

2d6d5458bc2caade8019a09f9cdc8cb9bbc59620
SHA256

e820e5072dddccf820e043634f226ee0223fb5d0473c575f39eb88fce647d477
SHA512

b5da43ad3d24d8c23603af8ef7c78b108f2cdd253464347c844a552a4f213895cf0955a67147c384538ac1b069254e2af535064130b44219962fa12debfcd8f9
SSDEEP

98304:cnsmtk2aLSilkJ/FKZvpG+H++f+DidXvh6d204OOR5q2S:yLtuZvvH+XgJ6M8YYV

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Targets

- Target
  
  KoalageddonInstaller.exe
- Size
  
  3.6MB
- MD5
  
  8409990c16c5003e804b40bb4f8d8fa7
- SHA1
  
  2d6d5458bc2caade8019a09f9cdc8cb9bbc59620
- SHA256
  
  e820e5072dddccf820e043634f226ee0223fb5d0473c575f39eb88fce647d477
- SHA512
  
  b5da43ad3d24d8c23603af8ef7c78b108f2cdd253464347c844a552a4f213895cf0955a67147c384538ac1b069254e2af535064130b44219962fa12debfcd8f9
- SSDEEP
  
  98304:cnsmtk2aLSilkJ/FKZvpG+H++f+DidXvh6d204OOR5q2S:yLtuZvvH+XgJ6M8YYV
Score

10^/10

xred backdoor discovery persistence
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xredbackdoordiscoverypersistence