General

  • Target

    1ce6e133b0aee819669af334b31e321a44f74020d2e36e43183f7aedd87cc137.7z

  • Size

    5.2MB

  • Sample

    241121-fzhkvatmbj

  • MD5

    be3bd237e879f004ea89be663492aacb

  • SHA1

    5b18781fd0d6702e18ac9a9a83b1621c641d8373

  • SHA256

    97b7c2b1f5ffd5bae4799483d416012ceede6b2cff5087220e045af1913747ec

  • SHA512

    f15c85a640e98f40009f21e9e9fafd786ad3f05e2ead1cbaee799bfb2f39d9b938f9def1e1678835648ede013cad8c17f365afbde2bf5c71f99c2023f189ee46

  • SSDEEP

    98304:GnzdFMJEa7QiyzRV9CDcQqlPlIQeH+G8mqQ4IOv43T53P033IsZ112svhS:4rMJ7/yzRcqliN78nQUv493PJs1fvo

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Targets

    • Target

      1ce6e133b0aee819669af334b31e321a44f74020d2e36e43183f7aedd87cc137

    • Size

      5.7MB

    • MD5

      6ef27d77f5e163e63bcef83aad488dac

    • SHA1

      e58d1eea2b997c9c57ed917002aa3f180258283d

    • SHA256

      1ce6e133b0aee819669af334b31e321a44f74020d2e36e43183f7aedd87cc137

    • SHA512

      73e29cdd50eea7d2dc9ac2fb9f34c030f45e89a45e2e6c9cc2cac027cd70bfb92dcfa2a7bd0db1980df46d3686c18d5105f6c4fc33560c42654ae0ce5e4b8d0a

    • SSDEEP

      98304:snsmtk2a1oiKjvpG51TDyWAYAZkEIVGzUihpHQSUggLFsXmL+uEqZEJh9bkUDRpp:CLO+jvIALYih2SUgpXa+jKEJh9b/9D

    • Xred

      Xred is a backdoor written in Delphi.

    • Xred family

    • Manipulates Digital Signatures

      Attackers can apply techniques such as modifying the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.

    • Suspicious Office macro

      Office document equipped with macros.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

MITRE ATT&CK Enterprise v15

Tasks