Overview

overview

10

Static

static

10

6df4d2f370...bb.exe

windows7-x64

10

6df4d2f370...bb.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6df4d2f3708e6c56adb14bf17255abbdac61830549424fb443084775ad68afbb.exe

  • Size

    3.1MB

  • Sample

    241226-p8y4mawndn

  • MD5

    87fb4257cb0773489cd1ef55238c8045

  • SHA1

    36a40324575abb231d4f6f7db0bd8c7f8682a1cb

  • SHA256

    6df4d2f3708e6c56adb14bf17255abbdac61830549424fb443084775ad68afbb

  • SHA512

    5fa362502c546c84204e7a525256adbcfff999fdf3a1bd0cd9c1d289c6f169d63b81ce17dd19117b78dc9282cb31f1fc729edb87e0fc5e6947bb8d8131c85603

  • SSDEEP

    49152:RnsHyjtk2MYC5GDfL0UVAhJtZjwhf+3KlVahOfe3ax+UlSa4MUkPEwBs2b0Rr00:Rnsmtk2aAL2hTZchf+arfeqUTMRPBGhh

Score
10/10
xredbackdoorbootkitdiscoverymacropersistenceupx

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Targets

    • Target

      6df4d2f3708e6c56adb14bf17255abbdac61830549424fb443084775ad68afbb.exe

    • Size

      3.1MB

    • MD5

      87fb4257cb0773489cd1ef55238c8045

    • SHA1

      36a40324575abb231d4f6f7db0bd8c7f8682a1cb

    • SHA256

      6df4d2f3708e6c56adb14bf17255abbdac61830549424fb443084775ad68afbb

    • SHA512

      5fa362502c546c84204e7a525256adbcfff999fdf3a1bd0cd9c1d289c6f169d63b81ce17dd19117b78dc9282cb31f1fc729edb87e0fc5e6947bb8d8131c85603

    • SSDEEP

      49152:RnsHyjtk2MYC5GDfL0UVAhJtZjwhf+3KlVahOfe3ax+UlSa4MUkPEwBs2b0Rr00:Rnsmtk2aAL2hTZchf+arfeqUTMRPBGhh

    Score
    10/10
    xredbackdoorbootkitdiscoverymacropersistenceupx

    • Xred

      Xred is backdoor written in Delphi.

      backdoorxred

    • Xred family

      xred

    • Suspicious Office macro

      Office document equipped with macros.

      macro

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks