Overview

overview

10

Static

static

3

Fn Cheat C...er.sys

windows10-2004-x64

1

Fn Cheat C...pp.exe

windows10-2004-x64

1

Fn Cheat C...1).exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Fn Cheat Cracked.rar

  • Size

    6.2MB

  • Sample

    241122-wnjxja1mek

  • MD5

    600751e5c06b74f501784156f18d1c79

  • SHA1

    36ac231fc3db400deab30369b5ef20b995af678c

  • SHA256

    3307062c28428650267d61ad282295e38d5d2f4d2a033824ecfe302cdcc4be3b

  • SHA512

    cc49b242d2a66d1d719ebc69a36ef2ad32c63a8d7f8a4162ac98e24b1da5bff144de114f31f81d4c611547b81847c66e20a15f6f02051b827521198fc7604cc9

  • SSDEEP

    196608:G4wCflR0SjSDiQckcU+PDF/5/ohgY/aULWy:G4w86XcU+55AhgYrWy

Score
10/10
redlinexredinglesbackdoordiscoveryinfostealerpersistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

redline

Botnet

ingles

C2

20.47.120.249:1912

Targets

    • Target

      Fn Cheat Cracked/Driver Dump/driver.sys

    • Size

      9KB

    • MD5

      d28af522ac4c301de527271c2b1b1726

    • SHA1

      ee9d28fff7ae8563cd15cbadd4a9aa10c3040390

    • SHA256

      3868770ba5ca380250143472ba753cc94f2c7c318eabc29b5eb0c5de55b08024

    • SHA512

      d4ad50d1875ba77a164e3166d9a935506234a39240c024c3bed0876c5cdc8b82957d8d707baad8d908da57fc3f3d314a5d378ee229d1add5887a70d8e75c2fdb

    • SSDEEP

      192:wgo2gczvWMcwL/89YcZbZuZxkItZVQHkBAkpT:vokbWM7/65ZNGxkHkB7

    Score
    1/10
    behavioral1

    • Target

      Fn Cheat Cracked/Driver Dump/mapp.exe

    • Size

      143KB

    • MD5

      98139cee6a27bc7115b7dec0ccc0d56d

    • SHA1

      c73c945b4c0666668afc0c56ac9518108b532ce6

    • SHA256

      e7b9b250e62a5b9fbc0e49e7d572c33bc91df667f0d65c8a4e8f3e11762ca61c

    • SHA512

      8f6d68688944d4f51aebd9b8a8209e1ffa1e8ce4437c2d4529d0a1f57daaba73689a9af1ae4a254865801662305cfd7eae2117ad482911835c146fbdc3889811

    • SSDEEP

      3072:0nQGQ/taw4jXYpdxLc9wNImJTQSaMm5/6fGNv7qObYop3o:eQGIUw4DwkaWlMJ6Zp4

    Score
    1/10
    behavioral2

    • Target

      Fn Cheat Cracked/fn (1).exe

    • Size

      6.1MB

    • MD5

      75104ebb7b59d1cee81ee9855b0bfa0c

    • SHA1

      122d4239f5e838c40a905bf8ee4270d2e7526367

    • SHA256

      1cd7a63a349eacea2579932f9fdf40edf2eb57b62b76b18a92c1b7d0c82c81e0

    • SHA512

      d9aebd3fc23ee26e6135b3b1607c2450c2a837aa383c24cd056ad63e1df7a5dfdc072a6f4f3654008d15d81eee339b25fb9e638a27eabf8bd314825a6c96de53

    • SSDEEP

      196608:l4wCflR0SjSDiQckcU+PDF/5/ohgY/aULW:l4w86XcU+55AhgYrW

    Score
    10/10
    redlinexredinglesbackdoordiscoveryinfostealerpersistence

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • Xred

      Xred is backdoor written in Delphi.

      backdoorxred

    • Xred family

      xred

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral3

MITRE ATT&CK Enterprise v15

Tasks