General

  • Target

    6df4d2f3708e6c56adb14bf17255abbdac61830549424fb443084775ad68afbb.exe

  • Size

    3.1MB

  • Sample

    241226-p8y4mawndn

  • MD5

    87fb4257cb0773489cd1ef55238c8045

  • SHA1

    36a40324575abb231d4f6f7db0bd8c7f8682a1cb

  • SHA256

    6df4d2f3708e6c56adb14bf17255abbdac61830549424fb443084775ad68afbb

  • SHA512

    5fa362502c546c84204e7a525256adbcfff999fdf3a1bd0cd9c1d289c6f169d63b81ce17dd19117b78dc9282cb31f1fc729edb87e0fc5e6947bb8d8131c85603

  • SSDEEP

    49152:RnsHyjtk2MYC5GDfL0UVAhJtZjwhf+3KlVahOfe3ax+UlSa4MUkPEwBs2b0Rr00:Rnsmtk2aAL2hTZchf+arfeqUTMRPBGhh

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    xredline1@gmail.com

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Targets

    • Target

      6df4d2f3708e6c56adb14bf17255abbdac61830549424fb443084775ad68afbb.exe

    • Size

      3.1MB

    • MD5

      87fb4257cb0773489cd1ef55238c8045

    • SHA1

      36a40324575abb231d4f6f7db0bd8c7f8682a1cb

    • SHA256

      6df4d2f3708e6c56adb14bf17255abbdac61830549424fb443084775ad68afbb

    • SHA512

      5fa362502c546c84204e7a525256adbcfff999fdf3a1bd0cd9c1d289c6f169d63b81ce17dd19117b78dc9282cb31f1fc729edb87e0fc5e6947bb8d8131c85603

    • SSDEEP

      49152:RnsHyjtk2MYC5GDfL0UVAhJtZjwhf+3KlVahOfe3ax+UlSa4MUkPEwBs2b0Rr00:Rnsmtk2aAL2hTZchf+arfeqUTMRPBGhh

    • Xred

      Xred is backdoor written in Delphi.

    • Xred family

    • Suspicious Office macro

      Office document equipped with macros.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.