Extracted

• • Target

    2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber

  • Size

    34.7MB

  • MD5

    253baf4a712d3bacc42c2c944c688feb

  • SHA1

    9c54c6810b05ad51f31a14acd60131dca259716e

  • SHA256

    35acdf1a5578a8605697cc8053509c51e8737921168f6f9917ba72d4e8bdc3ee

  • SHA512

    3cc204d205fc509ebc6b0857de825b1e4fc4c5b0478fe44bb3a0e97d4bed95e67878ebee824e3e69d94b663c0abf7c21c2a31021d4e30e788c7e5451111c4d91

  • SSDEEP

    393216:mXXdmf1JPPIbTv2zqfFOsvSqQs8yDuDhxMewmIaOiRrqNuZif8l1hSp0huAePYn6:Qw1JPGTvXfIsb45O8ZiY1s7g8Sw

  Score

  10^/10

  xredbackdoorbootkitdiscoverymacropersistencespywarestealer

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred

  • Xred family

    xred

  • Downloads MZ/PE file

  • Suspicious Office macro

    Office document equipped with macros.

    macro

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Checks for any installed AV software in registry

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Checks system information in the registry

    System information is often read in order to detect sandboxing environments.

  behavioral1behavioral2