Overview

overview

10

Static

static

10

8bce0ecd1f...50.exe

windows7-x64

10

8bce0ecd1f...50.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8bce0ecd1f7422ffac9920986b14355edda1822c4cb8e7141e5681faf6e2ee50

  • Size

    2.3MB

  • Sample

    250102-tqkkqsxphs

  • MD5

    273744044bbc6e49baffda91a9dd6b38

  • SHA1

    1088749a1051fc3c909959cdcb8c8d6a1d8af316

  • SHA256

    8bce0ecd1f7422ffac9920986b14355edda1822c4cb8e7141e5681faf6e2ee50

  • SHA512

    e077864cebcc5305f1f5c7c4d6380a84b6cd304a8fda198609da77d1d19d2bb2298ee3a1861cd8854e10c48f9cf9d44612aa6ea6f98bd82a2bb5645e96683daf

  • SSDEEP

    49152:M09XJt4HIN2H2tFvduySCpEWoxv8nsHyjtk2MYC5GDs:xZJt4HINy2LkCKZxknsmtk2aR

Score
10/10
gh0stratpurplefoxxredbackdoordiscoverymacropersistenceratrootkittrojanupx

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Targets

    • Target

      8bce0ecd1f7422ffac9920986b14355edda1822c4cb8e7141e5681faf6e2ee50

    • Size

      2.3MB

    • MD5

      273744044bbc6e49baffda91a9dd6b38

    • SHA1

      1088749a1051fc3c909959cdcb8c8d6a1d8af316

    • SHA256

      8bce0ecd1f7422ffac9920986b14355edda1822c4cb8e7141e5681faf6e2ee50

    • SHA512

      e077864cebcc5305f1f5c7c4d6380a84b6cd304a8fda198609da77d1d19d2bb2298ee3a1861cd8854e10c48f9cf9d44612aa6ea6f98bd82a2bb5645e96683daf

    • SSDEEP

      49152:M09XJt4HIN2H2tFvduySCpEWoxv8nsHyjtk2MYC5GDs:xZJt4HINy2LkCKZxknsmtk2aR

    Score
    10/10
    gh0stratpurplefoxxredbackdoordiscoverymacropersistenceratrootkittrojanupx

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

      rootkit

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

      ratgh0strat

    • Gh0strat family

      gh0strat

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

      rootkittrojanpurplefox

    • Purplefox family

      purplefox

    • Xred

      Xred is backdoor written in Delphi.

      backdoorxred

    • Xred family

      xred

    • Drops file in Drivers directory

    • Sets service image path in registry

      persistence

    • Suspicious Office macro

      Office document equipped with macros.

      macro

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks