xred

Sharing

Copy URL

Twitter E-mail

General

Target

Discord Account Generator v2.rar
Size

27.9MB
Sample

241207-2p3nxsxrdy
MD5

97f49dcd2417f7949b8a1f5aad275254
SHA1

ce210e43b79bf0da292830d62f9126f9c48fefda
SHA256

5de180ff35a8a0835dc704f4b8551fb1bb196837358c2020f84849c4f517fad8
SHA512

b842e825dd3102336ee41237710f87867c202dc447d529710011bb5f18fe9f24c857ef6660851b0eaf78cec4b4649d7557c6835a455b854a32cf654088c49d85
SSDEEP

786432:vhQth3Z6+q3KZUlYIPJhQth3Z6+q3KZUlYIPN:vWhzBZKBWhzBZK1

Score

10^/10

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Targets

- Target
  
  Discord Account Generator v2/AlphaFS.lib
- Size
  
  13.2MB
- MD5
  
  3a49c6ce407d3b7757c99bd6d6af8724
- SHA1
  
  0793415a29df3b80ed1652b804c142fd07432e73
- SHA256
  
  9bcf497f05bd39935654dc7b92af299794a3f6fad83a37f2fbfc097b664645c5
- SHA512
  
  8efeb1a4d77527d234a6777c8324f19a61d3a0f012d1171620ef240f24c076a503a3dfcdd91b7239e69b8e5554bea330e663773d8a6e38d485e0bc2b8fb60747
- SSDEEP
  
  393216:IVm9jIg3Mf+WJno10MzU1oFw4EHykhp3kWGCjuq:IV2W++oiMzQn1hZKCjuq
Score

7^/10
- Loads dropped DLL
behavioral1
- Target
  
  Discord Account Generator v2/DiscordGenerator.exe
- Size
  
  226KB
- MD5
  
  768baf6ab6a559b6f01db21660baea67
- SHA1
  
  e3ac1aa045def382517ee8ad34f17b73083df128
- SHA256
  
  5f87f1ab9a87bd981a4a2c6173989948086ed8681763fec48cdc4fb1ae854237
- SHA512
  
  96404cd3a7c42bd6ad98e17f8a790dca48d5287dfb7169bc696870a07a139b16eb1cd3f8c46a281e4e2d93bde06e6c2d6e48be4a6c767c5add7742743471cf5d
- SSDEEP
  
  3072:84lRaB+zSSfIF18Gpt+hEjU+dTKye0VNE4+jjjjcjjjjN7uoF:86RakJq+hSE0VNsjjjjcjjjjE
Score

10^/10

xred backdoor discovery execution persistence
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral2
- Target
  
  Discord Account Generator v2/RDXService/AlphaFS.lib
- Size
  
  13.2MB
- MD5
  
  3a49c6ce407d3b7757c99bd6d6af8724
- SHA1
  
  0793415a29df3b80ed1652b804c142fd07432e73
- SHA256
  
  9bcf497f05bd39935654dc7b92af299794a3f6fad83a37f2fbfc097b664645c5
- SHA512
  
  8efeb1a4d77527d234a6777c8324f19a61d3a0f012d1171620ef240f24c076a503a3dfcdd91b7239e69b8e5554bea330e663773d8a6e38d485e0bc2b8fb60747
- SSDEEP
  
  393216:IVm9jIg3Mf+WJno10MzU1oFw4EHykhp3kWGCjuq:IV2W++oiMzQn1hZKCjuq
Score

7^/10
- Loads dropped DLL
behavioral3
- Target
  
  Discord Account Generator v2/RDXService/Ionic.Zip.dll
- Size
  
  480KB
- MD5
  
  f6933bf7cee0fd6c80cdf207ff15a523
- SHA1
  
  039eeb1169e1defe387c7d4ca4021bce9d11786d
- SHA256
  
  17bb0c9be45289a2be56a5f5a68ec9891d7792b886e0054bc86d57fe84d01c89
- SHA512
  
  88675512daa41e17ce4daf6ca764ccb17cd9633a7c2b7545875089cae60f6918909a947f3b1692d16ec5fa209e18e84bc0ff3594f72c3e677a6cca9f3a70b8d6
- SSDEEP
  
