xred | 21d23ee41a142f6399afba67164c12ff6147fbad45bdeadc1ac394c039296543 | Triage

Sharing

General

Target

21d23ee41a142f6399afba67164c12ff6147fbad45bdeadc1ac394c039296543N.exe
Size

1.1MB
Sample

241216-whvrvaxmgq
MD5

65fe41a424c04ecb1dd22b43e7ec5dc0
SHA1

7cb9fe2280a297649c69d4d5ce82ce2b63bfa4b3
SHA256

21d23ee41a142f6399afba67164c12ff6147fbad45bdeadc1ac394c039296543
SHA512

22093e4ae7ac7559560e96aa2bc63d267433c512f1a87ad6668c81985dc35d35201dcac8ef5839aee0c090870211283ea7847ff2f48a7fe5ac7756f40c629c33
SSDEEP

24576:onsJ39LyjbJkQFMhmC+6GD9dTbBv5rUDyLyL5nKU:onsHyjtk2MYC5GDlB/LyVH

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Targets

- Target
  
  21d23ee41a142f6399afba67164c12ff6147fbad45bdeadc1ac394c039296543N.exe
- Size
  
  1.1MB
- MD5
  
  65fe41a424c04ecb1dd22b43e7ec5dc0
- SHA1
  
  7cb9fe2280a297649c69d4d5ce82ce2b63bfa4b3
- SHA256
  
  21d23ee41a142f6399afba67164c12ff6147fbad45bdeadc1ac394c039296543
- SHA512
  
  22093e4ae7ac7559560e96aa2bc63d267433c512f1a87ad6668c81985dc35d35201dcac8ef5839aee0c090870211283ea7847ff2f48a7fe5ac7756f40c629c33
- SSDEEP
  
  24576:onsJ39LyjbJkQFMhmC+6GD9dTbBv5rUDyLyL5nKU:onsHyjtk2MYC5GDlB/LyVH
Score

10^/10

xred backdoor discovery persistence
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xredbackdoordiscoverypersistence

behavioral2

xredbackdoordiscoverypersistence