xred | 803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9 | Triage

Sharing

General

Target

803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9
Size

2.0MB
Sample

241218-as2ggswlbl
MD5

93d1d1c97e14653712e616df83ba0c59
SHA1

eb79dddb3b8bd6ad2af731aa07fce9ea7e9fd760
SHA256

803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9
SHA512

18d22d2f02876fcab989b5208c20f29fa72fa358e9d34c4112b9c4fd543a6fda2cd35ed2d41d8ddc548587e5b24ba61146b7ce373ca41495490793ddbbb7dd74
SSDEEP

49152:PnsHyjtk2MYC5GDafnsHyjtk2MYC5GDL3Svfe41Yq:Pnsmtk2alnsmtk2aXvfl1p

Score

10^/10

xred backdoor discovery evasion persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Targets

- Target
  
  803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9
- Size
  
  2.0MB
- MD5
  
  93d1d1c97e14653712e616df83ba0c59
- SHA1
  
  eb79dddb3b8bd6ad2af731aa07fce9ea7e9fd760
- SHA256
  
  803eeaf99884b5eafd59fc360edf3a3ec1171701030362120d11a952ed0201e9
- SHA512
  
  18d22d2f02876fcab989b5208c20f29fa72fa358e9d34c4112b9c4fd543a6fda2cd35ed2d41d8ddc548587e5b24ba61146b7ce373ca41495490793ddbbb7dd74
- SSDEEP
  
  49152:PnsHyjtk2MYC5GDafnsHyjtk2MYC5GDL3Svfe41Yq:Pnsmtk2alnsmtk2aXvfl1p
Score

10^/10

xred backdoor discovery evasion persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xredbackdoordiscoveryevasionpersistence

behavioral2

xredbackdoordiscoveryevasionpersistence