  6144:OhagC/Mq25o9sXGtSV41OJDsTDDVUMle6ZjxLV/kHu4Bht79I9:iagxWS4msNUCe65fkHdBf9
Score

1^/10
behavioral4
- Target
  
  Discord Account Generator v2/RDXService/Jint.exe
- Size
  
  959KB
- MD5
  
  68a9f00a8e353b412f6f874c319aa5f1
- SHA1
  
  53a0e6f2ee1405c98871c5f5eb1fd2bf4b8d8d7d
- SHA256
  
  4de87cf5d3b6e29a4f5a870d2f267eb9628ca158ef9504508dec6e06503406cd
- SHA512
  
  f00123c27153f0bb540237f80e3526d0d36d7cf873d061a4db3d68de6b10827d6dec5fe2aca43d30365416f6caa7537686ca8c9a78de18aad333d90e188a357b
- SSDEEP
  
  12288:3MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9CltSGCFuJ9lTDd6S7sQoh:3nsJ39LyjbJkQFMhmC+6GD9mtSa7s1h
Score

10^/10

xred backdoor discovery persistence
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral5
- Target
  
  Discord Account Generator v2/RDXService/Launcher.exe
- Size
  
  53KB
- MD5
  
  c6d4c881112022eb30725978ecd7c6ec
- SHA1
  
  ba4f96dc374195d873b3eebdb28b633d9a1c5bf5
- SHA256
  
  0d87b9b141a592711c52e7409ec64de3ab296cddc890be761d9af57cea381b32
- SHA512
  
  3bece10b65dfda69b6defbf50d067a59d1cd1db403547fdf28a4cbc87c4985a4636acfcff8300bd77fb91f2693084634d940a91517c33b5425258835ab990981
- SSDEEP
  
  768:FKtnBTTQi/YqMFlVt52ftDhKeoNzZq8OujxUu5XEAb4b9yvMzUV5:qBTUgYFveDRuFEAb4b99QV5
Score

8^/10

discovery execution persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral6
- Target
  
  Discord Account Generator v2/RDXService/WPFToolkit.dll
- Size
  
  456KB
- MD5
  
  195ed09e0b4f3b09ea4a3b67a0d3f396
- SHA1
  
  01a250631397c93c4aab9a777a86e39fd8d84f09
- SHA256
  
  aef9fcbb874fc82e151e32279330061f8f22a77c05f583a0cb5e5696654ac456
- SHA512
  
  b801c03efa3e8079366a7782d2634a3686d88f64c3c31a03aa5ce71b7bf472766724d209290c231d55da89dd4f03bd1c0153ffeb514e1d5d408cc2c713cd4098
- SSDEEP
  
  6144:ABk34hZ9hNZbkDu0WtH7epyiNrt3329rzSkmN0OE0QxlmGJcdBI8rO7le2LvFVNs:OhuUiNrt33sSkmN0OE0QyGJeBwL/G5
Score

1^/10
behavioral7
- Target
  
  Discord Account Generator v2/RDXService/build.lib
- Size
  
  255KB
- MD5
  
  8629c65903ca26e7ffada84c69ae0972
- SHA1
  
  015673ba0498ae35bd4da1c3ba45bab5fbfa18ce
- SHA256
  
  adc6887d772f9f47ab67406cc9ea7dd0177b94d84f98124fc712b9e66208dd0d
- SHA512
  
  6a3b8717daeaed8dde18cedcb1c6fc31932f01234a63b80f37c6960f7212255cd32d1c3135d84da773e7b94ad1f326cc965463b9fc68f35b8b5449ff70d79af7
- SSDEEP
  
  6144:Ja1FAmxe7NnOrQS8ksy3tiun59xSAO5Lxgl:JarAee7NnOrQS5sun59Aftgl
Score

3^/10

discovery
behavioral8
- Target
  
  Discord Account Generator v2/RDXService/rdpcorets.dll
- Size
  
  1.5MB
- MD5
  
  b68448b360e7660dbf1d48f2a15087f9
- SHA1
  
  35a7a6bf7c94804c94d6b7423d7e58d28fcba4b0
- SHA256
  
  0570048261865f95bfa88d97ed32afe75b6e376d4c7050a2aeb956bdaca45a34
- SHA512
  
  fb342aec978504646649dc573971a5bec83aa3f34abffa70f30bbd2841c3fe1e1a10c421c903c3a1ca390480c5f731cf7552d3143ba60eb09e8ea2c78dee9565
- SSDEEP
  
  24576:Qs1R+rNZvVovzDczVH/GD5cAlDfMz+1EuC0FmLbucF/vgM1BxSudoC3qfgdAEBe+:QKR+rNZvVovzDc5H/GD59Nk+1EuC0Fm/
Score

1^/10
behavioral9
- Target
  
  Discord Account Generator v2/WPFToolkit.dll
- Size
  
  456KB
- MD5
  
  195ed09e0b4f3b09ea4a3b67a0d3f396
- SHA1
  
  01a250631397c93c4aab9a777a86e39fd8d84f09
- SHA256
  
  aef9fcbb874fc82e151e32279330061f8f22a77c05f583a0cb5e5696654ac456
- SHA512
  
  b801c03efa3e8079366a7782d2634a3686d88f64c3c31a03aa5ce71b7bf472766724d209290c231d55da89dd4f03bd1c0153ffeb514e1d5d408cc2c713cd4098
- SSDEEP
  
  6144:ABk34hZ9hNZbkDu0WtH7epyiNrt3329rzSkmN0OE0QxlmGJcdBI8rO7le2LvFVNs:OhuUiNrt33sSkmN0OE0QyGJeBwL/G5
Score

1^/10
behavioral10
- Target
  
  Discord Account Generator v2/build.lib
- Size
  
  255KB
- MD5
  
  8629c65903ca26e7ffada84c69ae0972
- SHA1
  
  015673ba0498ae35bd4da1c3ba45bab5fbfa18ce
- SHA256
  
  adc6887d772f9f47ab67406cc9ea7dd0177b94d84f98124fc712b9e66208dd0d
- SHA512
  
  6a3b8717daeaed8dde18cedcb1c6fc31932f01234a63b80f37c6960f7212255cd32d1c3135d84da773e7b94ad1f326cc965463b9fc68f35b8b5449ff70d79af7
- SSDEEP
  
  6144:Ja1FAmxe7NnOrQS8ksy3tiun59xSAO5Lxgl:JarAee7NnOrQS5sun59Aftgl
Score

3^/10

discovery
behavioral11
- Target
  
  Discord Account Generator v2/rdpcorets.dll
- Size
  
  1.5MB
- MD5
  
  b68448b360e7660dbf1d48f2a15087f9
- SHA1
  
  35a7a6bf7c94804c94d6b7423d7e58d28fcba4b0
- SHA256
  
  0570048261865f95bfa88d97ed32afe75b6e376d4c7050a2aeb956bdaca45a34
- SHA512
  
  fb342aec978504646649dc573971a5bec83aa3f34abffa70f30bbd2841c3fe1e1a10c421c903c3a1ca390480c5f731cf7552d3143ba60eb09e8ea2c78dee9565
- SSDEEP
  
  24576:Qs1R+rNZvVovzDczVH/GD5cAlDfMz+1EuC0FmLbucF/vgM1BxSudoC3qfgdAEBe+:QKR+rNZvVovzDc5H/GD59Nk+1EuC0Fm/
Score

1^/10
behavioral12

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Loads dropped DLL

Xred family

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Loads dropped DLL

Xred

Xred family

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Executes dropped EXE

Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12