xred | ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea

Analysis

max time kernel
141s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-01-2025 06:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe
Size

814KB
MD5

66a61fa07f6a99e8eb497b4ab2a4b8d4
SHA1

b275c01835d1a3c50ff351c8505c409b072807a6
SHA256

ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea
SHA512

d8b873937545a990b83b8916d5859bbe76217dbda4830d6fdf28cece3147b2aa7719d4584a28f8fa1d84864e303f414f4fb348579c9b2bea3a38e632f1e0703d
SSDEEP

12288:tMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9BZhA0S47c:tnsJ39LyjbJkQFMhmC+6GD9l7g

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
1276	._cache_ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe
2624	Synaptics.exe
2684	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
2616	ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe
2616	ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe
2616	ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe
2624	Synaptics.exe
2624	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2536	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2536	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 1276	2616	ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe	31
PID 2616 wrote to memory of 1276	2616	ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe	31
PID 2616 wrote to memory of 1276	2616	ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe	31
PID 2616 wrote to memory of 1276	2616	ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe	31
PID 2616 wrote to memory of 2624	2616	ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe	32
PID 2616 wrote to memory of 2624	2616	ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe	32
PID 2616 wrote to memory of 2624	2616	ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe	32
PID 2616 wrote to memory of 2624	2616	ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe	32
PID 2624 wrote to memory of 2684	2624	Synaptics.exe	33
PID 2624 wrote to memory of 2684	2624	Synaptics.exe	33
PID 2624 wrote to memory of 2684	2624	Synaptics.exe	33
PID 2624 wrote to memory of 2684	2624	Synaptics.exe	33

C:\Users\Admin\AppData\Local\Temp\ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe
"C:\Users\Admin\AppData\Local\Temp\ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Users\Admin\AppData\Local\Temp\._cache_ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe"
  2⤵
  - Executes dropped EXE
  PID:1276
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:2684

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
814KB

MD5
66a61fa07f6a99e8eb497b4ab2a4b8d4

SHA1
b275c01835d1a3c50ff351c8505c409b072807a6

SHA256
ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea

SHA512
d8b873937545a990b83b8916d5859bbe76217dbda4830d6fdf28cece3147b2aa7719d4584a28f8fa1d84864e303f414f4fb348579c9b2bea3a38e632f1e0703d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YCtPJalP.xlsm

Filesize
20KB

MD5
321124297ea25087638fd5816a6b6d13

SHA1
fd1af6af256d985ec65ee10b60b8e3d0610eff1b

SHA256
cfe0479e939367d3dbd4651346aabb30c42d29cd9d7f8ffcc364b6a7305dc5b3

SHA512
16ac7108c6d4c2285d1c05bfd1013804a8e91d8f02653574cd153a99374500f552445aaf6b4780437294f1abc7273c81c272b0c58b2c49f7e7ef3e115d74b545

Download Submit
C:\Users\Admin\AppData\Local\Temp\YCtPJalP.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\YCtPJalP.xlsm

Filesize
22KB

MD5
6833f50883e462f799d5fad9045f2744

SHA1
363c85be059d5c657ddfc6a30d0440572c7ac65c

SHA256
067f7c9b15194feedf4613edd262277a2cee599c35c78f1db1170f3d08ea2dfb

SHA512
b985338000afcdca9819a53f87fbf0944ffebf53c8bcde0c03e0b4815c1ba59a8ce69d919ea3d3410f08830447f82723b3e305beeca58b400567cf236e43892c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YCtPJalP.xlsm

Filesize
22KB

MD5
8f690a3699a0746a1c6295d9bd8a04a0

SHA1
5c829f93d0e74883ec9c8fec0acda574adda0fb0

SHA256
17f5b6a8e2fe67e082aa039a3ebf80bd1484b61697a93c3995215039b6104aaa

SHA512
5168c4712fe558e320c59570880db623dc1fcb4c5d419e12635aa0b4911b61402d9df6ba5ee9b2ecc5413b7cf84b9c2f745185c2a413ce5f529be68b0d859f64

Download Submit
C:\Users\Admin\AppData\Local\Temp\YCtPJalP.xlsm

Filesize
23KB

MD5
d1a744a313f8bcec53d0cef9077e96d7

SHA1
dbf64fd589001a385af1f04d1e461376c72328a2

SHA256
21d34a2f104c8b5acc4531bdd523b4e34f4acaea5d2c26557646f713dbb85f0d

SHA512
9f6c52eb9f8e0849af5706305b7e3f5f7bbe62d7003aa63fcbae470d9012db3a02a00c7b240d615e633eabeaef69193c696509827952ed04736db2a79094b221

Download Submit
C:\Users\Admin\AppData\Local\Temp\YCtPJalP.xlsm

Filesize
22KB

MD5
7c37be8f77992b002cec3de6468478de

SHA1
98d6c081c50fd4072c018ad562e91b4e51293ed2

SHA256
04b639c3dbec8d41f7f68d1c0c1d4875d5e2f779c0941b3c2aefd09ac24abd4d

SHA512
40f451c43bd846f290a5a54bcd8c391c6ebb4abc22551cd9732b0a53f240dcbee4f80f4757fd4b3ce26f2fd93c20706b2fa7435c64b4debd83fc937c659a385b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YCtPJalP.xlsm

Filesize
22KB

MD5
53be65620b9243213e94e6a8e99dd16a

SHA1
6b60eed60436ab7a6729c825b207c384643cb37a

SHA256
9194f7d0f66cc9e1b35a9411c80b0efb2f5ce8e3173f392674dd2deab3bda499

SHA512
c4a0484904ca7420cf5f6f1ce2e37c068a23852c020aa53befa6eb42068484260995fac42b9805dd1c33df22f823520902633e6d3cd769345baeae3d80fa8922

Download Submit
C:\Users\Admin\Desktop\~$PopTest.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe

Filesize
60KB

MD5
cf5ae9b73422687b7979d82f66d9a2ee

SHA1
16ae4c62c231c716082a03db0ba3da5d38583e5e

SHA256
cae98e535dba104fd872f22ff16ff94cdadc7fe0a6791f29359ca4f5b17f43a2

SHA512
15dad8f4fb76af8297cb53421488cf3815fb883e221f32b15bfeb8dab2327f6bf8eeeae1e9014fc7a10292f9b56dccfe3736b1e04e3a6b670614c0c11b259045

Download Submit
memory/2536-35-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2536-133-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2616-24-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2616-0-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2624-134-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2624-135-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2624-167-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads