xred | 2677883f2109a228a80bebbd723c70ec58e01526af5944d92627d2fcf634a3dd | Triage

Submit
Reports

Overview

overview

Static

static

CraxsRat°...P].zip

windows10-2004-x64

Sharing

General

Target

CraxsRat°v7.1cracked [RDP].zip
Size

259.5MB
Sample

250111-m2579azngp
MD5

c222287d1a010c086a301f789de8ea87
SHA1

a5999d3213ecb6ffe1c593866a384e983aa0b350
SHA256

2677883f2109a228a80bebbd723c70ec58e01526af5944d92627d2fcf634a3dd
SHA512

b2fb338af2a99d79a4b7658b3e251a13d76b23279985a043dd18136ef4816c044bf61543f31e95e77ea58fa51c61ddc7bf749462d6d0e97d85a228c8168f5e1d
SSDEEP

6291456:lgl+OvcaWK3Y/Eod2qQlqFbp1XfTsmgmvv7GInbBsH:l0+zLr2jMXf1gcGGKH

Score

10^/10

xred agilenet backdoor defense_evasion discovery evasion phishing themida trojan

Static task

static1

phishing agilenet xred

4 signatures

Behavioral task

behavioral1

Sample

CraxsRat°v7.1cracked [RDP].zip

Resource

win10v2004-20241007-en

xred agilenet backdoor defense_evasion discovery evasion themida trojan

windows10-2004-x64

29 signatures

150 seconds

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Targets

- Target
  
  CraxsRat°v7.1cracked [RDP].zip
- Size
  
  259.5MB
- MD5
  
  c222287d1a010c086a301f789de8ea87
- SHA1
  
  a5999d3213ecb6ffe1c593866a384e983aa0b350
- SHA256
  
  2677883f2109a228a80bebbd723c70ec58e01526af5944d92627d2fcf634a3dd
- SHA512
  
  b2fb338af2a99d79a4b7658b3e251a13d76b23279985a043dd18136ef4816c044bf61543f31e95e77ea58fa51c61ddc7bf749462d6d0e97d85a228c8168f5e1d
- SSDEEP
  
  6291456:lgl+OvcaWK3Y/Eod2qQlqFbp1XfTsmgmvv7GInbBsH:l0+zLr2jMXf1gcGGKH
Score

10^/10

xred agilenet backdoor defense_evasion discovery evasion themida trojan
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Probable phishing domain
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Phishing

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

SIP and Trust Provider Hijacking

Virtualization/Sandbox Evasion

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

phishingagilenetxred

behavioral1

xredagilenetbackdoordefense_evasiondiscoveryevasionthemidatrojan

© 2018-2025

Terms | Privacy