General

  • Target

    b0c9046c86091df27b548d62e9788080N

  • Size

    829KB

  • Sample

    240914-1b37vsxfjb

  • MD5

    b0c9046c86091df27b548d62e9788080

  • SHA1

    727782410016fde0bad9832c95d0930191339ca8

  • SHA256

    c43ec2685a469d8e2a00a3ed29dd861a850625324c9433161ea62345b9a8ec77

  • SHA512

    db372246d1b1e7384d37c862a843f1bc31e2ec6385f938afc86dc087e68b0273634ae67fad63b7badd3e9d756440f18e25320290297c7f9b677a1484875e7c7f

  • SSDEEP

    12288:DMSApJVYG5lDLyjsb0eOzkkBR7QnvswUilQ35+6G75X9IvhBjvrEH7C:DnsJ39LyjbJk6FMymC+6G99ArEH7C

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url


Targets

    • Floxif family

    • Floxif, Floodfix

      Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

    • Xred

      Xred is a backdoor written in Delphi.

    • Xred family

    • Detects Floxif payload

    • Event Triggered Execution: AppInit DLLs

      Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    • ACProtect 1.3x - 1.4x DLL software

      Detects a file protected with ACProtect software.

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15