xred | 99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056 | Triage

Sharing

General

Target

99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056
Size

6.1MB
Sample

241219-axnfeszmak
MD5

3836fdeaf179df63b904a0498fefc3ca
SHA1

81127b3089ca41b081647b13c6ec0474638343ed
SHA256

99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056
SHA512

212dcb46234115aaa3a36cdb5983bbefa4e4766089689eaf7fe7f9de6fe59de0f3f4e7ce613dcb3726d753901fe256a325d8c6521de57429ba072fe388b9ffad
SSDEEP

98304:knsmtk2aNFd7Xy1VkHK5mi8P4aR8qLf3gbz2FSmaI7dl0c:KLsFVXy1KHKQjQbz2FSmaI7dlN

Score

10^/10

xred adware backdoor discovery macro persistence spyware stealer

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Targets

- Target
  
  99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056
- Size
  
  6.1MB
- MD5
  
  3836fdeaf179df63b904a0498fefc3ca
- SHA1
  
  81127b3089ca41b081647b13c6ec0474638343ed
- SHA256
  
  99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056
- SHA512
  
  212dcb46234115aaa3a36cdb5983bbefa4e4766089689eaf7fe7f9de6fe59de0f3f4e7ce613dcb3726d753901fe256a325d8c6521de57429ba072fe388b9ffad
- SSDEEP
  
  98304:knsmtk2aNFd7Xy1VkHK5mi8P4aR8qLf3gbz2FSmaI7dl0c:KLsFVXy1KHKQjQbz2FSmaI7dlN
Score

10^/10

xred adware backdoor discovery macro persistence spyware stealer
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Suspicious Office macro
  Office document equipped with macros.
  macro
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Browser Extensions

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xredadwarebackdoordiscoverymacropersistencespywarestealer

behavioral2

xredadwarebackdoordiscoverypersistencespywarestealer