General

  • Target

    oqur(1).rar

  • Size

    2.3MB

  • Sample

    241228-wes4va1jan

  • MD5

    e6b18d4833c5f655b3e3269c07c9c864

  • SHA1

    1956b36e5075edce15b08459b13804d3efc235a0

  • SHA256

    d1a476d5942564e548c475cde9c17e923d512aae74b2eb86f23b834a117f4d5c

  • SHA512

    72f222a8eee7bcf4cecda5b04c26546117af42597f61bda14537eb8cb8eb4f5e70691f825de93959f11f30549ba0be80a6d5d23c7c4a8180dc99fa7f4733350d

  • SSDEEP

    49152:cvg6W+zqP6kaRK/QNDYkO8aHUjJEqZH94o5nVzO4TTV49JwFf9Jn6T:co++P6vRK4NDPfzBWqn1O4Tun6J6T

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Targets

    • Target

      Guna.UI2.dll

    • Size

      2.1MB

    • MD5

      c19e9e6a4bc1b668d19505a0437e7f7e

    • SHA1

      73be712aef4baa6e9dabfc237b5c039f62a847fa

    • SHA256

      9ac8b65e5c13292a8e564187c1e7446adc4230228b669383bd7b07035ab99a82

    • SHA512

      b6cd0af436459f35a97db2d928120c53d3691533b01e4f0e8b382f2bd81d9a9a2c57e5e2aa6ade9d6a1746d5c4b2ef6c88d3a0cf519424b34445d0d30aab61de

    • SSDEEP

      49152:6QNztBO2+VN7N3HtnPhx70ZO4+CPXOn5PThDH2TBeHjvjiBckYf+Yh/FJ3:6Ahck2z

    Score
    1/10
    • Target

      Loader.exe

    • Size

      2.2MB

    • MD5

      195ea7a4b2c6c1ac97690b188ace0da5

    • SHA1

      3577d22783350ddc93abe12e08bfb36838ffadd7

    • SHA256

      5c9abc8e84d9da9bedf545bf9221eceaa600a0f3bde6dcf34e30e7e0953cf549

    • SHA512

      964048cdecb66cb726518f19269c568ef998a3aeb10a88ca21ee43c28051094f00dc7e5433dd5c86b9f5713e9e8befb207859c8b8dd25a6f0178163ff45b1f8b

    • SSDEEP

      49152:NnsHyjtk2MYC5GDBTMDYr8Ar8Ar8Ar88ur84HBB:Nnsmtk2a0ADYrvrvrvrpurVHBB

    • Xred

      Xred is a backdoor written in Delphi.

    • Xred family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      Siticone.Desktop.UI.dll

    • Size

      4.0MB

    • MD5

      1582aa45d981e0e569c6e05698642b30

    • SHA1

      763506f312a186c55a04ef6a16ad7e867c394097

    • SHA256

      21eecaf504b7fe787a45f4aa8f8f36dacfc3ab1d75624dfb41827cdef2a9a589

    • SHA512

      278a7a4e2b9d82528200b9f92244db3f228187d15c36fd169deb927e343bc4d0bb29c9dba496f86558aea4f4deb44d1e47a41d5598c0b375d99ad9fbe99cec34

    • SSDEEP

      24576:UCCxPAT4L7h3M7O2MLBSlvTh/aOBteUePU/DU/GHQYazK/DkWoql3zjbndHQ/jzb:WuO2MIThZNwewYDoyG

    Score
    1/10
