General

  • Target

    main.zip

  • Size

    1.0MB

  • Sample

    241208-zjct7synen

  • MD5

    3e1cd5da0520bc3ff5f42216139e0475

  • SHA1

    8e97f4f13cfaee55d4a68a617434f38a1ca50551

  • SHA256

    85a4fb3e5a14a6d204207accee7e8222ffa0c3139d85c5cc87b2649ef6a38eef

  • SHA512

    50759f6e658219793be229aa00e55da6be8711b83411374a4d87d54495cf1c98d209db7106e5b347350c763182096baba85ff69ad74eddf3cb3cd9df346e901e

  • SSDEEP

    24576:IztdwShks2CxM0jQRsfzK9DoI+zdseB2GSZYfV+6y6AODJag0yG:GwgkLCaRQoDoIoLB2GSZ6V+6f3E

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Targets

    • Target

      SolaraBootStrapper-main/Bootstrapper.exe

    • Size

      1.5MB

    • MD5

      d4a03084464e8fc23beea44ad84d065f

    • SHA1

      9db22b5630e09a42898ef2da5df0a745886bc912

    • SHA256

      5154019f133eb1d0673898bd2751222c5c540f0575b40e22ae24be1e5dd03d6b

    • SHA512

      ee9e0d4c32443e4bed9da30d07812270c96b2e54a8c1e1bfffbcf746617c9366dcc87ec9004da3d6d5fac94a864ccdf890d4b6e65d74610a46f24c6b8d6d0caf

    • SSDEEP

      24576:ynsJ39LyjbJkQFMhmC+6GD9O+ubYHYqRoAQpjFVG0HXqlF4u4:ynsHyjtk2MYC5GDauoAQpjGPl4

    • Xred

      Xred is a backdoor written in Delphi.

    • Xred family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      SolaraBootStrapper-main/SolaraBootstrapper.exe

    • Size

      766KB

    • MD5

      d994d58e87f0deda637e325d0a54a347

    • SHA1

      8b72ea95b3569ba1ca12cb7ead4edd6e5694614d

    • SHA256

      6607cc8e27767479f97d55d7f4e8073589836bd5bf832ae951f3b565ab0541e3

    • SHA512

      cc9959f52a5c55644b85a24d203137ad43408014ea63bf453bd2b36b7a1ad9f937f5e2cae45f6c6a5c732a5928d9edf14f00e768a5584e43ca1c70c7cef94ca9

    • SSDEEP

      12288:GMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9i8Oj:GnsJ39LyjbJkQFMhmC+6GD9i

    • Xred

      Xred is a backdoor written in Delphi.

    • Xred family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15