xred

Sharing

Copy URL

Twitter E-mail

General

Target

3955d531f93ca45363fb6685cb9b1da74a76ee1cee3362f657229e4ec1f5aa66
Size

9.8MB
Sample

241112-p4vkmsshrn
MD5

6e46945527ec07dca2aab9ed4f1fdcc1
SHA1

a520062f3637b1665fef60a5310e10c85319e341
SHA256

3955d531f93ca45363fb6685cb9b1da74a76ee1cee3362f657229e4ec1f5aa66
SHA512

5b4c79ace50e91ed65d3162af2e5df735efd36d8f4a2b7e0bd19941c3dd5fea449dbfb87c0c7e5aed8f253a57ffedf8fed22502ccdae755c2379a7335816cdb3
SSDEEP

196608:QZhIT+MlbcTJQsaBGRneBbN3qJePxwp7MLivKht0ogllriQ1KOIUh2zn64KX51Ay:QTI3wUGu3qMPuMLiSht0ogllriQ13gS

Score

10^/10

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Targets

- Target
  
  ._cache_语音投影圣经无声版.exe
- Size
  
  992KB
- MD5
  
  31fe511406b34ab828f59b2f83a34cd6
- SHA1
  
  6289753d84161b8262db001512a964abf099faac
- SHA256
  
  8d26ea240ab0ad93dbddd87611f2073d9169c89f901ab6410fc67a3a9bb67676
- SHA512
  
  f2252e5f62c7a7b9651298e50bd86f829051d36511010a78c6fc6b03d002dc1eea3855946b8734aa5ee9ee0e8cbe290c5b6d113e634e7d2eb2918f1efc442be7
- SSDEEP
  
  12288:MNDMnDn1jzF7TpRQR+VSXxGQegVC8Gz1+H5sJlpsLmkyUt1hqJF4e6M+VyWK:ADgn1jNrQkVSXcl8GBG5epsL0uo+k
Score

6^/10

discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2
- Target
  
  COMDLG32.OCX
- Size
  
  137KB
- MD5
  
  d76f0eab36f83a31d411aeaf70da7396
- SHA1
  
  9bc145b54500fb6fbea9be61fbdd90f65fd1bc14
- SHA256
  
  46f4fdb12c30742ff4607876d2f36cf432cdc7ec3d2c99097011448fc57e997c
- SHA512
  
  9c22bc6b2e7dbcd344809085894b768cfa76e8512062c5bbf3caeaa2771c6b7ce128bd5a0b6e385a5da777d0d822a5b2191773cc0ddb05abe1fa935fa853d79d
- SSDEEP
  
  3072:VESIiWD8uq4hCqUt6mqD1gRshBgH/voqJrwo2CocrJbQN6N2TRqEydzXS0:VETz566VgRyOJ0oDxQRHf
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  MSCOMCTL.OCX
- Size
  
  1.0MB
- MD5
  
  f7bbb7d79adb9e3adc13f3b3c33d3d4d
- SHA1
  
  cacb4b31d22419e6a9ddbffcf61ae42da0d5fb8a
- SHA256
  
  18a83d7a420a17fcb6f56eb3ba5362c975d32e5ded7553c6fd407f07bdb7b006
- SHA512
  
  4870ddbdf283d7f7f64d3f4bf556600a78804f6a94fc2ca7eb778e85d70b6d2d017aa35cbddf773b6a1b6d9a2813cd67fe54ede7859050a254a3e3c05616ae0e
- SSDEEP
  
  24576:mnt4M/pL1wAEIqSBanK6CC33VTj+1R8xRFLqqmbD1kWIAqPA:mPL15EIqS1e6q3FmKbt4
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  MSDATGRD.OCX
- Size
  
  254KB
- MD5
  
  fa8de5f76ba59bc4190fde2c78401d40
- SHA1
  
  8704a57a8b9f3a55242b9eae710c2645286c6e64
- SHA256
  
  1582418d27088049bb8ce628f87f9243f8e3c949508a69a509f2462de9db943b
- SHA512
  
  5015dbf7c7d6fd8cc147f16d09cfadbbd9a97b028da4b6f6424b74e442358bc605a71c1a9e2e14d40dc3d116403ea5808c88e445c808cbcd434b451ba8a19c1e
- SSDEEP
  
  6144:4IlSW5FgJwxytkYUstwbk1jbubxayEPTPL9rXnK9i1dTlQn7:pj5FgJwzst2ejbecyErL9Yn7
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  MSINET.OCX
- Size
  
  112KB
- MD5
  
  7bec181a21753498b6bd001c42a42722
- SHA1
  
  3249f233657dc66632c0539c47895bfcee5770cc
- SHA256
  
  73da54b69911bdd08ea8bbbd508f815ef7cfa59c4684d75c1c602252ec88ee31
- SHA512
  
  d671e25ae5e02a55f444d253f0e4a42af6a5362d9759fb243ad6d2c333976ab3e98669621ec0850ad915ee06acbe8e70d77b084128fc275462223f4f5ab401bc
- SSDEEP
  
  3072:i4QYXpLZaH+kCp1RCaSCF/6UMiySQYPfrj:i4rBfL1RCaSC0ej
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  VB6STKIT.DLL
- Size
  
  100KB
- MD5
  
  737be44c23baf9c094c46ff7d4e848c7
- SHA1
  
  08826635b8efc67725737738a477fc9aa2f594d0
- SHA256
  
  6fc6ce013a693fa291a07004adb3971774f420235e78f174d59de8e881f23530
- SHA512
  
  f147c3f6bc874eaf714d817a09556929129cbbc4c5ab0e89796aba07d876b90f01145d759e4a68d79429a673d0bb9297dba4382500515349da76d5e464f5c439
- SSDEEP
  
  3072:jd0rZEDYOAN99R3DUxPgDMOlxlCVSAgZO:B0rZED1ATH32PdQxli
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  msadodc.ocx
- Size
  
  115KB
- MD5
  
  d827412fc2d9c7bdc190a457206270ae
- SHA1
  
  14045b78fb848532b677bf8114c8107d21c28fa8
- SHA256
  
  d7a81a9de2c737673301d1d695bf31dfc2bc9bc5db2df18f85b4d4fa2e590a91
- SHA512
  
  975214f4c09295f09f3fc902fafec05d8179beccb44027851fb14177b350b65a02ba42f5f955b417e24b2bab0770070c3d6ba7254128d7eb3d1cae45c58cf266
- SSDEEP
  
  3072:o/jTv/fmKGte1zKjNv0+3hxW1LfqFBt1bURl/iu9pXKnfrD:QTv/fmKGtekO+3Tt1b2394D
Score

3^/10

discovery
behavioral13 behavioral14
- Target
  
  msvbvm60.dll
- Size
  
  1.3MB
- MD5
  
  c2a267759a55cf8cf23f716dbd2ecf91
- SHA1
  
  cd4b60830b40c8cfed1d4e579b9abbdfd5440237
- SHA256
  
  414f65d0abfe8b9dab1ac94987eaf331442bad8db8585c51fbe6f452909e9045
- SHA512
  
  810f737bd35bb41262c1452478102b43593fe43bf8908ac444f1c3c1cf65b9e0f8e3500646eb92b0f59404eb8b4adb211d079e84b37999a2b3f1a29b2f4eaffc
- SSDEEP
  
  24576:hmz+bRl8ga3PzD6APEFB4NfGb9ty/uDE9KhDH9PLRl0j1cMW5a8Jb6:h8MRmf3Pz8b9ty/uUKhDH9PAjA5rW
Score

3^/10

discovery
behavioral15 behavioral16
- Target
  
  scrrnchs.dll
- Size
  
  20KB
- MD5
  
  1da9192337b95732b1f47d9180428385
- SHA1
  
  52f8a6a51642c36de7272b434efa8970fc986024
- SHA256
  
  5f8f946b0dc4b643c70543a4a3dd02a2499619a583377668dca9d7212c488325
- SHA512
  
  604461f9708ab9da7611e3f28ae83d9fea5fb58c90339f11e346f85847078aeb6df4721f536e5ab3b8b478ae43cce7fc5eefdd3416de11b58f0260474514e6fa
- SSDEEP
  
  96:5GhdaHhNNNCu6Aj0w+6G6Wzsi7DW+2WsYi:5GhYHJNCuNj0w+iWzsWCPWsYi
Score

1^/10
behavioral17 behavioral18
- Target
  
  《语音投影圣经》5.20版说明.doc
- Size
  
  868KB
- MD5
  
  1378f496d1b151bd185e94ecd457f641
- SHA1
  
  cff119050f877a8bf8041dc108eaba81d1843ac2
- SHA256
  
  1112420b91e32fbeebacb29dc24a8a8b2fec07a21080cf0a3e71983f2099bc9b
- SHA512
  
  b90ce83d65bd47659a97b71253b66a39db347be420c0426a7e958516b65f081bc6c0a5f845bbfb6ab8a17d28f7353aa5d4bf1b19e30967528b5f6987974bf6e3
- SSDEEP
  
  24576:lA6V8HsGPZaU0yqdGJspfp23Hkc3BuQxW/c7iLSYKfpUzP68y9qXirXSEspYNvu:lA6V8HsGPZaU0yqdGJspfp23Hkc3BuQQ
Score

4^/10

discovery
behavioral19 behavioral20
- Target
  
  新编赞美诗补充本200首pps.rar.lnk
- Size
  
  502B
- MD5
  
  ab67ddbb5e42f32d290ceb9b43c20ea8
- SHA1
  
  65d9f612177fbf12ac215ea3f6f1a39a0691e2a0
- SHA256
  
  e85a2b732af9835f157232a2c28159e903dea1e79fc094b915958fd19b08bda1
- SHA512
  
  838e9ed1fc220313113f0ecf95d4dc76512e284068b76749ba3b735868e2b083e4022fcd323edd413b7d5cc708b3a5e2c92a7dda9bb593c834b4431883519ca0
Score

3^/10
behavioral21 behavioral22
- Target
  
  旷野呼声.url
- Size
  
  238B
- MD5
  
  577f076944c894b18812ae98d68cc884
- SHA1
  
  cba95e556332f8c74b2ae6adc483bd01121b27a6
- SHA256
  
  168a43703d296ec0a20deab7df759549a9d41cd4f3c90747ac12310c3c4f5d70
- SHA512
  
  91db3d5ff819e407eabf14ba4375848de006938dfdc5a91311404cb6aec14562f36cdb3fee1e8ec51ad314ac05af1cb2c22ba21bc6fa23f646cba4da31edc3f5
Score

1^/10
behavioral23 behavioral24
- Target
  
  语音投影圣经无声版.exe
- Size
  
  1.7MB
- MD5
  
  4e5eded0365b4ae66547251673e02e12
- SHA1
  
  f0ed0dddcc0c266b28088b5d6c36e7e437059aec
- SHA256
  
  10e95326c16351a26f64ec1e6fb3499e7c8adad2b69af2c197d8349edfde3d95
- SHA512
  
  82ad8fbd1b499816c951155e48f6b1276955a67b63e9a18cc314d5ddb899b30d99132c7ab4683bf5580398f6c95ade3c562932a2c8ef59d95467c1256ab08330
- SSDEEP
  
  49152:DnsHyjtk2MYC5GD8K1hEel8GBG5epsL0uo4:Dnsmtk2alyEeLG4iL0uo4
Score

10^/10

xred backdoor discovery persistence
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Adds Run key to start application
  persistence
behavioral25 behavioral26

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Enumerates connected drives

Xred family

Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26