Overview

overview

10

Static

static

10

RdpStealer...ib.dll

windows7-x64

1

RdpStealer...ib.dll

windows10-2004-x64

1

RdpStealer...ib.dll

windows7-x64

1

RdpStealer...ib.dll

windows10-2004-x64

1

RdpStealer...et.dll

windows7-x64

1

RdpStealer...et.dll

windows10-2004-x64

1

RdpStealer...er.exe

windows7-x64

10

RdpStealer...er.exe

windows10-2004-x64

10

RdpStealer/xNet.dll

windows7-x64

1

RdpStealer/xNet.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    145s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-11-2024 10:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RdpStealer/RdpStealer.exe

  • Size

    762KB

  • MD5

    5316877f3619a1768d3a8025245037c7

  • SHA1

    07b0cf82a54614dc269c441fab8784b06d8722fc

  • SHA256

    b28e21164f744e66c184e343cb85906f6bed8644841c18819b3d3c247ee65d20

  • SHA512

    2644214e119b896fe27b649578956cef2853c0b60404aa26de8d55c2a4ed72d211d13774a815d34c5086e718b5af28a4d7b91c6bcd42a883b303b17020cb89ff

  • SSDEEP

    12288:aMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9sBj:ansJ39LyjbJkQFMhmC+6GD9G

Score
10/10
xredbackdoordiscoverypersistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RdpStealer\RdpStealer.exe
    "C:\Users\Admin\AppData\Local\Temp\RdpStealer\RdpStealer.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3104
    • C:\Users\Admin\AppData\Local\Temp\RdpStealer\._cache_RdpStealer.exe
      "C:\Users\Admin\AppData\Local\Temp\RdpStealer\._cache_RdpStealer.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1380
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp191.tmp.cmd""
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3716
        • C:\Windows\SysWOW64\timeout.exe
          timeout 4
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:1880
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2156
      • C:\Users\Admin\AppData\Local\Temp\RdpStealer\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\RdpStealer\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:100
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp153.tmp.cmd""
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3380
          • C:\Windows\SysWOW64\timeout.exe
            timeout 4
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:4268
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:892

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize

    762KB

    MD5

    5316877f3619a1768d3a8025245037c7

    SHA1

    07b0cf82a54614dc269c441fab8784b06d8722fc

    SHA256

    b28e21164f744e66c184e343cb85906f6bed8644841c18819b3d3c247ee65d20

    SHA512

    2644214e119b896fe27b649578956cef2853c0b60404aa26de8d55c2a4ed72d211d13774a815d34c5086e718b5af28a4d7b91c6bcd42a883b303b17020cb89ff

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1MhmTM2A.xlsm
    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\53085E00
    Filesize

    22KB

    MD5

    fc59f3f7628f7d75ee9a88b004640502

    SHA1

    e0bf2bee3defce45400b90c5ffcde4c5091d72a7

    SHA256

    1f63f2e3bbd31e533458c6ac876d34dbc438a6ed7905bfe7d3d3122957b1c9b1

    SHA512

    d6276b0a034bad4d41d958aab4ea5da5d7f09c95cb01e4c017f5b36065ab7444383a9a6007bacea232df2918f543b4a83ac38ad1f2851e8e20242450fd5a3ee4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RdpStealer\._cache_RdpStealer.exe
    Filesize

    8KB

    MD5

    56f70138199c1b666ccce7d33eca29fe

    SHA1

    61da84bfeb7c9b9582704775f523f5ef9dc866fe

    SHA256

    23f7e75257b27c7458330ecff652f3f1819de6ddeafb4fd1ea1ad383581fad4a

    SHA512

    9e927144298f91a4fa5d224632a8f1d8a88d662c781eec0c09016ce060d01c2a1a550316f9abc9bb107dcf96a5570dee463200981db815347b04ac1108392aee

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp153.tmp.cmd
    Filesize

    162B

    MD5

    6da6fb3c293a5a713e89608bf63b577d

    SHA1

    34dc8996f5a6fd3c3cedf16fb4f339c8683f343b

    SHA256

    9b33af1d5b5230496fb1863017e2508ea32428a80e90e2cb549a77269a820041

    SHA512

    90a3ca1c9f3049341638d0b08469510096e4709bd170cf1e74dd2d9bc6b896d47bb2137973afeddd93a4db5cbb9c86898bdc50484da4a23f06957c79f3433b65

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp191.tmp.cmd
    Filesize

    163B

    MD5

    482da9d7a20153358d6fe1d746bebfe6

    SHA1

    59e669cb11a39cbbff7f30cf628df7d94840de2a

    SHA256

    35f28ac3d02198928e1944a32b682a0db6266ad2c5b28cc232812ff160cc2473

    SHA512

    6b5921c1c3ae93888091c4c37af1d898c55dd766835b94583f2346b89caacf7dd2c85d1d424afe7b8fca7bbc11164cb1e7e6c056b945aec3b6d85a98e03dd313

    Download Submit

  • memory/892-196-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/892-193-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/892-195-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/892-192-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/892-194-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/892-197-0x00007FFA3A950000-0x00007FFA3A960000-memory.dmp

    Filesize

    64KB

    Download

  • memory/892-198-0x00007FFA3A950000-0x00007FFA3A960000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1380-129-0x0000000072A4E000-0x0000000072A4F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1380-175-0x0000000000910000-0x0000000000918000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2156-130-0x0000000002120000-0x0000000002121000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2156-253-0x0000000002120000-0x0000000002121000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2156-254-0x0000000000400000-0x00000000004C4000-memory.dmp

    Filesize

    784KB

    Download

  • memory/2156-285-0x0000000000400000-0x00000000004C4000-memory.dmp

    Filesize

    784KB

    Download

  • memory/3104-0-0x00000000005F0000-0x00000000005F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3104-128-0x0000000000400000-0x00000000004C4000-memory.dmp

    Filesize

    784KB

    Download