General

  • Target

    xred_bkdoor_dropbox_20277974499.zip

  • Size

    3.9MB

  • Sample

    241210-vmgkca1jfy

  • MD5

    99c1889afbd57f73bb3f333442c3f3d9

  • SHA1

    e3ab1f4724ba6f29594d147b48b91b038371298e

  • SHA256

    5826c49ee8093a997df75d2bcc05f8996e11a66fd9e4f6d3c65afa39feddeeab

  • SHA512

    9e62bf7b4be1129579edab5a6105714f17678fd780b2ebaca432fa7d224ef1e9787457d71fa96aaaac4d9ca35b9a0696190e38c4af55fa0649ff6e4f68c0336f

  • SSDEEP

    98304:P4ydvlJUjjYXmAmkKhLQJ0548NqwFzzyq4oyFmn9+urd:BfUKVmDfe/oyQl

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Targets

    • Target

      00029a8f1d571f6bbc96cc5c648e781f8ef550d26ceb899fe19e6b0733bab1fd

    • Size

      4.6MB

    • MD5

      24256ed6083f31556ddc5a1ba5be2f75

    • SHA1

      128285a982842b79c09544fb0fc87aa3955f1021

    • SHA256

      00029a8f1d571f6bbc96cc5c648e781f8ef550d26ceb899fe19e6b0733bab1fd

    • SHA512

      0a93fdbe51600db8ec4a609eb5a7847dce086fc0661b23c20848cc9d5c71efcb2c843749fa6c5243ec4cea3ffe07d3d4f411c559c647cdb58d2e9b80f98a4499

    • SSDEEP

      98304:Jnsmtk2aBPP/vhTxl71QVKwnYfmIINv8wO+S:VLwHxxl71QVKwnYuhNvfO+S

    • Xred

      Xred is a backdoor written in Delphi.

    • Xred family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks