General

  • Target

    39b71735c29ae5e9ec286aae7d645109d241a76007c23db531878d5daad2f9a2N

  • Size

    4.8MB

  • Sample

    241107-r9egqawrdk

  • MD5

    51ecdc2470c3d74fd02ae636ede8ea50

  • SHA1

    699c18118bf2181ad2a4107c018380bde7bf959d

  • SHA256

    39b71735c29ae5e9ec286aae7d645109d241a76007c23db531878d5daad2f9a2

  • SHA512

    0ed1942659cb5a942d7831bb2edc25a5a350743766aec97236311adf9d35bb58aa9a51ad1f0d2ff52b81eb28d04c715c9de4d00d9d2f5296ad6e1223838a6614

  • SSDEEP

    98304:A9+lCU89BjJMZoVbn9+lCU89BjJMZoVbJ9+lCU89BjJMZoVb:XlCUIBjslCUIBjalCUIBj

Malware Config

Extracted

Family: darkcloud

C2: https://api.telegram.org/bot7791323838:AAE3VAK5D-6z6zW2W49g82tPlNqRUAWW6SI/sendMessage?chat_id=6595599138

Extracted

Family: xred

C2: xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Targets

    • Target

      39b71735c29ae5e9ec286aae7d645109d241a76007c23db531878d5daad2f9a2N

    • Size

      4.8MB

    • MD5

      51ecdc2470c3d74fd02ae636ede8ea50

    • SHA1

      699c18118bf2181ad2a4107c018380bde7bf959d

    • SHA256

      39b71735c29ae5e9ec286aae7d645109d241a76007c23db531878d5daad2f9a2

    • SHA512

      0ed1942659cb5a942d7831bb2edc25a5a350743766aec97236311adf9d35bb58aa9a51ad1f0d2ff52b81eb28d04c715c9de4d00d9d2f5296ad6e1223838a6614

    • SSDEEP

      98304:A9+lCU89BjJMZoVbn9+lCU89BjJMZoVbJ9+lCU89BjJMZoVb:XlCUIBjslCUIBjalCUIBj

    • DarkCloud

      An information stealer written in Visual Basic.

    • Darkcloud family

    • Xred

      Xred is a backdoor written in Delphi.

    • Xred family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
