General

  • Target

    Stix_Advanced_Tweak.exe

  • Size

    1.5MB

  • Sample

    241111-tyzpmazqdt

  • MD5

    43afea647840c9ed1d2888ce8c85ed32

  • SHA1

    a9ca7722b5d49f42ae01dc20d3b7397f67647cd0

  • SHA256

    2cbf4a18cf8df6a631826a5006d13b3bf36d0971b8c96678b278fc99795a9386

  • SHA512

    ffe6cb55700d3e27544315998300c6d2532fa7b9085d9dd83088eb4579124579595c06ef9abe2fcc532468c5477a6fa13c57af2ae24df28b064050691ab48bc9

  • SSDEEP

    24576:2nsJ39LyjbJkQFMhmC+6GD9k0TO7wx6RZrLSQeMeNyUc7nyWOqmpezMJQF:2nsHyjtk2MYC5GD60TO7JRZHSSr0py

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Targets

    • Target

      Stix_Advanced_Tweak.exe

    • Size

      1.5MB

    • MD5

      43afea647840c9ed1d2888ce8c85ed32

    • SHA1

      a9ca7722b5d49f42ae01dc20d3b7397f67647cd0

    • SHA256

      2cbf4a18cf8df6a631826a5006d13b3bf36d0971b8c96678b278fc99795a9386

    • SHA512

      ffe6cb55700d3e27544315998300c6d2532fa7b9085d9dd83088eb4579124579595c06ef9abe2fcc532468c5477a6fa13c57af2ae24df28b064050691ab48bc9

    • SSDEEP

      24576:2nsJ39LyjbJkQFMhmC+6GD9k0TO7wx6RZrLSQeMeNyUc7nyWOqmpezMJQF:2nsHyjtk2MYC5GD60TO7JRZHSSr0py

    • Xred

      Xred is backdoor written in Delphi.

    • Xred family

    • A potential corporate email address has been identified in the URL: currency-file@1

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks