Resubmissions

29-11-2024 09:11

241129-k5pcssxkew 10

29-11-2024 09:11

241129-k5kdvaslhk 10

30-12-2023 12:12

231230-pdbpvaegdr 7

General

  • Target

    1826dc0bc1edf7510e7e82711ca89740

  • Size

    5.8MB

  • Sample

    241129-k5pcssxkew

  • MD5

    1826dc0bc1edf7510e7e82711ca89740

  • SHA1

    12bfe4f2bb5782830817e4f1b818d4986b54dc8e

  • SHA256

    8cce2bf81d0b937fb5256b69b497435b05ea9a4cf34f570592267897782d2d2b

  • SHA512

    1842a709abd8720870d601dc5c85d3b48da463c6ea40ced511ee864b4f07e455a9dea8f80c474201af607138c4385c43b4c8a29e441bed66b8e01cf5d6158c7d

  • SSDEEP

    98304:DCZJWS6j+ezs/dQ9I6J4ufBwsLsEzSxJYAsyddjY1JOjrtVvBLuN2AjDWYbZd8ta:WZJQj+rq9TJ42lLs1YATT+cr/ZuNrvWa

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll
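The extracted configuration above is directly usable as a hunting list. The script below is an added example, not code from this report, from the sandbox platform that produced it, or from the xred sample: it turns the C2 domain, payload URLs and file hashes on this page into a matcher and runs it over a few constructed DNS, proxy and EDR log lines (the IP addresses, timestamps and file paths are made up). The one assumption beyond the page is that xred.site50.net, which serves three of the payload URLs, is operator-controlled and can be matched on hostname like the C2; the Google Docs, Dropbox and freedns.afraid.org entries are shared services and are matched on the full URL only, because alerting on those hostnames would flag every legitimate user.

```python
"""IOC matcher built from the indicators in this report.

Added example: not code from the sandbox report, the platform that
produced it, or the xred malware. Indicator values are copied from the
report; the log lines under SAMPLE_LOGS are constructed.
"""
import re
from urllib.parse import urlsplit

# Indicators copied from the report.
C2_DOMAIN = "xred.mooo.com"
PAYLOAD_URLS = [
    "http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download",
    "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1",
    "http://xred.site50.net/syn/SUpdate.ini",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download",
    "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1",
    "http://xred.site50.net/syn/Synaptics.rar",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download",
    "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1",
    "http://xred.site50.net/syn/SSLLibrary.dll",
]
FILE_HASHES = {  # lowercase hex -> label, from the General and Targets sections
    "1826dc0bc1edf7510e7e82711ca89740": "submitted sample (MD5)",
    "8cce2bf81d0b937fb5256b69b497435b05ea9a4cf34f570592267897782d2d2b": "submitted sample (SHA256)",
    "babd90df8276efdedb7a0510d6d6e8aa": "winer/Winner_Free.exe (MD5)",
    "925840c7fa54b3bd5f8df5ed843d6872e30c95b423b10dedf6c6f56ec92dec7a": "winer/Winner_Free.exe (SHA256)",
}

# Assumption: the dynamic-DNS C2 and the free-hosting subdomain are operator
# controlled, so any contact with them (DNS or HTTP, subdomains included) is a hit.
ATTACKER_HOSTS = {C2_DOMAIN, "xred.site50.net"}


def _key(url):
    """Normalise a URL to (host, path, query); scheme, host case and fragment are ignored."""
    p = urlsplit(url.strip())
    return (p.hostname or "").lower().rstrip("."), p.path or "/", p.query


# Payloads parked on shared services (Google Docs, Dropbox, freedns.afraid.org)
# are matched on the full URL only; their hostnames are not indicators.
SHARED_SERVICE_URLS = {_key(u) for u in PAYLOAD_URLS if _key(u)[0] not in ATTACKER_HOSTS}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)  # bare hostnames, e.g. DNS logs
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{32})\b", re.I)  # SHA256 or MD5


def _is_attacker_host(host):
    host = host.lower()
    return any(host == a or host.endswith("." + a) for a in ATTACKER_HOSTS)


def scan_line(line):
    """Return [(kind, indicator), ...] for one log line, without duplicates."""
    hits, seen = [], set()

    def add(kind, value):
        if (kind, value) not in seen:
            seen.add((kind, value))
            hits.append((kind, value))

    for url in URL_RE.findall(line):
        host, path, query = _key(url)
        if _is_attacker_host(host):
            add("attacker_host", host)
        elif (host, path, query) in SHARED_SERVICE_URLS:
            add("payload_url", url)
    rest = URL_RE.sub(" ", line)  # avoid re-matching hosts that sit inside URLs
    for host in HOST_RE.findall(rest):
        if _is_attacker_host(host):
            add("attacker_host", host.lower())
    for h in HASH_RE.findall(rest):
        if h.lower() in FILE_HASHES:
            add("file_hash", h.lower())
    return hits


def scan_logs(lines):
    """Return [(line_number, kind, indicator), ...] over an iterable of log lines."""
    return [(n, kind, ioc) for n, line in enumerate(lines, 1) for kind, ioc in scan_line(line)]


# Constructed log lines: hosts 10.0.0.5 (infected) and 10.0.0.7 (clean) are made up.
SAMPLE_LOGS = [
    "2024-11-29T09:12:01Z dns 10.0.0.5 query A xred.mooo.com.",
    "2024-11-29T09:12:03Z proxy 10.0.0.5 GET https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1 200",
    "2024-11-29T09:12:04Z proxy 10.0.0.5 GET http://XRED.site50.net/syn/Synaptics.rar 404",
    "2024-11-29T09:12:05Z proxy 10.0.0.7 GET https://www.dropbox.com/s/otherfile/report.pdf?dl=1 200",
    "2024-11-29T09:12:06Z proxy 10.0.0.7 GET https://docs.google.com/document/d/1AbC/edit 200",
    "2024-11-29T09:12:09Z edr 10.0.0.5 file_create C:\\Users\\u\\Downloads\\Winner_Free.exe sha256="
    "925840c7fa54b3bd5f8df5ed843d6872e30c95b423b10dedf6c6f56ec92dec7a",
    "2024-11-29T09:12:10Z edr 10.0.0.7 file_create C:\\Users\\v\\Downloads\\setup.exe sha256=" + "0" * 64,
]

if __name__ == "__main__":
    for n, kind, ioc in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {kind} {ioc} {FILE_HASHES.get(ioc, '')}".rstrip())
```

Running the file reports the C2 lookup, the Dropbox payload fetch, the xred.site50.net fetch and the dropped-file hash, and stays silent on the unrelated Dropbox and Google Docs requests. The SSDEEP values on this page are deliberately not used here: fuzzy hashes need the ssdeep library and a similarity threshold, not an exact lookup.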

Targets

    • Target

      winer/Winner_Free.exe

    • Size

      6.3MB

    • MD5

      babd90df8276efdedb7a0510d6d6e8aa

    • SHA1

      9a43619fea06385a32a8bda7f125c834b7824f0a

    • SHA256

      925840c7fa54b3bd5f8df5ed843d6872e30c95b423b10dedf6c6f56ec92dec7a

    • SHA512

      7b703f1006f0a67184e95072eb14f5c24161e45ad134e690fc4b25640798e6ecd966d14c736f5782e5efd4d604a34bc89805257250cd80ba9bae30715df9e159

    • SSDEEP

      98304:xnsmtk2aPV6s5YTnGUIcNAYDtYsvs6zqVXoQW07XlOVZ+dHXn8RXHhxBh7ZM5DBW:NLiV6s5XUxNAotvsjoQhLGQHuXrEBW

    • Xred

      Xred is a backdoor written in Delphi.

    • Xred family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with the VMProtect commercial packer.

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks