General

  • Target

    df935b9361d774ecac1e063264480ec45c833a99182f6934bedac4d58bcf14b9N.exe

  • Size

    2.3MB

  • Sample

    241120-aqtc4awdnd

  • MD5

    e458deafb28333f548c26abb8ab87360

  • SHA1

    0c1fdb03cfc6006c3c698fbfc853d1e9371cfe76

  • SHA256

    df935b9361d774ecac1e063264480ec45c833a99182f6934bedac4d58bcf14b9

  • SHA512

    eb62aedc33c5a9f48bc9153774fb91f71e2e160fc679f1b7eeb7982c1aab13a8dd206ea51ca39f143b6ed7dcf2660851d43109784639d6adec61bd4ebdaa8ad6

  • SSDEEP

    49152:dnsHyjtk2MYC5GDNYTWPNykHuuSshTypt:dnsmtk2adeoiOln

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Targets

    • Target

      df935b9361d774ecac1e063264480ec45c833a99182f6934bedac4d58bcf14b9N.exe

    • Size

      2.3MB

    • MD5

      e458deafb28333f548c26abb8ab87360

    • SHA1

      0c1fdb03cfc6006c3c698fbfc853d1e9371cfe76

    • SHA256

      df935b9361d774ecac1e063264480ec45c833a99182f6934bedac4d58bcf14b9

    • SHA512

      eb62aedc33c5a9f48bc9153774fb91f71e2e160fc679f1b7eeb7982c1aab13a8dd206ea51ca39f143b6ed7dcf2660851d43109784639d6adec61bd4ebdaa8ad6

    • SSDEEP

      49152:dnsHyjtk2MYC5GDNYTWPNykHuuSshTypt:dnsmtk2adeoiOln

    • Xred

      Xred is backdoor written in Delphi.

    • Xred family

    • Drops file in Drivers directory

    • Manipulates Digital Signatures

      Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks