General
-
Target
MirroredTemp.zip
-
Size
60.7MB
-
Sample
241208-w12m4swnfn
-
MD5
426dbda31c5464395fdbb8c71578b064
-
SHA1
62f451e2c9eb9dac92c05d256c8a91a0fe232a11
-
SHA256
2a62bb02fdeecca8f59e0ed1f6590d6ca2f09487ff6fb1b06731ca620d7b7d25
-
SHA512
0227e67310a81c8c2d46c7cfb671390173e9d300acc0028589029cb3e8179d650d55ca5b8e470293040c6556d194f1a3386633dde9f901e699af9e4e789cbc9d
-
SSDEEP
1572864:9YIpD4rytnGkdPmEBvEULWDZDiEPGQ8r7AKOQU7eG:Cvyp4yVL6uEuQ8nTOv7eG
Static task
static1
Behavioral task
behavioral1
Sample
Guna.UI2.dll
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
Guna.UI2.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Mirrored Temp.exe
Resource
win7-20240729-en
Behavioral task
behavioral4
Sample
Mirrored Temp.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
Newtonsoft.Json.dll
Resource
win7-20240708-en
Behavioral task
behavioral6
Sample
Newtonsoft.Json.dll
Resource
win10v2004-20241007-en
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Targets
-
-
Target
Guna.UI2.dll
-
Size
2.1MB
-
MD5
c19e9e6a4bc1b668d19505a0437e7f7e
-
SHA1
73be712aef4baa6e9dabfc237b5c039f62a847fa
-
SHA256
9ac8b65e5c13292a8e564187c1e7446adc4230228b669383bd7b07035ab99a82
-
SHA512
b6cd0af436459f35a97db2d928120c53d3691533b01e4f0e8b382f2bd81d9a9a2c57e5e2aa6ade9d6a1746d5c4b2ef6c88d3a0cf519424b34445d0d30aab61de
-
SSDEEP
49152:6QNztBO2+VN7N3HtnPhx70ZO4+CPXOn5PThDH2TBeHjvjiBckYf+Yh/FJ3:6Ahck2z
Score1/10 -
-
-
Target
Mirrored Temp.exe
-
Size
60.0MB
-
MD5
99cf7921de86b345d414004926480081
-
SHA1
776d3982615ad7e13c2f1cc8ce7b50d997342188
-
SHA256
403f6204be4db0ac4cbe1bbe2067f7cca87de8b889862f3db02b48364c67be9d
-
SHA512
9fc2016289acdf343eaef5952100c42d8adcf553b8f07235888fabf80ce2d9cba0f79a9fb60bc80fe9a2bea1a523a831a161f0416cedc5a59f4763bbd40839df
-
SSDEEP
1572864:RESUmxQqMrlpA+Ql4LMkxTivfS4qYaYcFJfJ:iSUmxykl0xenLuzFJR
-
Xred family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Hide Artifacts: Hidden Files and Directories
-
-
-
Target
Newtonsoft.Json.dll
-
Size
695KB
-
MD5
195ffb7167db3219b217c4fd439eedd6
-
SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8
-
SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d
-
SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac
-
SSDEEP
12288:GBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUO:GBjk38WuBcAbwoA/BkjSHXP36RMG/
Score1/10 -
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3