General

  • Target

    3b4b87fdc8c5531b416d5d9817c8ea165c8a79ad4d23154a50cd55a4965a585d

  • Size

    1.2MB

  • Sample

    241119-1czk3axrdp

  • MD5

    0de4333f75d28ab023f56e208ea1f4f2

  • SHA1

    7edd7e6ce18728cbe132c256bbdc51a7b24002d5

  • SHA256

    3b4b87fdc8c5531b416d5d9817c8ea165c8a79ad4d23154a50cd55a4965a585d

  • SHA512

    d8c0cf967227837f9d49dd271e99c408d63909cc954074dc21f1fb788bb5bf1bccd9e5a1b7c997b2373b35ff0897fe43bcd3221e38a708642a14493a6271e54e

  • SSDEEP

    24576:oGl/8l+k1W0tq78x3s+hPNt790/ASMcmqhrbjXxI+PpKWSJTzCduD:Ll/8l+kAf78x3B2ASMHKrfPpATz3D

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Targets

    • Target

      3b4b87fdc8c5531b416d5d9817c8ea165c8a79ad4d23154a50cd55a4965a585d

    • Size

      1.2MB

    • MD5

      0de4333f75d28ab023f56e208ea1f4f2

    • SHA1

      7edd7e6ce18728cbe132c256bbdc51a7b24002d5

    • SHA256

      3b4b87fdc8c5531b416d5d9817c8ea165c8a79ad4d23154a50cd55a4965a585d

    • SHA512

      d8c0cf967227837f9d49dd271e99c408d63909cc954074dc21f1fb788bb5bf1bccd9e5a1b7c997b2373b35ff0897fe43bcd3221e38a708642a14493a6271e54e

    • SSDEEP

      24576:oGl/8l+k1W0tq78x3s+hPNt790/ASMcmqhrbjXxI+PpKWSJTzCduD:Ll/8l+kAf78x3B2ASMHKrfPpATz3D

    • Xred

      Xred is backdoor written in Delphi.

    • Xred family

    • Suspicious Office macro

      Office document equipped with macros.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Adds Run key to start application

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks