General
-
Target
fa61c97691aff92a11841e2f3ff73587ae6b6d1fdec8e0cff4d966c1c590e74c.exe
-
Size
753KB
-
Sample
241219-g4rjzsslcv
-
MD5
acd3d3ab6f9f2bc1812c9caa23a70c53
-
SHA1
b70036c1743febd3039f37c561b103d5951206fb
-
SHA256
fa61c97691aff92a11841e2f3ff73587ae6b6d1fdec8e0cff4d966c1c590e74c
-
SHA512
0f0025fa35b821f211ba321f09b714727574d0bd4005bc487579ffb0fc9b7c5e876584af5ce79c851b81f71290772d63cf5bb449394dff66a4f118a18f2b740d
-
SSDEEP
12288:aMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Ibp:ansJ39LyjbJkQFMhmC+6GD9M
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Targets
-
-
Target
fa61c97691aff92a11841e2f3ff73587ae6b6d1fdec8e0cff4d966c1c590e74c.exe
-
Size
753KB
-
MD5
acd3d3ab6f9f2bc1812c9caa23a70c53
-
SHA1
b70036c1743febd3039f37c561b103d5951206fb
-
SHA256
fa61c97691aff92a11841e2f3ff73587ae6b6d1fdec8e0cff4d966c1c590e74c
-
SHA512
0f0025fa35b821f211ba321f09b714727574d0bd4005bc487579ffb0fc9b7c5e876584af5ce79c851b81f71290772d63cf5bb449394dff66a4f118a18f2b740d
-
SSDEEP
12288:aMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Ibp:ansJ39LyjbJkQFMhmC+6GD9M
Score10/10-
Xred
Xred is backdoor written in Delphi.
-
Xred family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-