General

  • Target

    df44de684671c741c6829e74c2ca682c7db85240fa600b769d7cee78a3b73776

  • Size

    1.2MB

  • Sample

    241120-fcrj8s1cjc

  • MD5

    b5b47f531d7f154f40987c7298eeead8

  • SHA1

    f4a3e41d668ebde5403c7e6ecdefebb69733a244

  • SHA256

    df44de684671c741c6829e74c2ca682c7db85240fa600b769d7cee78a3b73776

  • SHA512

    cd5aa21d668c571a86e8ba61a5b4b537b3ef4bdc7002a7843693a362acbf37fae81ac78164dab5809ef007c63cc55e1ba450c4afbf8f6e3253519258a4fd46dd

  • SSDEEP

    24576:oG+/8l+k1W0tq78x3s+hPNt790/ASMcmqhrbjXxI+PpKWSJTzCduD:L+/8l+kAf78x3B2ASMHKrfPpATz3D

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Targets

    • Target

      df44de684671c741c6829e74c2ca682c7db85240fa600b769d7cee78a3b73776

    • Size

      1.2MB

    • MD5

      b5b47f531d7f154f40987c7298eeead8

    • SHA1

      f4a3e41d668ebde5403c7e6ecdefebb69733a244

    • SHA256

      df44de684671c741c6829e74c2ca682c7db85240fa600b769d7cee78a3b73776

    • SHA512

      cd5aa21d668c571a86e8ba61a5b4b537b3ef4bdc7002a7843693a362acbf37fae81ac78164dab5809ef007c63cc55e1ba450c4afbf8f6e3253519258a4fd46dd

    • SSDEEP

      24576:oG+/8l+k1W0tq78x3s+hPNt790/ASMcmqhrbjXxI+PpKWSJTzCduD:L+/8l+kAf78x3B2ASMHKrfPpATz3D

    • Xred

      Xred is a backdoor written in Delphi.

    • Xred family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Adds Run key to start application

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks