xred | 09dcbc7aa3dd1e632ff4f3d4b50c200532f60867992a04d6985ec15fb78be003 | Triage

Sharing

General

Target

09dcbc7aa3dd1e632ff4f3d4b50c200532f60867992a04d6985ec15fb78be003
Size

379KB
Sample

241106-e43adatpav
MD5

535f39bf98fc0e292a225c9d6fe99e6e
SHA1

f4d055d19a7cac9b2815ead7869a991b33ebfb70
SHA256

09dcbc7aa3dd1e632ff4f3d4b50c200532f60867992a04d6985ec15fb78be003
SHA512

8816d2e854b0491410d5aba27adf4b6fb6f5ef0554f4ce617be927d7439e37b7f5a5da96b0c0fc866b436e6144a73c31bab1fbf64eb854cb25046f4cb675b7a3
SSDEEP

6144:AZcOmUCdtgsVghKD6KJ7ksVBkR86BYuy8KXxSIuA5GJb1LUb91SCB5lBMNRts3pt:AZcOmUCdtgsqnitVBk7wXxxKLS91S05F

Score

10^/10

xred adware backdoor discovery persistence stealer

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Targets

- Target
  
  InternetExplorer.exe
- Size
  
  855KB
- MD5
  
  c0fc5c9a5e085d4ceba2e938561f2cd7
- SHA1
  
  6e5d22ac8bc8db7822d1f7626a00f5525e4e74ef
- SHA256
  
  35607928da6aded83ef5a7261408406e3d80bb0a11ee5cfb29e24e91007d5f27
- SHA512
  
  30acb5d2fa54d7fcbf8a3253caf34a8e4d632c41cef73756128e506eeac3e8b66acc1c7cb93ccae355b215bf61b7473191624df11ca2ef1a9f67059d8b53c320
- SSDEEP
  
  12288:BMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9wvz8czTHkj:BnsJ39LyjbJkQFMhmC+6GD9o8czTHU
Score

10^/10

xred backdoor discovery persistence adware stealer
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Browser Extensions

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xredbackdoordiscoverypersistence

behavioral2

xredadwarebackdoordiscoverypersistencestealer