General

  • Target

    90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904

  • Size

    3.6MB

  • Sample

    241124-bd766askcn

  • MD5

    c2972d792053690ef2691934ceaa9c3b

  • SHA1

    ed118d6e81af163e6596d31981a594b334efd7eb

  • SHA256

    90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904

  • SHA512

    fec10ed87dd11db615e752f338995dc482a46bf2a5b0337bd9e30b67e9cbbf1f6e061665f79ee5f920e960af0312b34cc16de6ef10e456be0400e117518f7695

  • SSDEEP

    98304:5nsmtk2aKXzhW148Pd+Tf1mpcOldJQ3/Vk3Y:FLtFK4s0TfLOdo/d

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Targets

    • Target

      90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904

    • Size

      3.6MB

    • MD5

      c2972d792053690ef2691934ceaa9c3b

    • SHA1

      ed118d6e81af163e6596d31981a594b334efd7eb

    • SHA256

      90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904

    • SHA512

      fec10ed87dd11db615e752f338995dc482a46bf2a5b0337bd9e30b67e9cbbf1f6e061665f79ee5f920e960af0312b34cc16de6ef10e456be0400e117518f7695

    • SSDEEP

      98304:5nsmtk2aKXzhW148Pd+Tf1mpcOldJQ3/Vk3Y:FLtFK4s0TfLOdo/d

    • Modifies visiblity of hidden/system files in Explorer

    • Xred

      Xred is backdoor written in Delphi.

    • Xred family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks