Resubmissions

18-11-2024 08:44

241118-kncbxatalp 10

12-11-2024 03:15

241112-dry7hstepg 10

General

  • Target

    Munzy Temp Spoofer.exe

  • Size

    1.1MB

  • Sample

    241112-dry7hstepg

  • MD5

    9ecc5c00e6ef385d71f87f66da559241

  • SHA1

    f0f1bec3a9ae9214bb2daa3574f6dd064f6c2451

  • SHA256

    f5855524bf79d214423b91be83872ebf9674fe277175b6ab28b6c48be3d07f3e

  • SHA512

    b8cd2b51a42d30257b9bbf3cec0326ed933d1f0a1a824159551b92d244d6d3790bbb1b0e465bfa6a7251c7e95a7eedbb2eddc2d4635a89a248a95088b3865dc1

  • SSDEEP

    24576:onsJ39LyjbJkQFMhmC+6GD9tMhriNgMJ+/n:onsHyjtk2MYC5GDkhriin

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Targets

    • Target

      Munzy Temp Spoofer.exe

    • Size

      1.1MB

    • MD5

      9ecc5c00e6ef385d71f87f66da559241

    • SHA1

      f0f1bec3a9ae9214bb2daa3574f6dd064f6c2451

    • SHA256

      f5855524bf79d214423b91be83872ebf9674fe277175b6ab28b6c48be3d07f3e

    • SHA512

      b8cd2b51a42d30257b9bbf3cec0326ed933d1f0a1a824159551b92d244d6d3790bbb1b0e465bfa6a7251c7e95a7eedbb2eddc2d4635a89a248a95088b3865dc1

    • SSDEEP

      24576:onsJ39LyjbJkQFMhmC+6GD9tMhriNgMJ+/n:onsHyjtk2MYC5GDkhriin

    • Xred

      Xred is backdoor written in Delphi.

    • Xred family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks