General

  • Target

    fix_device_gameloop.rar

  • Size

    1.4MB

  • Sample

    250102-rt2mbavnhy

  • MD5

    551aab077dff8ae20b58e429b6e61c62

  • SHA1

    493681dface98754853d0d269cbbb83873ecccf7

  • SHA256

    d51776621cd1ac69169b594b2bc892ca4d9c6040bb6aadd62207285e51cc79b9

  • SHA512

    b6974c22f9cadcd8f96eaf111d308859fba4fcbb994c38529347134da70852c768dfaf04e04d4a637dcd6357340a4ff972670a7191689b07896edb1c40a98fc9

  • SSDEEP

    24576:TwttzEHDfsgW4eiD3yLFEkAKq5/ixZN/YxD0L1phuWVtp62YA7CXLuDattoAM:EjzHWTyLFrnq5/CgDo1phRVt6AmLuutE

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Targets

    • Target

      fix_device_gameloop/._cache_fix_device.exe

    • Size

      897KB

    • MD5

      8b07d76ec57ec6318ba2b11184d4660b

    • SHA1

      dd19f8115c74474280e0a111e4aed880589c4a9e

    • SHA256

      db9d357b2ec908814f357d54bd0657d22d43d82f5b76de43201f99b68e2bc5b2

    • SHA512

      25c317f85407274a3aaa4d3b218df9dae672943f95f5166c463105b7aafa1554c65772c71718a9306b34d940055ea1fdfb58f4eecc25a65f2ae1c340eae8c2d9

    • SSDEEP

      12288:Yak7dFemNsqI3etnBHYPpAkApyRV3jRfP4S5LH28U3mcQuKXQoggdnYgafCEZTj:YasdFeWsN3skA4RV1Hom2KXMmHaqEZTj

    • Score

      7/10

    • Executes dropped EXE

    • AutoIT Executable

      AutoIt scripts compiled into PE executables (interpreter stub plus embedded script).

    • Target

      fix_device_gameloop/fix_device.exe

    • Size

      1.6MB

    • MD5

      e0551d8cf33f2f8443a390c3b07d0f68

    • SHA1

      4eaa9c4fbb626f30a9041710096d16a2cf0decb5

    • SHA256

      1cab7709001cc2f7a9d341f185cb79495ad86fa5dfcfddc0a9aad8cb3c49911f

    • SHA512

      6134d41c44c8854ff9d251412d8e10e2768902fde1ab9761a55cccacb500d68921479edf0acbf4a3367025512531dc5af74f1eb7d9de93d6b51164c39b46f704

    • SSDEEP

      24576:NaVasdFeWsN3skA4RV1Hom2KXMmHaqEZThuu1OUjezCk4o5BSj17QRDms33Z:8/ZkldoPK8YaqQhuukUjez+PpQRqs3p

    • Xred

      Xred is a backdoor written in Delphi.

    • Xred family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely to geofence execution.

    • Executes dropped EXE

    • Adds Run key to start application

    • AutoIT Executable

      AutoIt scripts compiled into PE executables (interpreter stub plus embedded script).
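Two offline checks that follow from the findings above, as an added example that is not part of the sandbox report and not code from the Xred or AutoIt projects. The first reproduces the idea behind the "AutoIT Executable" signature: a compiled AutoIt3 binary is the interpreter stub with the script blob attached, and that blob begins with the magic `AU3!EA06` (the marker bytes and the stub's error string are assumptions about the AutoIt file format, not values quoted from the report; where the blob sits, overlay or resource, varies by AutoIt version). The second turns the extracted config (C2 plus payload_url list) into hostnames and dropped-file names, separating attacker-controlled hosts from abused public services; the `SHARED_HOSTING` classification and the byte buffers used as input are constructed for this example.

```python
"""Added example, not part of the sandbox report above.

1. find_autoit_script() / is_compiled_autoit(): detect the AutoIt3 compiled-script
   magic that an "AutoIT Executable" signature typically keys on.
2. config_iocs() / payload_names(): turn the extracted config into hostnames and
   file names, flagging which hosts are shared public services so a blocklist
   does not swallow docs.google.com.
"""
from urllib.parse import urlsplit

# AutoIt3 compiled-script magic (assumption about the AutoIt format, not from the report).
AU3_MARKER = b"AU3!EA06"
# Error string carried by the AutoIt interpreter stub; a weaker, secondary indicator.
AU3_STUB_STRING = b"This is a third-party compiled AutoIt script."


def find_autoit_script(data: bytes) -> int:
    """Offset of the compiled-script magic inside an image, or -1 if absent."""
    return data.find(AU3_MARKER)


def is_compiled_autoit(data: bytes) -> bool:
    """True if the image carries the script magic or the stub's error string."""
    return find_autoit_script(data) != -1 or AU3_STUB_STRING in data


def scan_file(path: str) -> dict:
    """Read a file from disk and report the AutoIt verdict plus marker offset."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {"path": path,
            "autoit": is_compiled_autoit(data),
            "script_offset": find_autoit_script(data)}


# Config values exactly as extracted in the report above.
EXTRACTED_CONFIG = {
    "c2": ["xred.mooo.com"],
    "payload_url": [
        "http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978",
        "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download",
        "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1",
        "http://xred.site50.net/syn/SUpdate.ini",
        "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download",
        "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1",
        "http://xred.site50.net/syn/Synaptics.rar",
        "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download",
        "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1",
        "http://xred.site50.net/syn/SSLLibrary.dll",
    ],
}

# Public services the config abuses for hosting; blocking these outright is noisy.
# This classification is an assumption made for the example, not from the report.
SHARED_HOSTING = {"docs.google.com", "www.dropbox.com", "freedns.afraid.org"}


def config_iocs(config: dict) -> tuple:
    """Return (attacker-controlled hosts, shared-hosting hosts), both sorted."""
    hosts = set(config["c2"])
    hosts.update(urlsplit(u).hostname for u in config["payload_url"])
    dedicated = sorted(h for h in hosts if h not in SHARED_HOSTING)
    shared = sorted(h for h in hosts if h in SHARED_HOSTING)
    return dedicated, shared


def payload_names(config: dict) -> list:
    """File names visible in the payload URLs (useful for on-disk hunting)."""
    names = set()
    for url in config["payload_url"]:
        leaf = urlsplit(url).path.rsplit("/", 1)[-1]
        if "." in leaf:          # skip API endpoints such as /api/ or /uc
            names.add(leaf)
    return sorted(names)


# Constructed inputs (not real samples): a fake PE-like buffer with the AutoIt
# markers placed after a zero-filled header, and one without them.
SAMPLE_AUTOIT = b"MZ" + b"\x00" * 62 + AU3_STUB_STRING + AU3_MARKER + b"\x01\x02"
SAMPLE_PLAIN = b"MZ" + b"\x00" * 100

if __name__ == "__main__":
    print("autoit:", is_compiled_autoit(SAMPLE_AUTOIT), "offset", find_autoit_script(SAMPLE_AUTOIT))
    dedicated, shared = config_iocs(EXTRACTED_CONFIG)
    print("block/hunt:", dedicated)
    print("noisy (shared hosting):", shared)
    print("dropped file names:", payload_names(EXTRACTED_CONFIG))
```

Run `scan_file()` over both `fix_device.exe` and `._cache_fix_device.exe` to confirm the AutoIt verdict the report gives for each. The hostname split is the practical point of the config: only `xred.mooo.com` (dynamic DNS) and `xred.site50.net` are attacker-controlled, while Google Docs, Dropbox and FreeDNS are legitimate services carrying the payload, so hunt on the full URLs or the dropped names (`SUpdate.ini`, `Synaptics.rar`, `SSLLibrary.dll`) rather than blocking those hosts.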

MITRE ATT&CK Enterprise v15

Tasks