General
-
Target
cc474b2294467921e1156d5c72461ca57de5bfcd931d6525b3d4bd74150a0d41.exe
-
Size
3.5MB
-
Sample
241126-2q2g9azpcl
-
MD5
470e9fe6c02e6aa4cb615bb5e27a3901
-
SHA1
24d99a93454eabbb4fa12358e281daad7969e48b
-
SHA256
cc474b2294467921e1156d5c72461ca57de5bfcd931d6525b3d4bd74150a0d41
-
SHA512
2bef2f5dc44e0cd1792dca5c9ca422504ccaddda316f7dddfa1430abb7dc431f404eef92336cfd7d5f2f34715fb9bd1d28a20697462e2d617c15cb580d5349ab
-
SSDEEP
98304:Lnsmtk2aNXzhW148Pd+Tf1mpcOldJQ3/VY:zL6FK4s0TfLOdo/K
Behavioral task
behavioral1
Sample
cc474b2294467921e1156d5c72461ca57de5bfcd931d6525b3d4bd74150a0d41.exe
Resource
win7-20241010-en
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Targets
-
-
Target
cc474b2294467921e1156d5c72461ca57de5bfcd931d6525b3d4bd74150a0d41.exe
-
Size
3.5MB
-
MD5
470e9fe6c02e6aa4cb615bb5e27a3901
-
SHA1
24d99a93454eabbb4fa12358e281daad7969e48b
-
SHA256
cc474b2294467921e1156d5c72461ca57de5bfcd931d6525b3d4bd74150a0d41
-
SHA512
2bef2f5dc44e0cd1792dca5c9ca422504ccaddda316f7dddfa1430abb7dc431f404eef92336cfd7d5f2f34715fb9bd1d28a20697462e2d617c15cb580d5349ab
-
SSDEEP
98304:Lnsmtk2aNXzhW148Pd+Tf1mpcOldJQ3/VY:zL6FK4s0TfLOdo/K
-
Modifies visiblity of hidden/system files in Explorer
-
Xred family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Virtualization/Sandbox Evasion
1