General
-
Target
MirroredTemp.exe
-
Size
60.0MB
-
Sample
241208-r6xtws1phj
-
MD5
99cf7921de86b345d414004926480081
-
SHA1
776d3982615ad7e13c2f1cc8ce7b50d997342188
-
SHA256
403f6204be4db0ac4cbe1bbe2067f7cca87de8b889862f3db02b48364c67be9d
-
SHA512
9fc2016289acdf343eaef5952100c42d8adcf553b8f07235888fabf80ce2d9cba0f79a9fb60bc80fe9a2bea1a523a831a161f0416cedc5a59f4763bbd40839df
-
SSDEEP
1572864:RESUmxQqMrlpA+Ql4LMkxTivfS4qYaYcFJfJ:iSUmxykl0xenLuzFJR
Static task
static1
Behavioral task
behavioral1
Sample
MirroredTemp.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
MirroredTemp.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Targets
-
-
Target
MirroredTemp.exe
-
Size
60.0MB
-
MD5
99cf7921de86b345d414004926480081
-
SHA1
776d3982615ad7e13c2f1cc8ce7b50d997342188
-
SHA256
403f6204be4db0ac4cbe1bbe2067f7cca87de8b889862f3db02b48364c67be9d
-
SHA512
9fc2016289acdf343eaef5952100c42d8adcf553b8f07235888fabf80ce2d9cba0f79a9fb60bc80fe9a2bea1a523a831a161f0416cedc5a59f4763bbd40839df
-
SSDEEP
1572864:RESUmxQqMrlpA+Ql4LMkxTivfS4qYaYcFJfJ:iSUmxykl0xenLuzFJR
-
Xred family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Hide Artifacts: Hidden Files and Directories
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3