xred | 0386f907a997e0d2f1b768facff9ef0ef70e917395a7c9f9972232a786903e3c | Triage

Sharing

General

Target

0386f907a997e0d2f1b768facff9ef0ef70e917395a7c9f9972232a786903e3cN.exe
Size

1.2MB
Sample

241225-zft93swqht
MD5

635b87245cb5ab0b4a6bf4bae99cefd0
SHA1

dffe11f4febd037201eb7bc182e65d7fc1606236
SHA256

0386f907a997e0d2f1b768facff9ef0ef70e917395a7c9f9972232a786903e3c
SHA512

d46aea739f50ba28378c6cf201b834bfa336c0260b7fc116c9b97d4b84efb0a968975a393e9843b2f359244d0ff266e485e7fb18f4eb99f7240ec6b4cb065de3
SSDEEP

24576:e5xolYQY64nsJ39LyjbJkQFMhmC+6GD9VLMWMa/k9wxa:pYNnsHyjtk2MYC5GDf7Iw4

Score

10^/10

xred backdoor discovery evasion persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Targets

- Target
  
  0386f907a997e0d2f1b768facff9ef0ef70e917395a7c9f9972232a786903e3cN.exe
- Size
  
  1.2MB
- MD5
  
  635b87245cb5ab0b4a6bf4bae99cefd0
- SHA1
  
  dffe11f4febd037201eb7bc182e65d7fc1606236
- SHA256
  
  0386f907a997e0d2f1b768facff9ef0ef70e917395a7c9f9972232a786903e3c
- SHA512
  
  d46aea739f50ba28378c6cf201b834bfa336c0260b7fc116c9b97d4b84efb0a968975a393e9843b2f359244d0ff266e485e7fb18f4eb99f7240ec6b4cb065de3
- SSDEEP
  
  24576:e5xolYQY64nsJ39LyjbJkQFMhmC+6GD9VLMWMa/k9wxa:pYNnsHyjtk2MYC5GDf7Iw4
Score

10^/10

xred backdoor discovery evasion persistence
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xredbackdoordiscoveryevasionpersistence

behavioral2

xredbackdoordiscoveryevasionpersistence