General
- Target: Spyroid v7.7.zip
- Size: 281.4MB
- Sample: 241214-zfdx4avqaq
- MD5: 18ae93add8018c778bca199b43d1c3b8
- SHA1: 7da2200d0abc3d7295a5396a07b560517065cd8e
- SHA256: 97774c060f633451f8b0bc3720929156db91ab6ce6a0f663506e94c2b36e11d6
- SHA512: ae8f384da15057803e323640fc7f55778f561c16bcb2598ac5185a705eb6809f368e55cb7487f53c881dbe806142a8ab42a500e032d3f8d200ddc07553f451a2
- SSDEEP: 6291456:T4mrOeqL3LVkIaz+aO5SuMCnxWn09L8y3m5Nmrd3:km3qLFHlSrgL8Qm5NMd3
Behavioral task: behavioral1
- Sample: Spyroid v7.7.zip
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: Spyroid v7.7.zip
- Resource: win10v2004-20241007-en

Behavioral task: behavioral3
- Sample: Spyroid v7.7.zip
- Resource: win10ltsc2021-20241211-en
Malware Config
Extracted family: xred
- C2: xred.mooo.com
- email: xredline1@gmail.com
- payload_url:
  - http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
  - https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
  - https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
  - http://xred.site50.net/syn/SUpdate.ini
  - https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
  - https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
  - http://xred.site50.net/syn/Synaptics.rar
  - https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
  - https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
  - http://xred.site50.net/syn/SSLLibrary.dll
Targets
- Target: Spyroid v7.7.zip
- Size: 281.4MB
- MD5: 18ae93add8018c778bca199b43d1c3b8
- SHA1: 7da2200d0abc3d7295a5396a07b560517065cd8e
- SHA256: 97774c060f633451f8b0bc3720929156db91ab6ce6a0f663506e94c2b36e11d6
- SHA512: ae8f384da15057803e323640fc7f55778f561c16bcb2598ac5185a705eb6809f368e55cb7487f53c881dbe806142a8ab42a500e032d3f8d200ddc07553f451a2
- SSDEEP: 6291456:T4mrOeqL3LVkIaz+aO5SuMCnxWn09L8y3m5Nmrd3:km3qLFHlSrgL8Qm5NMd3

Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger