xred

Sharing

Copy URL

Twitter E-mail

General

Target

RdpStealer.zip
Size

793KB
Sample

241118-m219aszndr
MD5

c5b9c34d61b7ce0b5a6172ce6f6f4849
SHA1

fc8bda594e25225ebc44b29ada8171f9e944b865
SHA256

738b2e06833209e95512dcf652b42691e38744657359828c5ac6cd664312b7b5
SHA512

51321cb0b877781cf191315fd391d79ad9a50740522fa25aa16a3a117ac8c0073ddbe431a3a8425587a6841ec0b51ffd1c58cc3d6ded3b4d6a49d45b6f82724c
SSDEEP

12288:WNCaf3F1Wg3/gIMj839lMiroQjP6ZvQa2jibcVSBQEeBLBlfio9v8b6veS:Wx3Fo5A39oQ2Z4vjqBLeBLBAo9v8m2S

Score

10^/10

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Targets

- Target
  
  RdpStealer/AxInterop.MSTSCLib.dll
- Size
  
  360KB
- MD5
  
  de3d5ad623e7c7b4ec2d0464079378de
- SHA1
  
  e3e3819f8af9df76f9be384812502afe0aff1633
- SHA256
  
  462ca2c2ef011243b18b7812da10584cf10d81f5c91df56fd2d635bd040ec42a
- SHA512
  
  110af2cd3095452817bb583966525989802e868db1e75ed0feea01e66994bb01f0021d121a34d6c13ede03af82a10bc1183c4161a6984db61a1410d8631152a1
- SSDEEP
  
  3072:DZEKEcvukPhjyUG2p8wV0z6gWAkapSyS6hH+GC1Z5U8h:iwhjvGU0WgWAkaW6hH+GC1ZF
Score

1^/10
behavioral1 behavioral2
- Target
  
  RdpStealer/Interop.MSTSCLib.dll
- Size
  
  738KB
- MD5
  
  ca5aa0968425f4ac15e2dd42a0bbbfc0
- SHA1
  
  711f690afcda21ef9549a8f0688e4a733974f765
- SHA256
  
  4a6b40e408f0331ae5bf846705424441ab8a7a31ca9ab94e49ccb7d1e17e84da
- SHA512
  
  9ce97224b0c6ba88949307e58977c33eb802d7b5fe848f74ff2d931274440880ee0cfd57cabb81ea0eb691efc5012a93ec2748b68e5a297bae6711a141c6f355
- SSDEEP
  
  12288:cuF8zCZQHmtk76B4veVsjyJgXW9UrqxINQzitUn2BYL6l8szncUicKs8geyRli+p:cuF8zCZQHmtk76B4veVsjyJgXW9Urqxq
Score

1^/10
behavioral3 behavioral4
- Target
  
  RdpStealer/Leaf.Net.dll
- Size
  
  134KB
- MD5
  
  c98de72cd4374c4210eb5c0102e1c2af
- SHA1
  
  671649bc3df7789f3b98282ed50fbf967be9e719
- SHA256
  
  77ebb46eb03ace07790b535020dbd1170c5c5eefc249f55fe27c9f19561beb8b
- SHA512
  
  d9dbb94b7f1756cbcbb4fa8e321905a1105c40ae8e996e0f49d426d303eacbf5b65031031589198b7084cf53adc25b9b87d289db0f3e147da031c6a147b58df0
- SSDEEP
  
  3072:wy9SMUEaXYnX9pPMaetDkFyLDGaEiOtK0OrFoc1u7CqmC:wy9SMU0rkaqfDXGl
Score

1^/10
behavioral5 behavioral6
- Target
  
  RdpStealer/RdpStealer.exe
- Size
  
  762KB
- MD5
  
  5316877f3619a1768d3a8025245037c7
- SHA1
  
  07b0cf82a54614dc269c441fab8784b06d8722fc
- SHA256
  
  b28e21164f744e66c184e343cb85906f6bed8644841c18819b3d3c247ee65d20
- SHA512
  
  2644214e119b896fe27b649578956cef2853c0b60404aa26de8d55c2a4ed72d211d13774a815d34c5086e718b5af28a4d7b91c6bcd42a883b303b17020cb89ff
- SSDEEP
  
  12288:aMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9sBj:ansJ39LyjbJkQFMhmC+6GD9G
Score

10^/10

xred backdoor discovery persistence
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral7 behavioral8
- Target
  
  RdpStealer/xNet.dll
- Size
  
  110KB
- MD5
  
  ac1dceddbc66a1ab7915ac9931f0cfec
- SHA1
  
  22ce2ec96192a520a2a76a0fa272656c77f1041a
- SHA256
  
  cc949931ef9533adced83f3d58862e9732e5db7ad17b5fd4cb9d209a99edb592
- SHA512
  
  3906b3b7f8874bfd79f94e945d857dbc83ec89ed73ac13d49790c7fc4eed5c7e98c99c32ffc4a05795da9981c3163978c7f84a54298e94420e365c395392b3f9
- SSDEEP
  
  3072:PqCUxh+3H0MznY3wihz0YmcTqnV+xnEdU:PqCUxhfMUTqnV+xnEd
Score

1^/10
behavioral10 behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Xred family

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10