Overview

overview

10

Static

static

10

8.0.exe

windows7-x64

10

8.0.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8.0.exe

  • Size

    1.0MB

  • Sample

    250104-k3fb4svman

  • MD5

    7bfcd8f6d2396fac92e1693cbc15fc0d

  • SHA1

    b60b4aa3be6ca2bb357d7e921685dffc88bf6196

  • SHA256

    922f57f2041b3e1e0a5ef916bed236a658332ced17091d551d1580c0fae62629

  • SHA512

    fbf4ae62c34c475f9d090e2003d3b492347c9a6023898f24f2d7dce7943eefebb463bc816c4c7edc1a66b8d547983e799db42c241635745c4a2285ee6b7d9526

  • SSDEEP

    24576:ensJ39LyjbJkQFMhmC+6GD9d2Aup39eCLjVg:ensHyjtk2MYC5GDuAoDS

Score
10/10
blackmoonxredbackdoorbankerdefense_evasiondiscoverymacropersistencetrojan

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Targets

    • Target

      8.0.exe

    • Size

      1.0MB

    • MD5

      7bfcd8f6d2396fac92e1693cbc15fc0d

    • SHA1

      b60b4aa3be6ca2bb357d7e921685dffc88bf6196

    • SHA256

      922f57f2041b3e1e0a5ef916bed236a658332ced17091d551d1580c0fae62629

    • SHA512

      fbf4ae62c34c475f9d090e2003d3b492347c9a6023898f24f2d7dce7943eefebb463bc816c4c7edc1a66b8d547983e799db42c241635745c4a2285ee6b7d9526

    • SSDEEP

      24576:ensJ39LyjbJkQFMhmC+6GD9d2Aup39eCLjVg:ensHyjtk2MYC5GDuAoDS

    Score
    10/10
    blackmoonxredbackdoorbankerdiscoverymacropersistencetrojandefense_evasion

    • Blackmoon family

      blackmoon

    • Blackmoon, KrBanker

      Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

      trojanbankerblackmoon

    • Detect Blackmoon payload

    • Xred

      Xred is backdoor written in Delphi.

      backdoorxred

    • Xred family

      xred

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Suspicious Office macro

      Office document equipped with macros.

      macro

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Indicator Removal: Clear Persistence

      remove IFEO.

      defense_evasion
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks