Overview

overview

10

Static

static

3

60e26db129...eN.exe

windows7-x64

10

60e26db129...eN.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    60e26db1295e761743202849b2fc4e658997e1d6e427336fcd2ebedb344f3c3eN

  • Size

    3.8MB

  • Sample

    241002-brk9jszeql

  • MD5

    b76ee79acb617308714ce10c9694aaf0

  • SHA1

    96463bbfc64d062ae413944d54de71d032cfdb28

  • SHA256

    60e26db1295e761743202849b2fc4e658997e1d6e427336fcd2ebedb344f3c3e

  • SHA512

    0a1c786c5d89532378a74444c92cf30b3e9cdc2902d4a3db25a007f04c2a1ed5d2f8038fcf9ae44517035c94c09fbb039e86d5729e8f59e5fcbab3ad1ac77f04

  • SSDEEP

    49152:RnsHyjtk2MYC5GDou5ThGzaxEueKvnGrskbj4Vp75Y:Rnsmtk2awTc8G3om

Score
10/10
xredbackdoordiscoverypersistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Targets

    • Target

      60e26db1295e761743202849b2fc4e658997e1d6e427336fcd2ebedb344f3c3eN

    • Size

      3.8MB

    • MD5

      b76ee79acb617308714ce10c9694aaf0

    • SHA1

      96463bbfc64d062ae413944d54de71d032cfdb28

    • SHA256

      60e26db1295e761743202849b2fc4e658997e1d6e427336fcd2ebedb344f3c3e

    • SHA512

      0a1c786c5d89532378a74444c92cf30b3e9cdc2902d4a3db25a007f04c2a1ed5d2f8038fcf9ae44517035c94c09fbb039e86d5729e8f59e5fcbab3ad1ac77f04

    • SSDEEP

      49152:RnsHyjtk2MYC5GDou5ThGzaxEueKvnGrskbj4Vp75Y:Rnsmtk2awTc8G3om

    Score
    10/10
    xredbackdoordiscoverypersistence

    • Xred

      Xred is backdoor written in Delphi.

      backdoorxred

    • Xred family

      xred

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks