xred | f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-01-2025 10:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe
Size

1.3MB
MD5

2935d17373e419c7624ab17139690a8c
SHA1

792e8f46fa12ac247f3c4b4b0a00b37a57861a53
SHA256

f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750
SHA512

0c7a602e1c669f0641d4203202f0dc5cc190ddc0f83314fc99240cf765d7fbcf971348cd19c7e65e3d4075f9e450fa659fb499e8c7e6d5bb90db1a034c5c4ea3
SSDEEP

24576:xnsJ39LyjbJkQFMhmC+6GM9OVTdNHKMognTF0vGAAu2wH:xnsHyjtk2MYC5GMaTddn1nSvgvk

Score

10^/10

xred backdoor discovery persistence upx

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
2288	._cache_f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe
340	Synaptics.exe
2568	._cache_Synaptics.exe

Loads dropped DLL 7 IoCs

pid	Process
1768	f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe
1768	f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe
1768	f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe
1768	f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe
340	Synaptics.exe
340	Synaptics.exe
340	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000d000000012276-4.dat	upx
behavioral1/memory/2288-22-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral1/memory/2568-45-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral1/memory/340-44-0x0000000005690000-0x00000000058C2000-memory.dmp	upx
behavioral1/memory/2288-46-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral1/memory/2568-47-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral1/memory/2568-50-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral1/memory/2288-48-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral1/memory/2288-143-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral1/memory/2568-145-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral1/memory/2568-148-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral1/memory/2288-146-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral1/memory/2288-149-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral1/memory/2568-151-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral1/memory/2288-152-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral1/memory/2568-154-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral1/memory/2288-156-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral1/memory/2568-158-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral1/memory/2288-159-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral1/memory/2568-161-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral1/memory/2568-190-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral1/memory/2288-188-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral1/memory/2288-191-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral1/memory/2568-193-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral1/memory/2288-194-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral1/memory/2568-196-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral1/memory/2288-197-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral1/memory/2568-199-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral1/memory/2288-200-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral1/memory/2568-202-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral1/memory/2288-203-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral1/memory/2568-205-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral1/memory/2288-206-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral1/memory/2568-208-0x0000000000400000-0x0000000000632000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2940	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2940	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 2288	1768	f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe	30
PID 1768 wrote to memory of 2288	1768	f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe	30
PID 1768 wrote to memory of 2288	1768	f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe	30
PID 1768 wrote to memory of 2288	1768	f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe	30
PID 1768 wrote to memory of 340	1768	f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe	31
PID 1768 wrote to memory of 340	1768	f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe	31
PID 1768 wrote to memory of 340	1768	f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe	31
PID 1768 wrote to memory of 340	1768	f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe	31
PID 340 wrote to memory of 2568	340	Synaptics.exe	32
PID 340 wrote to memory of 2568	340	Synaptics.exe	32
PID 340 wrote to memory of 2568	340	Synaptics.exe	32
PID 340 wrote to memory of 2568	340	Synaptics.exe	32

C:\Users\Admin\AppData\Local\Temp\f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe
"C:\Users\Admin\AppData\Local\Temp\f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Users\Admin\AppData\Local\Temp\._cache_f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2288
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:340
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2568

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.3MB

MD5
2935d17373e419c7624ab17139690a8c

SHA1
792e8f46fa12ac247f3c4b4b0a00b37a57861a53

SHA256
f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750

SHA512
0c7a602e1c669f0641d4203202f0dc5cc190ddc0f83314fc99240cf765d7fbcf971348cd19c7e65e3d4075f9e450fa659fb499e8c7e6d5bb90db1a034c5c4ea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAYtmHHD.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAYtmHHD.xlsm

Filesize
23KB

MD5
46561e20db54f2ac64521b346f512aee

SHA1
48159a2fcd564771a3faac6480db5c18f1c02eee

SHA256
8c25abde690523483308ea9c3d60cf9d380b796cf10bca2c3b17eb96d257f95c

SHA512
c24ec73069badc2d19065cd57c0788b83385f8f95307f65dd62a371b5af20bb20b09f2127e80612a994d6c6b0ba3f96380fae83dc40ba12a614844b9efa846d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAYtmHHD.xlsm

Filesize
24KB

MD5
eaa5b62901434f9028774c909c30914a

SHA1
10d344849dfdb982ce7bbc1464f5b9f0fe399bb7

SHA256
ab242f10ded0b8d41a4a06a456496712b35214423ff643b5eddbec059192af3e

SHA512
a594ced9bf8865606ed84e63c4d7dda6f8ac72a0aeb279e108e702c27269a7d90e4c4670b663fd8e0d8b3e03d2a9f53e80279bd1f90a5c856e8cd7d696f2eef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAYtmHHD.xlsm

Filesize
27KB

MD5
35ce080f6521229eb432acdf4b1b0b5b

SHA1
31fbb6d5ba9b75e0a2a614ad16a0799196bd7158

SHA256
1be46e0e18bd1e42d2c0154de2adffcc6b4c65a19c366156e448f27d3244cc20

SHA512
cbee9ec24e628bf39741a435286e7dce37d4991d263f157710cd5d2b4fe586b517e006f6e3ecdf1dec13904fe56e5e4f46294cc618ecb13fcd47d4e17f250b6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAYtmHHD.xlsm

Filesize
25KB

MD5
477009cc366f85340f8129a9aaee35cc

SHA1
9b3dc603bc5cc9a2e88e18d8ee33f79ad0e68611

SHA256
96f6ed5a822ab5d0d63be1668f7c1cc39a53a2c46da42387fcbd3b5c9c3d939a

SHA512
81b3c74bc17dfe65ba75be53dab829d5bb532eda173afb2a99bf57835e0dec1b95d916f8b7fd136133ebb222642388968ca3f49bc3757c7b565045474fae0565

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAYtmHHD.xlsm

Filesize
28KB

MD5
7d3e2c40086ab0a70b4c4641a552333f

SHA1
b7672845d0370e24b3074171d78a3a6583e2434d

SHA256
74e9d5f4d0bf75b2f81fa28e5599b1b2e715c687cbd97af4b786d300f958af20

SHA512
25c395c8d2526e7e7f9e5f2284ebebc22fc521f51ad63e232fb05bdab9722314821fd51afb517186c4074da92504bd2f28a47bfd8a45e3366643f1b1a8ac9d10

Download Submit
C:\Users\Admin\Desktop\~$StepInitialize.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe

Filesize
585KB

MD5
706939c469346bef9b84c822abcf7b31

SHA1
bc87860064ecd909c9f9569b1fce0785db06ecc7

SHA256
e64fdd9dd992efceb24951c882b3dcce36d9ee22c09eea4e3af8ecedf4d65bf9

SHA512
c2b90981442467032a7b88844f5057b24d1d44def11b867e83939626f6b1093f5c6814af408f62b06ffdec91308798e1c597712e591103080c93fad32eedd084

Download Submit
memory/340-49-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/340-144-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/340-51-0x0000000005690000-0x00000000058C2000-memory.dmp

Filesize
2.2MB

Download
memory/340-147-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/340-44-0x0000000005690000-0x00000000058C2000-memory.dmp

Filesize
2.2MB

Download
memory/340-189-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/1768-31-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/1768-20-0x0000000005730000-0x0000000005962000-memory.dmp

Filesize
2.2MB

Download
memory/1768-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1768-19-0x0000000005730000-0x0000000005962000-memory.dmp

Filesize
2.2MB

Download
memory/2288-191-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2288-197-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2288-48-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2288-206-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2288-203-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2288-143-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2288-200-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2288-46-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2288-194-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2288-146-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2288-149-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2288-22-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2288-152-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2288-188-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2288-156-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2288-159-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2568-196-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2568-154-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2568-158-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2568-190-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2568-208-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2568-151-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2568-193-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2568-199-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2568-45-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2568-161-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2568-148-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2568-145-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2568-202-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2568-47-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2568-205-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2568-50-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2940-52-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads