xred | 447c72c5138078fc11668200f09edaff028ceb40097e409b3ff49125fcc79c9a | Triage

Sharing

General

Target

MSRX.7z
Size

591KB
Sample

241203-2pacdatnbp
MD5

63b8469f969f26dba70a4017c8efa341
SHA1

fb1f0f0bae8f5c2a67ff0d650a192058dd006de0
SHA256

447c72c5138078fc11668200f09edaff028ceb40097e409b3ff49125fcc79c9a
SHA512

ddff04f1c17e6b3a53b2b1f8b9085cb1e5548f9501017123bfd3bc450789265efa9c43f9d9c4cd825ba80a7e085a2f6ac98009ca8f3ac17b1b066a88d50f2972
SSDEEP

12288:vlWrgFvUlZTm25tRGIxNDZCvcYqAZ+IJuxWKxo9sZBsv0r1/85Q:dWreYTj5tRGIRCvcEZ+s+9Z6cr98q

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Targets

- Target
  
  MSRX/MSRX.exe
- Size
  
  1.8MB
- MD5
  
  8eed22631ca6a1573f8bd6443abf9a63
- SHA1
  
  1dd9578345f9e5fd9837ffeb5792d64e5b5dc2f3
- SHA256
  
  01eaf6db3eff96a405c630ead532557d77d1f22383cf3521eb61cc041d432b9a
- SHA512
  
  f09acb725d9ae0ea2309e70c04dc626157fb2997ca901ebb0ec9768657fca1b521c1d4481f5873b3077b44580853bf53d5523a43904205f88c4533a134c396a2
- SSDEEP
  
  24576:BnsJ39LyjbJkQFMhmC+6GD9UBNMplUHK/AtanJ9jWxAbLH:BnsHyjtk2MYC5GDOMUHgZpWAn
Score

10^/10

xred backdoor discovery persistence
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2
- Target
  
  MSRX/MagAPI.dll
- Size
  
  58KB
- MD5
  
  67f3472d5436422c52a7640f6b1d66cd
- SHA1
  
  07a7ae6736a49e9de47b9d3e4538c2fbc5041862
- SHA256
  
  a4411273bc0c39afdc29b9e1e66f5880f644918a374f4ad079b0fa5eac3493bd
- SHA512
  
  4365fcde2c5da35392a8400fc83d5189d573c174c58f26158dc1682f14935716be9c922f7bc4fc08c536610a35d543aa879fa365d1f6d5792d3bd2c785a123da
- SSDEEP
  
  1536:UaVrde9a+SQmRdRhT3LILKHYlHGkl5+H5F4GkG9NCDjp:pekddRhOKZk/+H5jNYp
Score

3^/10

discovery
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xredbackdoordiscoverypersistence

behavioral2

xredbackdoordiscoverypersistence

behavioral3

behavioral4