General

  • Target

    48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54

  • Size

    3.1MB

  • Sample

    241228-hkk4jawnbz

  • MD5

    5286bdb9041867beb47e916e4f69b1b5

  • SHA1

    4d4ecbb6f3f0fc305660caca7a57decd156a5fc9

  • SHA256

    48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54

  • SHA512

    61932b014263fcddd5e42061fc3ca7a4074b552d9775bd080bd1e3102738fef6d3db654d8c14c6b638d706fed8183b67a9cc47afb239afe028b536dfafadb514

  • SSDEEP

    49152:RCwsbCANnKXferL7Vwe/Gg0P+WhjtDsLnsHyjtk2MYC5GDe/Q:cws2ANnKXOaeOgmh6Lnsmtk2aRQ

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    xredline1@gmail.com

  • payload_url

Targets

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • Gh0strat family

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

    • Purplefox family

    • Xred

      Xred is a backdoor written in Delphi.

    • Xred family

    • Drops file in Drivers directory

    • Server Software Component: Terminal Services DLL

    • Sets service image path in registry

    • Suspicious Office macro

      Office document equipped with macros.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks
