xred | 75d273cc64cecf71e838ac7c78292775a0422b752911b152600cb115416dee51

General

Target

Code Stealer dll For Hd PLAYER.vmp.exe
Size

5.0MB
MD5

e84c6027daaea05c5c965f5f6062ba2c
SHA1

b6a04707a087125031a7d2b14a6b7493b5022168
SHA256

8d215ea18cb15661a37b9eeb4abc861670c39ea8b6e98b0f62b43763e6bce63f
SHA512

6e1351c090989846d888bdea4ac7ea716c507ab6b89b1154cf76b0b622ea09bd0c50ca1036db056f578bea362d3d360f00be50a0e92e3637f6ff5626ecdbfb50
SSDEEP

98304:eadFE3ZtxlzJtME/CFNeETYhj17tSVvgkZ28MsMNULbXZof/nuy:eadaXjzzM/eETYhj1g28zZE9

Score

10^/10

xred xworm backdoor discovery persistence rat trojan

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

xworm

C2

147.185.221.23:10012

Attributes

Install_directory
%Userprofile%
install_file
svchost.exe

Signatures

Detect Xworm Payload 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\._cache_Code Stealer dll For Hd PLAYER.vmp.exe	family_xworm
behavioral1/memory/2868-59-0x0000000001140000-0x000000000115C000-memory.dmp	family_xworm
behavioral1/memory/1156-121-0x0000000000EA0000-0x0000000000EBC000-memory.dmp	family_xworm

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Executes dropped EXE 3 IoCs

Processes:

._cache_Code Stealer dll For Hd PLAYER.vmp.exeSynaptics.exe._cache_Synaptics.exe

pid process

2868 ._cache_Code Stealer dll For Hd PLAYER.vmp.exe
2876 Synaptics.exe
1156 ._cache_Synaptics.exe

pid	process
2868	._cache_Code Stealer dll For Hd PLAYER.vmp.exe
2876	Synaptics.exe
1156	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

Processes:

Code Stealer dll For Hd PLAYER.vmp.exeSynaptics.exe

pid	process
3044	Code Stealer dll For Hd PLAYER.vmp.exe
3044	Code Stealer dll For Hd PLAYER.vmp.exe
3044	Code Stealer dll For Hd PLAYER.vmp.exe
2876	Synaptics.exe
2876	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Code Stealer dll For Hd PLAYER.vmp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Code Stealer dll For Hd PLAYER.vmp.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

Code Stealer dll For Hd PLAYER.vmp.exeSynaptics.exe

pid process

3044 Code Stealer dll For Hd PLAYER.vmp.exe
3044 Code Stealer dll For Hd PLAYER.vmp.exe
2876 Synaptics.exe
2876 Synaptics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
5	ip-api.com

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Code Stealer dll For Hd PLAYER.vmp.exeSynaptics.exeEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Code Stealer dll For Hd PLAYER.vmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1928 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Code Stealer dll For Hd PLAYER.vmp.exeSynaptics.exe

pid process

3044 Code Stealer dll For Hd PLAYER.vmp.exe
2876 Synaptics.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

._cache_Code Stealer dll For Hd PLAYER.vmp.exe._cache_Synaptics.exe

description pid process

Token: SeDebugPrivilege 2868 ._cache_Code Stealer dll For Hd PLAYER.vmp.exe
Token: SeDebugPrivilege 1156 ._cache_Synaptics.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EXCEL.EXE

pid process

1928 EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1928	EXCEL.EXE

description	pid	process
Token: SeDebugPrivilege	2868	._cache_Code Stealer dll For Hd PLAYER.vmp.exe
Token: SeDebugPrivilege	1156	._cache_Synaptics.exe

pid	process
1928	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Code Stealer dll For Hd PLAYER.vmp.exeSynaptics.exe

description	pid	process	target process
PID 3044 wrote to memory of 2868	3044	Code Stealer dll For Hd PLAYER.vmp.exe	._cache_Code Stealer dll For Hd PLAYER.vmp.exe
PID 3044 wrote to memory of 2868	3044	Code Stealer dll For Hd PLAYER.vmp.exe	._cache_Code Stealer dll For Hd PLAYER.vmp.exe
PID 3044 wrote to memory of 2868	3044	Code Stealer dll For Hd PLAYER.vmp.exe	._cache_Code Stealer dll For Hd PLAYER.vmp.exe
PID 3044 wrote to memory of 2868	3044	Code Stealer dll For Hd PLAYER.vmp.exe	._cache_Code Stealer dll For Hd PLAYER.vmp.exe
PID 3044 wrote to memory of 2876	3044	Code Stealer dll For Hd PLAYER.vmp.exe	Synaptics.exe
PID 3044 wrote to memory of 2876	3044	Code Stealer dll For Hd PLAYER.vmp.exe	Synaptics.exe
PID 3044 wrote to memory of 2876	3044	Code Stealer dll For Hd PLAYER.vmp.exe	Synaptics.exe
PID 3044 wrote to memory of 2876	3044	Code Stealer dll For Hd PLAYER.vmp.exe	Synaptics.exe
PID 2876 wrote to memory of 1156	2876	Synaptics.exe	._cache_Synaptics.exe
PID 2876 wrote to memory of 1156	2876	Synaptics.exe	._cache_Synaptics.exe
PID 2876 wrote to memory of 1156	2876	Synaptics.exe	._cache_Synaptics.exe
PID 2876 wrote to memory of 1156	2876	Synaptics.exe	._cache_Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\Code Stealer dll For Hd PLAYER.vmp.exe
"C:\Users\Admin\AppData\Local\Temp\Code Stealer dll For Hd PLAYER.vmp.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\._cache_Code Stealer dll For Hd PLAYER.vmp.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_Code Stealer dll For Hd PLAYER.vmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2868
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1156

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
5.0MB

MD5
e84c6027daaea05c5c965f5f6062ba2c

SHA1
b6a04707a087125031a7d2b14a6b7493b5022168

SHA256
8d215ea18cb15661a37b9eeb4abc861670c39ea8b6e98b0f62b43763e6bce63f

SHA512
6e1351c090989846d888bdea4ac7ea716c507ab6b89b1154cf76b0b622ea09bd0c50ca1036db056f578bea362d3d360f00be50a0e92e3637f6ff5626ecdbfb50

Download Submit
C:\Users\Admin\AppData\Local\Temp\dneocMkV.xlsm

Filesize
23KB

MD5
fe2f26a4bf3f7cf77f5fa3f01289db7b

SHA1
6e547873f945ac533afbd8baa34e8ca04fa11e29

SHA256
f281e4fc53a61843449e9e978a96f1cb4245982ad7af6e55d25d157ed0a92691

SHA512
ea419000b5eeb7eadf9f4f375fa5b0a491fe6a527cad84ca8005569df93081dce63ded3d19755a80c07a3b5cd45e3e99df76f47aa4fe6faaa6e5ecaf999406fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\dneocMkV.xlsm

Filesize
27KB

MD5
c757d5f23e6f48f02d4fef6432233813

SHA1
397fa1b9a64f97887fb6cc6e02e9a276900a24bb

SHA256
e82da9ea960bcf3ab5a917d1f4757433f2e4f1c4ba40ae2162cf0d09f44c0052

SHA512
4502e6c65103a9d1bec032e6da09cc90d9f5b8b750da708654898329fbe8aaf2133fbd3825e2b70be1ec3fccb73e9c0b8acb67fc58f3bf0ec6e00e4498b27304

Download Submit
C:\Users\Admin\AppData\Local\Temp\dneocMkV.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\dneocMkV.xlsm

Filesize
28KB

MD5
277161658044d8866c2bba1f8b636fbf

SHA1
4e57938ba311596d37ba7f5fbc88020ffb4cf18d

SHA256
3a7cf1f00b2dad8223f23731e28810203badc8ddb5dfc00826be19ec5675b241

SHA512
58866f39cbf70f696410881c9cecd04f37b47b82f1608406bac15fe05de5e8fcd743c5e7016a4a3ab54d7de0f05eb4e9df6c6b4aac96cca4a5f7719139d54278

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_Code Stealer dll For Hd PLAYER.vmp.exe

Filesize
85KB

MD5
868fcf3d54b2a67208b6b3f2ab8423f3

SHA1
b711bbdd1592658a7e5db4198088ef0b82fb5f5f

SHA256
5558383b3d4edee25acd4b00be2238a3f9275b9d00c840721655cc82db7f832c

SHA512
3e3bb105c669e08248aaa27d6dc148d18004bfce724036bd5d793675ab0275f504b4eb67892ebcbf6620cac57d2f6f6b6de8f5c42996eb8beae89fb2938788a8

Download Submit
memory/1156-121-0x0000000000EA0000-0x0000000000EBC000-memory.dmp

Filesize
112KB

Download
memory/2868-59-0x0000000001140000-0x000000000115C000-memory.dmp

Filesize
112KB

Download
memory/2876-88-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2876-90-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3044-30-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/3044-3-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3044-23-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/3044-20-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/3044-18-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/3044-16-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/3044-15-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3044-13-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3044-11-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3044-10-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3044-8-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3044-6-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3044-5-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3044-25-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/3044-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3044-46-0x0000000000400000-0x0000000000C95000-memory.dmp

Filesize
8.6MB

Download
memory/3044-28-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/3044-0-0x00000000004A5000-0x000000000078A000-memory.dmp

Filesize
2.9MB

Download
memory/3044-33-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/3044-70-0x0000000000400000-0x0000000000C95000-memory.dmp

Filesize
8.6MB

Download
memory/3044-68-0x00000000004A5000-0x000000000078A000-memory.dmp

Filesize
2.9MB

Download
memory/3044-35-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/3044-38-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/3044-40-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/3044-42-0x0000000000400000-0x0000000000C95000-memory.dmp

Filesize
8.6MB

Download
memory/3044-41-0x0000000000400000-0x0000000000C95000-memory.dmp

Filesize
8.6MB

Download
memory/3044-45-0x0000000000400000-0x0000000000C95000-memory.dmp

Filesize
8.6MB

Download
memory/3044-44-0x0000000000400000-0x0000000000C95000-memory.dmp

Filesize
8.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads