Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-01-2025 19:22

General

  • Target

    2025-01-16_13ea4eef9bf2474af62e91f23b997f22_darkgate_luca-stealer_magniber.exe

  • Size

    9.7MB

  • MD5

    13ea4eef9bf2474af62e91f23b997f22

  • SHA1

    1831e4456b4194153698a9456595a4334e375451

  • SHA256

    85b0329f81547c5ddcceb47048820f13e40361c9520fc4ae1cd52fd9de2b3af0

  • SHA512

    e3b634b4cb7a6018473a7cd45ba3575f4081e51f49e4633016f06ed7f3761a42f1c631ffe4b377dfa900c447be823b179bcd59a5659ae10a070d0a8b349a4aa7

  • SSDEEP

    196608:jLjLivur4OIag6AiQBhyQbEAkZQdnkW9AVSGfGIJXcaI6HMaJTtGbp:jHLiv6Iazyyu4JfdJXq

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper
    https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData

Extracted

  • Family

    xred

  • C2

    xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll
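The payload list above mixes two kinds of host. xred.site50.net and the C2 host xred.mooo.com are free-hosting and dynamic-DNS names the operator controls, so the domain itself is the indicator. docs.google.com, www.dropbox.com and freedns.afraid.org are shared public services: blocking the domain breaks legitimate traffic, and the durable indicator is the exact URL, the Google Drive file id or the Dropbox share token. The same applies to the URL in the extracted PowerShell config: mrodevicemgr.officeapps.live.com is a Microsoft (live.com) host, so the "Blocklisted process makes network request" hit is PowerShell reaching Microsoft infrastructure, and the thing worth detecting is the behaviour (a WebClient download spawned from an executable in %TEMP%), not the destination. The script below is an added example by the editor, not part of the sandbox report or of any vendor tooling; it takes the config entries exactly as printed, and the split into "shared service" versus "actor controlled" hosts is the editor's assumption, encoded in SHARED_HOSTS.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed from the config above: the Xred C2 host and the ten payload URLs.
C2_HOST = "xred.mooo.com"
PAYLOAD_URLS = [
    "http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download",
    "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1",
    "http://xred.site50.net/syn/SUpdate.ini",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download",
    "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1",
    "http://xred.site50.net/syn/Synaptics.rar",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download",
    "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1",
    "http://xred.site50.net/syn/SSLLibrary.dll",
]
# The URL from the extracted PowerShell (ps1) config.
PS1_URL = "https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData"

# Shared public services or vendor hosts. Editor's assumption: these must not be
# blocked at the domain level, so the indicator is the exact URL / file token.
SHARED_HOSTS = {
    "docs.google.com",
    "www.dropbox.com",
    "freedns.afraid.org",
    "mrodevicemgr.officeapps.live.com",
}


def classify(url):
    """'shared_service' for hosts in SHARED_HOSTS, otherwise 'actor_controlled'."""
    host = urlsplit(url).hostname.lower()
    return "shared_service" if host in SHARED_HOSTS else "actor_controlled"


def file_token(url):
    """Stable token for shared-service URLs: Google Drive file id or Dropbox share key."""
    p = urlsplit(url)
    host = p.hostname.lower()
    if host == "docs.google.com":
        ids = parse_qs(p.query).get("id")
        return ("gdrive_id", ids[0]) if ids else None
    if host == "www.dropbox.com":
        parts = p.path.split("/")          # "/s/<token>/<filename>"
        if len(parts) >= 3 and parts[1] == "s":
            return ("dropbox_share", parts[2])
    return None


def indicators(urls, c2_hosts=()):
    """Split config URLs into domains to block, exact URLs to block, and file tokens."""
    out = {"block_domains": set(c2_hosts), "block_urls": set(), "tokens": set()}
    for u in urls:
        if classify(u) == "actor_controlled":
            out["block_domains"].add(urlsplit(u).hostname.lower())
        else:
            out["block_urls"].add(u)
            tok = file_token(u)
            if tok:
                out["tokens"].add(tok)
    return out


if __name__ == "__main__":
    ind = indicators(PAYLOAD_URLS, c2_hosts=[C2_HOST])
    print("block domains:", sorted(ind["block_domains"]))
    print("block URLs   :", len(ind["block_urls"]))
    print("file tokens  :", sorted(ind["tokens"]))
    print("ps1 URL class:", classify(PS1_URL))
```

The three payload names (SUpdate.ini, Synaptics.rar, SSLLibrary.dll) each appear on three hosts, so the sample has fallbacks if one mirror is taken down; blocking only xred.site50.net leaves the Google Drive and Dropbox copies reachable, which is why the file tokens matter.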

Signatures

  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, most likely as a geofence check.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs a command through powershell.exe.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-16_13ea4eef9bf2474af62e91f23b997f22_darkgate_luca-stealer_magniber.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-16_13ea4eef9bf2474af62e91f23b997f22_darkgate_luca-stealer_magniber.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4800
    • C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-16_13ea4eef9bf2474af62e91f23b997f22_darkgate_luca-stealer_magniber.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-16_13ea4eef9bf2474af62e91f23b997f22_darkgate_luca-stealer_magniber.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:1392
      • C:\Windows\SysWOW64\reg.exe
        "reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d 1 /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4524
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -nop -command "& { (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData', 'C:\Users\Admin\AppData\Local\Temp\files\ver.txt') }"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1632
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:5040
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1848
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1160
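Despite the family names in the submitted file name, the only configuration the sandbox extracted is Xred, and the tree reads as the Synaptics/Xred infector: the submitted file spawns a ._cache_ copy of itself (the 9.0MB original host program, see Downloads), that copy re-enables Windows Script Host via reg.exe and fetches a version file with PowerShell, and a second copy of the sample is planted as C:\ProgramData\Synaptics\Synaptics.exe and run with InjUpdate. The script below is an added example by the editor, not part of the report or any vendor's detection content; it replays the command lines above as constructed process-start events (PIDs and parent links as printed) and runs four rules over them, then walks each hit back to its root so the alert lands on the dropped sample rather than on reg.exe or powershell.exe. The rule names are the editor's.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int       # 0 marks a root of the tree
    image: str
    cmdline: str


SAMPLE = "2025-01-16_13ea4eef9bf2474af62e91f23b997f22_darkgate_luca-stealer_magniber.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
CACHE = TEMP + "\\._cache_" + SAMPLE
CACHE_SYN = TEMP + "\\._cache_Synaptics.exe"

# Constructed from the process tree in the report: same images, command lines,
# PIDs and parent/child links. Sysmon event ID 1 carries the same four fields.
EVENTS = [
    ProcEvent(4800, 0, TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    ProcEvent(1392, 4800, CACHE, '"' + CACHE + '"'),
    ProcEvent(4524, 1392, r"C:\Windows\SysWOW64\reg.exe",
              r'"reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d 1 /f'),
    ProcEvent(1632, 1392, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'''"powershell" -nop -command "& { (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData', 'C:\Users\Admin\AppData\Local\Temp\files\ver.txt') }"'''),
    ProcEvent(5040, 4800, r"C:\ProgramData\Synaptics\Synaptics.exe",
              r'"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate'),
    ProcEvent(1848, 5040, CACHE_SYN, '"' + CACHE_SYN + '" InjUpdate'),
    ProcEvent(1160, 0, r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
              r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding'),
]

WSH_SETTINGS = r"\microsoft\windows script host\settings"


def _base(path):
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_wsh_enabled(ev):
    """reg.exe setting the Windows Script Host 'Enabled' value to 1 (re-arming script execution)."""
    c = ev.cmdline.lower()
    return bool(_base(ev.image) == "reg.exe" and " add " in c and WSH_SETTINGS in c
                and re.search(r'/v\s+"?enabled"?', c) and re.search(r'/d\s+"?1"?(?!\d)', c))


def rule_ps_download(ev):
    """PowerShell whose arguments build a Net.WebClient and call a Download* method."""
    c = ev.cmdline.lower()
    return _base(ev.image) == "powershell.exe" and "net.webclient" in c and "download" in c


def rule_synaptics_injupdate(ev):
    """Synaptics.exe (any directory) launched with the InjUpdate argument, as in the tree above."""
    return _base(ev.image).endswith("synaptics.exe") and "injupdate" in ev.cmdline.lower()


def rule_cache_host(ev):
    """A ._cache_<name> executable: the original host program the infector
    writes to %TEMP% and runs so the user still sees the expected application."""
    return _base(ev.image).startswith("._cache_")


RULES = {
    "wsh_enabled_via_reg": rule_wsh_enabled,
    "powershell_webclient_download": rule_ps_download,
    "synaptics_injupdate": rule_synaptics_injupdate,
    "cache_host_executed": rule_cache_host,
}


def evaluate(events):
    """Map rule name -> set of PIDs it fired on."""
    hits = {}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.setdefault(name, set()).add(ev.pid)
    return hits


def ancestry(events, pid):
    """PIDs from `pid` up to its root, so a hit on reg.exe or powershell.exe
    is attributed to the dropped executable that spawned it."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain


if __name__ == "__main__":
    for name, pids in evaluate(EVENTS).items():
        for pid in sorted(pids):
            print(f"{name:32s} pid={pid} chain={ancestry(EVENTS, pid)}")
```

EXCEL.EXE is a separate root here (started by COM with /automation -Embedding, not as a child of the sample), so a parent-child rule alone would not tie it to the infection; the dropped otnwHPHQ.xlsm in %TEMP% is the link, which the Downloads example below picks up.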

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe

    Filesize

    9.7MB

    MD5

    13ea4eef9bf2474af62e91f23b997f22

    SHA1

    1831e4456b4194153698a9456595a4334e375451

    SHA256

    85b0329f81547c5ddcceb47048820f13e40361c9520fc4ae1cd52fd9de2b3af0

    SHA512

    e3b634b4cb7a6018473a7cd45ba3575f4081e51f49e4633016f06ed7f3761a42f1c631ffe4b377dfa900c447be823b179bcd59a5659ae10a070d0a8b349a4aa7

  • C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-16_13ea4eef9bf2474af62e91f23b997f22_darkgate_luca-stealer_magniber.exe

    Filesize

    9.0MB

    MD5

    c2f8f016aa58b9a0be33378f911185df

    SHA1

    c043b1630742ce321fcff02946ca2e6e758c6325

    SHA256

    621bc8871ab00c23151a99f2ea4c2dbadd55b86eae623fc4370276e0897ae5b8

    SHA512

    4c431246f01b974e3ad2a06ed90d0ee824a3c9338246c99a13a0ec8dea9fbcd9da5aa65a991ea74f9359954ca9b0a0039bde95060c4831cefe05d920c8530419

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ti2cytvw.tdn.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\files\ver.txt

    Filesize

    57KB

    MD5

    26eba5b216714f00d86b1b830a4d38ad

    SHA1

    707af5f668c121a59328f24b4a56c39436c650a6

    SHA256

    cf30d86f918a8bd8ca0d950723e1dd175694e9013da0f291359650e3a62d4cc3

    SHA512

    8187a1a7c7ed9ea0d5bd29cd5f67c922f00140626d6586097ead5781c53959240fdb5bc38bfc825987b010a094f154c2c7d4281da0bf758cc298b55eb0b08f80

  • C:\Users\Admin\AppData\Local\Temp\otnwHPHQ.xlsm

    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

  • memory/1160-194-0x00007FF933130000-0x00007FF933140000-memory.dmp

    Filesize

    64KB

  • memory/1160-195-0x00007FF933130000-0x00007FF933140000-memory.dmp

    Filesize

    64KB

  • memory/1160-193-0x00007FF933130000-0x00007FF933140000-memory.dmp

    Filesize

    64KB

  • memory/1160-192-0x00007FF933130000-0x00007FF933140000-memory.dmp

    Filesize

    64KB

  • memory/1160-191-0x00007FF933130000-0x00007FF933140000-memory.dmp

    Filesize

    64KB

  • memory/1160-196-0x00007FF9309D0000-0x00007FF9309E0000-memory.dmp

    Filesize

    64KB

  • memory/1160-197-0x00007FF9309D0000-0x00007FF9309E0000-memory.dmp

    Filesize

    64KB

  • memory/1632-212-0x00000000051F0000-0x0000000005226000-memory.dmp

    Filesize

    216KB

  • memory/1632-228-0x00000000067E0000-0x000000000682C000-memory.dmp

    Filesize

    304KB

  • memory/1632-214-0x00000000057D0000-0x00000000057F2000-memory.dmp

    Filesize

    136KB

  • memory/1632-215-0x00000000060A0000-0x0000000006106000-memory.dmp

    Filesize

    408KB

  • memory/1632-216-0x0000000006110000-0x0000000006176000-memory.dmp

    Filesize

    408KB

  • memory/1632-230-0x0000000006CB0000-0x0000000006CCA000-memory.dmp

    Filesize

    104KB

  • memory/1632-226-0x0000000006280000-0x00000000065D4000-memory.dmp

    Filesize

    3.3MB

  • memory/1632-213-0x0000000005900000-0x0000000005F28000-memory.dmp

    Filesize

    6.2MB

  • memory/1632-227-0x0000000006790000-0x00000000067AE000-memory.dmp

    Filesize

    120KB

  • memory/1632-229-0x0000000007DF0000-0x000000000846A000-memory.dmp

    Filesize

    6.5MB

  • memory/4800-0-0x00000000010B0000-0x00000000010B1000-memory.dmp

    Filesize

    4KB

  • memory/4800-129-0x0000000000400000-0x0000000000DBB000-memory.dmp

    Filesize

    9.7MB

  • memory/5040-235-0x0000000000400000-0x0000000000DBB000-memory.dmp

    Filesize

    9.7MB

  • memory/5040-266-0x0000000000400000-0x0000000000DBB000-memory.dmp

    Filesize

    9.7MB
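Two facts in the Downloads and memory lists tie the behaviour together: C:\ProgramData\Synaptics\Synaptics.exe has exactly the submitted sample's hashes (the sample copied itself there), and the ._cache_ file is the same name at 9.0MB with different hashes (the original host executable the infector carried). The region dumps agree: PIDs 4800 and 5040 both map 0x400000 to 0xDBB000, the same 9.7MB image at the same base. The script below is an added example by the editor, not part of the report; it loads the Downloads entries and a subset of the memory-region names exactly as printed (constructed input) and derives those relations, plus the dropped macro-enabled workbook that explains the EXCEL.EXE process. Treating ._cache_ files as the original host is the editor's reading of the Synaptics/Xred infector, consistent with the sizes shown.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Dropped:
    path: str
    size: str       # as printed in the report, e.g. "9.7MB"
    sha256: str


SAMPLE = "2025-01-16_13ea4eef9bf2474af62e91f23b997f22_darkgate_luca-stealer_magniber.exe"
SAMPLE_SHA256 = "85b0329f81547c5ddcceb47048820f13e40361c9520fc4ae1cd52fd9de2b3af0"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed from the Downloads list above (paths, sizes and SHA-256 as printed).
DROPPED = [
    Dropped(r"C:\ProgramData\Synaptics\Synaptics.exe", "9.7MB",
            "85b0329f81547c5ddcceb47048820f13e40361c9520fc4ae1cd52fd9de2b3af0"),
    Dropped(TEMP + "\\._cache_" + SAMPLE, "9.0MB",
            "621bc8871ab00c23151a99f2ea4c2dbadd55b86eae623fc4370276e0897ae5b8"),
    Dropped(TEMP + r"\__PSScriptPolicyTest_ti2cytvw.tdn.ps1", "60B",
            "96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7"),
    Dropped(TEMP + r"\files\ver.txt", "57KB",
            "cf30d86f918a8bd8ca0d950723e1dd175694e9013da0f291359650e3a62d4cc3"),
    Dropped(TEMP + r"\otnwHPHQ.xlsm", "17KB",
            "8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15"),
]
# A subset of the memory-region names above: memory/<pid>-<index>-<start>-<end>-memory.dmp
MEMORY = [
    "memory/4800-0-0x00000000010B0000-0x00000000010B1000-memory.dmp",
    "memory/4800-129-0x0000000000400000-0x0000000000DBB000-memory.dmp",
    "memory/5040-235-0x0000000000400000-0x0000000000DBB000-memory.dmp",
    "memory/5040-266-0x0000000000400000-0x0000000000DBB000-memory.dmp",
    "memory/1160-191-0x00007FF933130000-0x00007FF933140000-memory.dmp",
    "memory/1160-196-0x00007FF9309D0000-0x00007FF9309E0000-memory.dmp",
    "memory/1632-213-0x0000000005900000-0x0000000005F28000-memory.dmp",
]

_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}


def parse_size(text):
    """'9.7MB' -> bytes (binary units, as the report rounds them)."""
    m = re.fullmatch(r"([\d.]+)(B|KB|MB)", text)
    if not m:
        raise ValueError(text)
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def _base(path):
    return path.rsplit("\\", 1)[-1]


def self_copies(downloads, sha256):
    """Dropped files byte-identical to the submitted sample (self-copy / persistence location)."""
    return [d.path for d in downloads if d.sha256 == sha256]


def cache_originals(downloads):
    """{host name: record} for ._cache_<host> files, i.e. the extracted original programs."""
    return {_base(d.path)[len("._cache_"):]: d
            for d in downloads if _base(d.path).startswith("._cache_")}


def infector_overhead(carrier_size, host_size):
    """Approximate bytes the infector adds in front of the host program."""
    return parse_size(carrier_size) - parse_size(host_size)


def macro_docs(downloads):
    """Dropped macro-enabled Office documents (the Excel component of the infector)."""
    return [d.path for d in downloads if _base(d.path).lower().endswith((".xlsm", ".docm"))]


MEM_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_region(name):
    pid, _idx, start, end = MEM_RE.fullmatch(name).groups()
    return int(pid), int(start, 16), int(end, 16)


def region_mib(name):
    """Size of a dumped region in MiB, rounded like the report's Filesize column."""
    _pid, start, end = parse_region(name)
    return round((end - start) / (1024 ** 2), 1)


def shared_ranges(region_names):
    """(start, end) -> PIDs when more than one process maps the identical range:
    the same image loaded at the same base in two processes."""
    by_range = {}
    for n in region_names:
        pid, start, end = parse_region(n)
        by_range.setdefault((start, end), set()).add(pid)
    return {rng: pids for rng, pids in by_range.items() if len(pids) > 1}


if __name__ == "__main__":
    print("self copies :", self_copies(DROPPED, SAMPLE_SHA256))
    for host, rec in cache_originals(DROPPED).items():
        print("cache host  :", host, rec.size, "overhead", infector_overhead("9.7MB", rec.size), "bytes")
    print("macro docs  :", macro_docs(DROPPED))
    print("shared maps :", shared_ranges(MEMORY))
```

The same approach applies to a host: a file under C:\ProgramData\Synaptics\ with the hash of a user's executable, a ._cache_ sibling in %TEMP%, and a Run key pointing at Synaptics.exe are the triage checks; the ._cache_ file is the clean program to restore after removal, which is worth keeping rather than deleting with the rest.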