General
-
Target
boot_fps_v2.rar
-
Size
20.1MB
-
Sample
241219-r2be4avlgj
-
MD5
2be5d8faf40ced85b24204da86425cfd
-
SHA1
649e935ea6e27357558dc8c079cf3cb28a724ee5
-
SHA256
04cf383bf7d4e2f3e23c162f56c46b8f1728a57e53b28f47c9eb2280a45fdec4
-
SHA512
56fda3890457cafd6773c549472610e21f9803284d9d2f1e9dfd2cd043b124675680e47526b80526c77583b3d86cc0d7e6c37f4f92dd2b7a1bba0983650da802
-
SSDEEP
393216:P2WD2NrtrFEm3bqn4fXuqvxKiHFkzadFewtRG6a6LQbZJ5a:VDmZlCrqJU2fHpLeZJo
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Extracted
xworm
5.0
89.213.177.171:7000
QSt8Afyc7zR2PwtO
-
Install_directory
%ProgramData%
-
install_file
VLC_Medai.exe
Targets
-
-
Target
boot_fps_v2.rar
-
Size
20.1MB
-
MD5
2be5d8faf40ced85b24204da86425cfd
-
SHA1
649e935ea6e27357558dc8c079cf3cb28a724ee5
-
SHA256
04cf383bf7d4e2f3e23c162f56c46b8f1728a57e53b28f47c9eb2280a45fdec4
-
SHA512
56fda3890457cafd6773c549472610e21f9803284d9d2f1e9dfd2cd043b124675680e47526b80526c77583b3d86cc0d7e6c37f4f92dd2b7a1bba0983650da802
-
SSDEEP
393216:P2WD2NrtrFEm3bqn4fXuqvxKiHFkzadFewtRG6a6LQbZJ5a:VDmZlCrqJU2fHpLeZJo
Score10/10-
Detect Xworm Payload
-
Xred
Xred is backdoor written in Delphi.
-
Xred family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Modifies boot configuration data using bcdedit
-
Executes dropped EXE
-