General

  • Target

    Spyroid v7.7.zip

  • Size

    281.4MB

  • Sample

    241214-zfdx4avqaq

  • MD5

    18ae93add8018c778bca199b43d1c3b8

  • SHA1

    7da2200d0abc3d7295a5396a07b560517065cd8e

  • SHA256

    97774c060f633451f8b0bc3720929156db91ab6ce6a0f663506e94c2b36e11d6

  • SHA512

    ae8f384da15057803e323640fc7f55778f561c16bcb2598ac5185a705eb6809f368e55cb7487f53c881dbe806142a8ab42a500e032d3f8d200ddc07553f451a2

  • SSDEEP

    6291456:T4mrOeqL3LVkIaz+aO5SuMCnxWn09L8y3m5Nmrd3:km3qLFHlSrgL8Qm5NMd3

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    xredline1@gmail.com

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll
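The payload_url list above mixes attacker-controlled hosts (xred.mooo.com, xred.site50.net) with shared services (Google Docs, Dropbox, the FreeDNS API) where only the exact URL is an indicator and blocking the hostname would break legitimate traffic. As an added example, not part of the sandbox report, the Python below turns the extracted config into those two tiers of indicators and sweeps a constructed proxy log for them. The choice of which hosts count as shared services, the log line format, and the sample log lines are assumptions made here.

```python
"""Build network IOCs from the extracted xred config and sweep a proxy log for them."""
import re
from urllib.parse import parse_qsl, urlencode, urlparse

# Indicators copied from the extracted config in the report above.
C2_HOSTS = {"xred.mooo.com"}
PAYLOAD_URLS = [
    "http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download",
    "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1",
    "http://xred.site50.net/syn/SUpdate.ini",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download",
    "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1",
    "http://xred.site50.net/syn/Synaptics.rar",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download",
    "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1",
    "http://xred.site50.net/syn/SSLLibrary.dll",
]

# Analyst judgement (an assumption, not from the report): these hosts carry legitimate
# traffic too, so only the exact URL is an indicator, never the bare hostname.
SHARED_HOSTS = {"docs.google.com", "www.dropbox.com", "freedns.afraid.org"}


def normalize_url(url):
    """Canonical form for comparison: lower-cased host, path, sorted query, scheme dropped.

    Dropping the scheme lets http/https mirrors of the same file match; sorting the
    query parameters makes 'id=X&export=download' equal to 'export=download&id=X'.
    """
    p = urlparse(url.strip())
    query = urlencode(sorted(parse_qsl(p.query, keep_blank_values=True)))
    return p.netloc.lower() + p.path + (f"?{query}" if query else "")


def build_iocs(c2_hosts, payload_urls, shared_hosts):
    """Split the config into hosts safe to block outright and exact URLs on shared services."""
    block_hosts = {h.lower() for h in c2_hosts}
    exact_urls = set()
    for url in payload_urls:
        host = urlparse(url).netloc.lower()
        if host in shared_hosts:
            exact_urls.add(normalize_url(url))
        else:
            block_hosts.add(host)
    return block_hosts, exact_urls


# Assumed proxy log layout: "<timestamp> <client> <method> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def scan_proxy_log(lines, block_hosts, exact_urls):
    """Return (line_no, tier, indicator) for each line that touches an IOC.

    tier is 'host' for attacker-controlled hosts (any path) and 'url' for an exact
    payload URL on a shared service; unrelated traffic to those services is ignored.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; skip rather than guess
        url = m.group("url")
        host = urlparse(url).netloc.lower()
        if host in block_hosts:
            hits.append((n, "host", host))
        elif normalize_url(url) in exact_urls:
            hits.append((n, "url", normalize_url(url)))
    return hits


# Constructed sample log: two benign requests to shared services, four IOC hits.
SAMPLE_PROXY_LOG = [
    "2024-12-14T10:01:02Z 10.0.0.12 GET https://docs.google.com/document/d/abc123/edit 200",
    "2024-12-14T10:01:09Z 10.0.0.12 GET http://xred.mooo.com/ 200",
    "2024-12-14T10:01:15Z 10.0.0.12 GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download 302",
    "2024-12-14T10:01:20Z 10.0.0.12 GET HTTPS://WWW.DROPBOX.COM/s/zhp1b06imehwylq/Synaptics.rar?dl=1 200",
    "2024-12-14T10:02:00Z 10.0.0.13 GET https://www.dropbox.com/home 200",
    "2024-12-14T10:02:30Z 10.0.0.13 GET http://xred.site50.net/syn/SSLLibrary.dll 200",
]

if __name__ == "__main__":
    hosts, urls = build_iocs(C2_HOSTS, PAYLOAD_URLS, SHARED_HOSTS)
    for line_no, tier, indicator in scan_proxy_log(SAMPLE_PROXY_LOG, hosts, urls):
        print(f"line {line_no}: {tier} match on {indicator}")
```

The first and fifth sample lines hit docs.google.com and www.dropbox.com but are not reported, which is the point of the two-tier split: a blocklist built from bare hostnames in the payload_url list would flag every Google Docs and Dropbox user on the network.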

Targets

    • Target

      Spyroid v7.7.zip

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

      Reads the UAC policy setting, typically to decide whether an elevation prompt would appear before attempting a privileged action.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger information class, which stops the thread from delivering debug events to an attached debugger; a common anti-debugging technique.
