General

  • Target

    Bootstrapper.exe

  • Size

    1.5MB

  • Sample

    241208-zhk47atpe1

  • MD5

    d4a03084464e8fc23beea44ad84d065f

  • SHA1

    9db22b5630e09a42898ef2da5df0a745886bc912

  • SHA256

    5154019f133eb1d0673898bd2751222c5c540f0575b40e22ae24be1e5dd03d6b

  • SHA512

    ee9e0d4c32443e4bed9da30d07812270c96b2e54a8c1e1bfffbcf746617c9366dcc87ec9004da3d6d5fac94a864ccdf890d4b6e65d74610a46f24c6b8d6d0caf

  • SSDEEP

    24576:ynsJ39LyjbJkQFMhmC+6GD9O+ubYHYqRoAQpjFVG0HXqlF4u4:ynsHyjtk2MYC5GDauoAQpjGPl4

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Targets

    • Target

      Bootstrapper.exe

    • Xred

      Xred is a backdoor written in Delphi.

    • Xred family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks