General

  • Target

    cc474b2294467921e1156d5c72461ca57de5bfcd931d6525b3d4bd74150a0d41.exe

  • Size

    3.5MB

  • Sample

    241126-2q2g9azpcl

  • MD5

    470e9fe6c02e6aa4cb615bb5e27a3901

  • SHA1

    24d99a93454eabbb4fa12358e281daad7969e48b

  • SHA256

    cc474b2294467921e1156d5c72461ca57de5bfcd931d6525b3d4bd74150a0d41

  • SHA512

    2bef2f5dc44e0cd1792dca5c9ca422504ccaddda316f7dddfa1430abb7dc431f404eef92336cfd7d5f2f34715fb9bd1d28a20697462e2d617c15cb580d5349ab

  • SSDEEP

    98304:Lnsmtk2aNXzhW148Pd+Tf1mpcOldJQ3/VY:zL6FK4s0TfLOdo/K

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Targets

    • Target

      cc474b2294467921e1156d5c72461ca57de5bfcd931d6525b3d4bd74150a0d41.exe

    • Size

      3.5MB

    • MD5

      470e9fe6c02e6aa4cb615bb5e27a3901

    • SHA1

      24d99a93454eabbb4fa12358e281daad7969e48b

    • SHA256

      cc474b2294467921e1156d5c72461ca57de5bfcd931d6525b3d4bd74150a0d41

    • SHA512

      2bef2f5dc44e0cd1792dca5c9ca422504ccaddda316f7dddfa1430abb7dc431f404eef92336cfd7d5f2f34715fb9bd1d28a20697462e2d617c15cb580d5349ab

    • SSDEEP

      98304:Lnsmtk2aNXzhW148Pd+Tf1mpcOldJQ3/VY:zL6FK4s0TfLOdo/K

    • Modifies visiblity of hidden/system files in Explorer

    • Xred

      Xred is backdoor written in Delphi.

    • Xred family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Suspicious Office macro

      Office document equipped with macros.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks