xred

General

Target

Spotify.exe
Size

8.6MB
Sample

241117-whxw7szlel
MD5

1ea664910e4d4231ed21f59af15bea5f
SHA1

563660e175cf56eaeeb34bb723a7f1b0297aa4b2
SHA256

10416b8b2519ca56e4d81576f492dae3b670fbb1e54ead4234b5415c5e0dcc35
SHA512

636b9cb78ff616159fb74084e9d0af29a2660465faf4901954b72fb3c9f950567b8adc0e6aca78c510a03793b3b1d4fa31c7e2ea5ce517c1981016f6d4a5a298
SSDEEP

196608:iLGgQdj4O9LgRRHG94UEbrURbsvnEJlQ9aNx1pLrB:iCdX2RRmqUEbwRbsvnIG92x1B1

Score

10^/10

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Targets

- Target
  
  Spotify.exe
- Size
  
  8.6MB
- MD5
  
  1ea664910e4d4231ed21f59af15bea5f
- SHA1
  
  563660e175cf56eaeeb34bb723a7f1b0297aa4b2
- SHA256
  
  10416b8b2519ca56e4d81576f492dae3b670fbb1e54ead4234b5415c5e0dcc35
- SHA512
  
  636b9cb78ff616159fb74084e9d0af29a2660465faf4901954b72fb3c9f950567b8adc0e6aca78c510a03793b3b1d4fa31c7e2ea5ce517c1981016f6d4a5a298
- SSDEEP
  
  196608:iLGgQdj4O9LgRRHG94UEbrURbsvnEJlQ9aNx1pLrB:iCdX2RRmqUEbwRbsvnIG92x1B1
Score

10^/10

xred backdoor discovery macro persistence upx collection credential_access defense_evasion execution spyware stealer
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Suspicious Office macro
  Office document equipped with macros.
  macro
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Enumerates processes with tasklist
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2