xred | 738b2e06833209e95512dcf652b42691e38744657359828c5ac6cd664312b7b5

General

Target

RdpStealer/RdpStealer.exe
Size

762KB
MD5

5316877f3619a1768d3a8025245037c7
SHA1

07b0cf82a54614dc269c441fab8784b06d8722fc
SHA256

b28e21164f744e66c184e343cb85906f6bed8644841c18819b3d3c247ee65d20
SHA512

2644214e119b896fe27b649578956cef2853c0b60404aa26de8d55c2a4ed72d211d13774a815d34c5086e718b5af28a4d7b91c6bcd42a883b303b17020cb89ff
SSDEEP

12288:aMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9sBj:ansJ39LyjbJkQFMhmC+6GD9G

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Executes dropped EXE 3 IoCs

Processes:

._cache_RdpStealer.exeSynaptics.exe._cache_Synaptics.exe

pid process

2428 ._cache_RdpStealer.exe
2044 Synaptics.exe
2692 ._cache_Synaptics.exe
Loads dropped DLL 5 IoCs

Processes:

RdpStealer.exeSynaptics.exe

pid process

2204 RdpStealer.exe
2204 RdpStealer.exe
2204 RdpStealer.exe
2044 Synaptics.exe
2044 Synaptics.exe

pid	process
2428	._cache_RdpStealer.exe
2044	Synaptics.exe
2692	._cache_Synaptics.exe

pid	process
2204	RdpStealer.exe
2204	RdpStealer.exe
2204	RdpStealer.exe
2044	Synaptics.exe
2044	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RdpStealer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	RdpStealer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

EXCEL.EXE._cache_RdpStealer.exeSynaptics.exe._cache_Synaptics.execmd.exetimeout.exetimeout.exeRdpStealer.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_RdpStealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdpStealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1448 timeout.exe
2464 timeout.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2460 EXCEL.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

._cache_RdpStealer.exe._cache_Synaptics.exe

description pid process

Token: SeDebugPrivilege 2428 ._cache_RdpStealer.exe
Token: SeDebugPrivilege 2692 ._cache_Synaptics.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EXCEL.EXE

pid process

2460 EXCEL.EXE

pid	process
1448	timeout.exe
2464	timeout.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
2460	EXCEL.EXE

description	pid	process
Token: SeDebugPrivilege	2428	._cache_RdpStealer.exe
Token: SeDebugPrivilege	2692	._cache_Synaptics.exe

pid	process
2460	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

RdpStealer.exeSynaptics.exe._cache_Synaptics.exe._cache_RdpStealer.execmd.execmd.exe

description	pid	process	target process
PID 2204 wrote to memory of 2428	2204	RdpStealer.exe	._cache_RdpStealer.exe
PID 2204 wrote to memory of 2428	2204	RdpStealer.exe	._cache_RdpStealer.exe
PID 2204 wrote to memory of 2428	2204	RdpStealer.exe	._cache_RdpStealer.exe
PID 2204 wrote to memory of 2428	2204	RdpStealer.exe	._cache_RdpStealer.exe
PID 2204 wrote to memory of 2044	2204	RdpStealer.exe	Synaptics.exe
PID 2204 wrote to memory of 2044	2204	RdpStealer.exe	Synaptics.exe
PID 2204 wrote to memory of 2044	2204	RdpStealer.exe	Synaptics.exe
PID 2204 wrote to memory of 2044	2204	RdpStealer.exe	Synaptics.exe
PID 2044 wrote to memory of 2692	2044	Synaptics.exe	._cache_Synaptics.exe
PID 2044 wrote to memory of 2692	2044	Synaptics.exe	._cache_Synaptics.exe
PID 2044 wrote to memory of 2692	2044	Synaptics.exe	._cache_Synaptics.exe
PID 2044 wrote to memory of 2692	2044	Synaptics.exe	._cache_Synaptics.exe
PID 2692 wrote to memory of 1264	2692	._cache_Synaptics.exe	cmd.exe
PID 2692 wrote to memory of 1264	2692	._cache_Synaptics.exe	cmd.exe
PID 2692 wrote to memory of 1264	2692	._cache_Synaptics.exe	cmd.exe
PID 2692 wrote to memory of 1264	2692	._cache_Synaptics.exe	cmd.exe
PID 2428 wrote to memory of 468	2428	._cache_RdpStealer.exe	cmd.exe
PID 2428 wrote to memory of 468	2428	._cache_RdpStealer.exe	cmd.exe
PID 2428 wrote to memory of 468	2428	._cache_RdpStealer.exe	cmd.exe
PID 2428 wrote to memory of 468	2428	._cache_RdpStealer.exe	cmd.exe
PID 468 wrote to memory of 1448	468	cmd.exe	timeout.exe
PID 468 wrote to memory of 1448	468	cmd.exe	timeout.exe
PID 468 wrote to memory of 1448	468	cmd.exe	timeout.exe
PID 468 wrote to memory of 1448	468	cmd.exe	timeout.exe
PID 1264 wrote to memory of 2464	1264	cmd.exe	timeout.exe
PID 1264 wrote to memory of 2464	1264	cmd.exe	timeout.exe
PID 1264 wrote to memory of 2464	1264	cmd.exe	timeout.exe
PID 1264 wrote to memory of 2464	1264	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\RdpStealer\RdpStealer.exe
"C:\Users\Admin\AppData\Local\Temp\RdpStealer\RdpStealer.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\RdpStealer\._cache_RdpStealer.exe
  "C:\Users\Admin\AppData\Local\Temp\RdpStealer\._cache_RdpStealer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpDD73.tmp.cmd""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:468
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 4
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:1448
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Users\Admin\AppData\Local\Temp\RdpStealer\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\RdpStealer\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpDD74.tmp.cmd""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1264
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 4
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2464

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
762KB

MD5
5316877f3619a1768d3a8025245037c7

SHA1
07b0cf82a54614dc269c441fab8784b06d8722fc

SHA256
b28e21164f744e66c184e343cb85906f6bed8644841c18819b3d3c247ee65d20

SHA512
2644214e119b896fe27b649578956cef2853c0b60404aa26de8d55c2a4ed72d211d13774a815d34c5086e718b5af28a4d7b91c6bcd42a883b303b17020cb89ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDD73.tmp.cmd

Filesize
164B

MD5
9d21e5df8875e2bc3199766e9901c5fb

SHA1
27a77d0e657679f3d828365b7b586d9d8b2f33ea

SHA256
59962e166ff23bbb194071555230e3c3dde8a7374d22c65e3d989629615bfbb8

SHA512
d561b95b6f62d096c7b0f5b949780b6aff13b37ca8908b68d95225ef0638321e5c452a62c546923445112fb4fc299035689863c139a608b47832cf7d064d1633

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDD74.tmp.cmd

Filesize
163B

MD5
80042f5dab348927a5be1aa90c215da0

SHA1
c6f5ae61755a90b59df17d2596fe7551c296cab6

SHA256
92bfd5c81879e098dba31096146e5114fc8d8ea11216f3677eb9fdd3a0335233

SHA512
190d51e7510d103474a275ebfdf113a3d15a82627b786747ed34cd8be0ea0462ac94203769d5b9def95049e3e796858576a0e1c826619569c7bd9506d0528123

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUbai5Py.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUbai5Py.xlsm

Filesize
24KB

MD5
0408f7ac8b7f34264aaef646d5cc112f

SHA1
9031de3fa3752055103c1b7fea2c0fb78239f14b

SHA256
cc81c7e1c0745efd17b0e6706c34b9404587082a3ca7c6c51a3bee9a62224ff8

SHA512
b720905db9e26d7210223e8e57ca07c1132207e8af49df6d5531517b11773e0af7ce3fca8184cce6308a8882f733e6f40541ad8e50a1a0c9838f9942c4ea4295

Download Submit
\Users\Admin\AppData\Local\Temp\RdpStealer\._cache_RdpStealer.exe

Filesize
8KB

MD5
56f70138199c1b666ccce7d33eca29fe

SHA1
61da84bfeb7c9b9582704775f523f5ef9dc866fe

SHA256
23f7e75257b27c7458330ecff652f3f1819de6ddeafb4fd1ea1ad383581fad4a

SHA512
9e927144298f91a4fa5d224632a8f1d8a88d662c781eec0c09016ce060d01c2a1a550316f9abc9bb107dcf96a5570dee463200981db815347b04ac1108392aee

Download Submit
memory/2044-98-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2044-99-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2044-105-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2044-132-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2204-26-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2204-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2428-29-0x0000000000100000-0x0000000000108000-memory.dmp

Filesize
32KB

Download
memory/2460-55-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2692-38-0x00000000001B0000-0x00000000001B8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads