Overview

overview

10

Static

static

3

crack.dll

windows7-x64

9

crack.dll

windows10-2004-x64

9

loader.exe

windows7-x64

10

loader.exe

windows10-2004-x64

10

maple.exe

windows7-x64

7

maple.exe

windows10-2004-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    maple_latest_cracked.rar

  • Size

    50.1MB

  • Sample

    250112-m91bzasmbp

  • MD5

    bbe4fa7ad4f6641727db948850d6d353

  • SHA1

    d7065d5659858c7154e1ccb4ccef7497a4122600

  • SHA256

    877bbfa93204729a4a260fede9c76318d4f7e58a38f6ba5073424f94829ed536

  • SHA512

    15ce1dac4c77dde25ed80823318110cd5046d71b427a74487ab1914c19d9fad9e85a3f44d9a82af0b68480e44ce1fc26f47b6481761d506795a2cd46e8f9d564

  • SSDEEP

    1572864:0upJ40VcS/Gl5U7ks51h6vWZnd0LiU+rxi68nN7S:Zp20ClQkc6OZnd0eJ78Nm

Score
10/10
stormkittyxredbackdoorcollectiondiscoveryevasionmacropersistencespywarestealertrojan

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Targets

    • Target

      crack.dll

    • Size

      5.0MB

    • MD5

      b5b1b26e855eda6268b9a2008e0fce86

    • SHA1

      d7925f7de5835e3564b187d8654bb9305ea945fb

    • SHA256

      06dec4f9857f7b9a43157756606546d04a0f34c87681c7db9aab9125a43b33a7

    • SHA512

      14ad2e93ed5876dd246ce6f32674e994b4f35a5acbb1ac46388bebc682a70ce4eca974fda102c273c71dae3c9bc7b69f965fd636cb2d5c579de9cd23e8b35799

    • SSDEEP

      98304:j+YCYfXbb8DckgAEhxWiHF/5DoNZ2qkFVwz7583lfdmjLdGGf:jP8QDDRF/eNsqgiZ

    Score
    9/10
    evasiontrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks whether UAC is enabled

      evasiontrojan
    behavioral1behavioral2

    • Target

      loader.exe

    • Size

      5.8MB

    • MD5

      618cb93c3c997388af8524158c86bfeb

    • SHA1

      fa1d990888cddd1ce2f42de85362127bfb4e3a63

    • SHA256

      51f784375bfd11aa1c2d3d8ba38ba59682f5f54e09c0ebb3d5d67c33d1012259

    • SHA512

      407fbf24f34a7810452136d678570d8ad0bd68640d7ff4df8bcf0c7d7bcd1621482bc4d47c1fb8ef0aa4540cb885024ae6055c359d9d70ecf10887be1113c80c

    • SSDEEP

      98304:rDjJgdhBZTv0sGVD+Oq7j3JQ9oQSqEac8JgZSeC3FSDsa7V578kXHoujwCl1um:3jJuBtGVD+OoUq8+SZ1hAVpRRjw6Q

    Score
    10/10
    stormkittyxredbackdoorcollectiondiscoverymacropersistencespywarestealer

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Stormkitty family

      stormkitty

    • Xred

      Xred is backdoor written in Delphi.

      backdoorxred

    • Xred family

      xred

    • Suspicious Office macro

      Office document equipped with macros.

      macro

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral3behavioral4

    • Target

      maple.exe

    • Size

      40.8MB

    • MD5

      db7b4b030f0a44a2f51c957d949f8e1e

    • SHA1

      7814eaffb9c68fb78f3f69380439aaf94d556828

    • SHA256

      8f5f582788ce95ba51ca37dac8e45fff1674e0d36e4129731edded7e71a94c30

    • SHA512

      be6f371423a0bee1b3d3f61640e1b6ca64290a4a864d4a1b3ad8ca6250650ca01d42b635f650138733b3817c491f64a8bc82622e7f1b565dc4cc8da37e43a63c

    • SSDEEP

      786432:GmtGTz74LgKKoB7fgM3QZ2ciA4DS+mC8yZ9BSmPpnbP3EwlIFFnHpu1Ckf9+uKcY:GmKoLW233u2cipDM+Z9LFPI/nkUg9M6S

    Score
    7/10

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

6
T1012

System Information Discovery

6
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Tasks