General

  • Target

    Mirrored Temp.zip

  • Size

    60.7MB

  • Sample

    241208-wk6xws1lcy

  • MD5

    426dbda31c5464395fdbb8c71578b064

  • SHA1

    62f451e2c9eb9dac92c05d256c8a91a0fe232a11

  • SHA256

    2a62bb02fdeecca8f59e0ed1f6590d6ca2f09487ff6fb1b06731ca620d7b7d25

  • SHA512

    0227e67310a81c8c2d46c7cfb671390173e9d300acc0028589029cb3e8179d650d55ca5b8e470293040c6556d194f1a3386633dde9f901e699af9e4e789cbc9d

  • SSDEEP

    1572864:9YIpD4rytnGkdPmEBvEULWDZDiEPGQ8r7AKOQU7eG:Cvyp4yVL6uEuQ8nTOv7eG

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Targets

    • Target

      Mirrored Temp.zip

    • Size

      60.7MB

    • MD5

      426dbda31c5464395fdbb8c71578b064

    • SHA1

      62f451e2c9eb9dac92c05d256c8a91a0fe232a11

    • SHA256

      2a62bb02fdeecca8f59e0ed1f6590d6ca2f09487ff6fb1b06731ca620d7b7d25

    • SHA512

      0227e67310a81c8c2d46c7cfb671390173e9d300acc0028589029cb3e8179d650d55ca5b8e470293040c6556d194f1a3386633dde9f901e699af9e4e789cbc9d

    • SSDEEP

      1572864:9YIpD4rytnGkdPmEBvEULWDZDiEPGQ8r7AKOQU7eG:Cvyp4yVL6uEuQ8nTOv7eG

    • Xred

      Xred is backdoor written in Delphi.

    • Xred family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Hide Artifacts: Hidden Files and Directories

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      Guna.UI2.dll

    • Size

      2.1MB

    • MD5

      c19e9e6a4bc1b668d19505a0437e7f7e

    • SHA1

      73be712aef4baa6e9dabfc237b5c039f62a847fa

    • SHA256

      9ac8b65e5c13292a8e564187c1e7446adc4230228b669383bd7b07035ab99a82

    • SHA512

      b6cd0af436459f35a97db2d928120c53d3691533b01e4f0e8b382f2bd81d9a9a2c57e5e2aa6ade9d6a1746d5c4b2ef6c88d3a0cf519424b34445d0d30aab61de

    • SSDEEP

      49152:6QNztBO2+VN7N3HtnPhx70ZO4+CPXOn5PThDH2TBeHjvjiBckYf+Yh/FJ3:6Ahck2z

    Score
    1/10
    • Target

      Mirrored Temp.exe

    • Size

      60.0MB

    • MD5

      99cf7921de86b345d414004926480081

    • SHA1

      776d3982615ad7e13c2f1cc8ce7b50d997342188

    • SHA256

      403f6204be4db0ac4cbe1bbe2067f7cca87de8b889862f3db02b48364c67be9d

    • SHA512

      9fc2016289acdf343eaef5952100c42d8adcf553b8f07235888fabf80ce2d9cba0f79a9fb60bc80fe9a2bea1a523a831a161f0416cedc5a59f4763bbd40839df

    • SSDEEP

      1572864:RESUmxQqMrlpA+Ql4LMkxTivfS4qYaYcFJfJ:iSUmxykl0xenLuzFJR

    • Xred

      Xred is backdoor written in Delphi.

    • Xred family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Hide Artifacts: Hidden Files and Directories

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      loader-o.pyc

    • Size

      4.2MB

    • MD5

      e5433391dc60c90c81534af5b596a105

    • SHA1

      5a6677e7561b562b5bd04bbfef8804bcd94aff86

    • SHA256

      554fbf189a5f577503ed52fd634d3145866de66253c21c6728fe99842fc18e7e

    • SHA512

      340eb382098ba61509a8ae4d4f5ebd2fceb3559eddfef6628d206aa19bb90d43a66e5d86e02cd0188934cd4e6f28c6333750c56cd0cc29fd4c9116fe19cdf5ff

    • SSDEEP

      3072:VuZGfmLdJcKr0ZTFsKh0snD8PT8Ig4BAaPlo08FcJZf1Bp2uWc92tl4dcuuSzOuk:D

    Score
    3/10
    • Target

      Newtonsoft.Json.dll

    • Size

      695KB

    • MD5

      195ffb7167db3219b217c4fd439eedd6

    • SHA1

      1e76e6099570ede620b76ed47cf8d03a936d49f8

    • SHA256

      e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

    • SHA512

      56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

    • SSDEEP

      12288:GBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUO:GBjk38WuBcAbwoA/BkjSHXP36RMG/

    Score
    1/10

MITRE ATT&CK Enterprise v15

Tasks