xred | c3d08da4de1efa0d5aeda92e1a6a414f5a1b6155a15487c6a14e3eead20a3e41 | Triage

Resubmissions

29-11-2024 09:09

241129-k4l62sxkax 10

31-12-2023 13:14

231231-qgt62aghen 7

Sharing

General

Target

378934719d9eaaccb26897d7ec92828b
Size

1.5MB
Sample

241129-k4l62sxkax
MD5

378934719d9eaaccb26897d7ec92828b
SHA1

90b1c3843c3c52d745009742b8b11155482aad26
SHA256

c3d08da4de1efa0d5aeda92e1a6a414f5a1b6155a15487c6a14e3eead20a3e41
SHA512

fd8c1cc2c866224947cf1b9d662eb36884790a33cd23e5843b700c3b71df44af55b76cde0ad66f3834c7129a8cc47770ce88b84f62d755a791981953e8774fec
SSDEEP

24576:ensJ39LyjbJkQFMhmC+6GD9cwTwVsCAIr8Blu/GdbsmPLWRP9GVbDGghUeEMl:ensHyjtk2MYC5GDhqAIr8/ZAlP9GVn5l

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Targets

- Target
  
  378934719d9eaaccb26897d7ec92828b
- Size
  
  1.5MB
- MD5
  
  378934719d9eaaccb26897d7ec92828b
- SHA1
  
  90b1c3843c3c52d745009742b8b11155482aad26
- SHA256
  
  c3d08da4de1efa0d5aeda92e1a6a414f5a1b6155a15487c6a14e3eead20a3e41
- SHA512
  
  fd8c1cc2c866224947cf1b9d662eb36884790a33cd23e5843b700c3b71df44af55b76cde0ad66f3834c7129a8cc47770ce88b84f62d755a791981953e8774fec
- SSDEEP
  
  24576:ensJ39LyjbJkQFMhmC+6GD9cwTwVsCAIr8Blu/GdbsmPLWRP9GVbDGghUeEMl:ensHyjtk2MYC5GDhqAIr8/ZAlP9GVn5l
Score

10^/10

xred backdoor discovery persistence
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xredbackdoordiscoverypersistence