xred | f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730 | Triage

Sharing

General

Target

f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe
Size

1.5MB
Sample

241226-y5xk3aykct
MD5

92fc1b64d702ebee25b1cabea2a81ae0
SHA1

1d3d5ec151eae49d8186d755db49c0d2b1df1a76
SHA256

f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730
SHA512

ac8ad02121c75db44ce5c67c4e7ec7cfdcb2fdcb5577c2675d8c7c63fca27c86626ee45e92c8ec58efedfb35bf9e863b76d482e45eb4dd1427b9a88c73e1981d
SSDEEP

24576:ansJ39LyjbJkQFMhmC+6GD9u5xolYQY6dp7gAVKzar5:ansHyjtk2MYC5GDjYmp7gAVK2

Score

10^/10

xred backdoor discovery evasion persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Targets

- Target
  
  f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe
- Size
  
  1.5MB
- MD5
  
  92fc1b64d702ebee25b1cabea2a81ae0
- SHA1
  
  1d3d5ec151eae49d8186d755db49c0d2b1df1a76
- SHA256
  
  f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730
- SHA512
  
  ac8ad02121c75db44ce5c67c4e7ec7cfdcb2fdcb5577c2675d8c7c63fca27c86626ee45e92c8ec58efedfb35bf9e863b76d482e45eb4dd1427b9a88c73e1981d
- SSDEEP
  
  24576:ansJ39LyjbJkQFMhmC+6GD9u5xolYQY6dp7gAVKzar5:ansHyjtk2MYC5GDjYmp7gAVK2
Score

10^/10

xred backdoor discovery evasion persistence
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xredbackdoordiscoveryevasionpersistence

behavioral2

xredbackdoordiscoveryevasionpersistence