xred | 2cbf4a18cf8df6a631826a5006d13b3bf36d0971b8c96678b278fc99795a9386 | Triage

Submit
Reports

Overview

overview

Static

static

Stix_Advan...ak.exe

windows10-2004-x64

Sharing

General

Target

Stix_Advanced_Tweak.exe
Size

1.5MB
Sample

241111-tyzpmazqdt
MD5

43afea647840c9ed1d2888ce8c85ed32
SHA1

a9ca7722b5d49f42ae01dc20d3b7397f67647cd0
SHA256

2cbf4a18cf8df6a631826a5006d13b3bf36d0971b8c96678b278fc99795a9386
SHA512

ffe6cb55700d3e27544315998300c6d2532fa7b9085d9dd83088eb4579124579595c06ef9abe2fcc532468c5477a6fa13c57af2ae24df28b064050691ab48bc9
SSDEEP

24576:2nsJ39LyjbJkQFMhmC+6GD9k0TO7wx6RZrLSQeMeNyUc7nyWOqmpezMJQF:2nsHyjtk2MYC5GD60TO7JRZHSSr0py

Score

10^/10

xred backdoor discovery persistence phishing

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

Stix_Advanced_Tweak.exe

Resource

win10v2004-20241007-en

xred backdoor discovery persistence phishing

windows10-2004-x64

23 signatures

600 seconds

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Targets

- Target
  
  Stix_Advanced_Tweak.exe
- Size
  
  1.5MB
- MD5
  
  43afea647840c9ed1d2888ce8c85ed32
- SHA1
  
  a9ca7722b5d49f42ae01dc20d3b7397f67647cd0
- SHA256
  
  2cbf4a18cf8df6a631826a5006d13b3bf36d0971b8c96678b278fc99795a9386
- SHA512
  
  ffe6cb55700d3e27544315998300c6d2532fa7b9085d9dd83088eb4579124579595c06ef9abe2fcc532468c5477a6fa13c57af2ae24df28b064050691ab48bc9
- SSDEEP
  
  24576:2nsJ39LyjbJkQFMhmC+6GD9k0TO7wx6RZrLSQeMeNyUc7nyWOqmpezMJQF:2nsHyjtk2MYC5GD60TO7JRZHSSr0py
Score

10^/10

xred backdoor discovery persistence phishing
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- A potential corporate email address has been identified in the URL: currency-file@1
  phishing
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

xredbackdoordiscoverypersistencephishing

© 2018-2024

Terms | Privacy