Overview

overview

10

Static

static

10

2025-01-16...er.exe

windows7-x64

10

2025-01-16...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16-01-2025 19:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-01-16_6ba291b813ac8947bb43546f3132e2bf_darkgate_luca-stealer_magniber.exe

  • Size

    20.9MB

  • MD5

    6ba291b813ac8947bb43546f3132e2bf

  • SHA1

    d7df03818f85885edff3fb0e9e511b25a89df8ca

  • SHA256

    278fbc572f4c3dd603ba9131d858b0dcbf0746b243bfec96ae09dda62854c40f

  • SHA512

    79096b43c928d7e0ddd0d2a5f8b76833fa11b52963c9b96bfcf28af4e479f1fdee095e81f6500f4c8a72bce980c639af2a7666c2deb0cb8dd086af409b4f11e7

  • SSDEEP

    393216:/1kQeWIB6YcXX4BHSczO9X+hPjAPdHPNGmHCAkB/L4uTn/KolvzHbq:d3K6YZy3WsPdHlMAi4uT/KUC

Score
10/10
xredbackdoordiscoverymacropersistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Detected Nirsoft tools 6 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • Suspicious Office macro 1 IoCs

    Office document equipped with macros.

    macro
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-16_6ba291b813ac8947bb43546f3132e2bf_darkgate_luca-stealer_magniber.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-16_6ba291b813ac8947bb43546f3132e2bf_darkgate_luca-stealer_magniber.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2660
    • C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-16_6ba291b813ac8947bb43546f3132e2bf_darkgate_luca-stealer_magniber.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-16_6ba291b813ac8947bb43546f3132e2bf_darkgate_luca-stealer_magniber.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2908
      • C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSTools "C:\Users\Admin\AppData\Local\Temp\KMSTools.tmp" /Y
        3⤵
          PID:2716
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2808
        • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
          "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2976
          • C:\Windows\system32\cmd.exe
            "C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSTools "C:\Users\Admin\AppData\Local\Temp\KMSTools.tmp" /Y
            4⤵
              PID:2644
      • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
        1⤵
        • System Location Discovery: System Language Discovery
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:1676

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Synaptics\Synaptics.exe
        Filesize

        20.9MB

        MD5

        6ba291b813ac8947bb43546f3132e2bf

        SHA1

        d7df03818f85885edff3fb0e9e511b25a89df8ca

        SHA256

        278fbc572f4c3dd603ba9131d858b0dcbf0746b243bfec96ae09dda62854c40f

        SHA512

        79096b43c928d7e0ddd0d2a5f8b76833fa11b52963c9b96bfcf28af4e479f1fdee095e81f6500f4c8a72bce980c639af2a7666c2deb0cb8dd086af409b4f11e7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\2wg1n7Oa.xlsm
        Filesize

        17KB

        MD5

        e566fc53051035e1e6fd0ed1823de0f9

        SHA1

        00bc96c48b98676ecd67e81a6f1d7754e4156044

        SHA256

        8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

        SHA512

        a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\2wg1n7Oa.xlsm
        Filesize

        23KB

        MD5

        5a4daa6c35f3b73dfb7fcb57d877c5c3

        SHA1

        6e4dc370e5ad436932183741eb7ef78d7f1cd509

        SHA256

        070886e458297b93ea13ac78522ae4f87c5fb15cdd643db5b5323c032181d752

        SHA512

        6632eb5cb6e83dba6388282d5c5c4ac1a9541dd7bb997fa926f229eb198feaa4faa6b8683eb5bce0047e5ef8dd1a19eb1a307f792c5096ff3bbb3b568aee01ef

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\2wg1n7Oa.xlsm
        Filesize

        26KB

        MD5

        9e6c2de8931ba61c3ba84089295d0554

        SHA1

        8dd20ccacc90b0bf2908e91ee41e2105c98560a7

        SHA256

        84edc9888c713b0bc6d6b6147d154a9a12769f26c73cde2dbb04be7bec1e5a61

        SHA512

        d2ef9d9c6946dcbfac75f050ee9fe92586314cdc24b52e479e17cbc3f96bf0b863d6018357678da790c4a6148570eac1925281a58312152a2e7935fd754f3d56

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\2wg1n7Oa.xlsm
        Filesize

        28KB

        MD5

        8a81084e2613c7dbc1db8a41c1ad4058

        SHA1

        cd2e7c59299895e62e6f332525953bfdb3dc11be

        SHA256

        07d4a8f2bdf21c5a1ffee74527a213101cc5a3275dd2cd2380518f1b623ff88d

        SHA512

        e8899e67df86d149b49645d01b65db260665a4f15391108a33aeb601cad031532ae8d2da437cb73c1b089b67a0b3d8d72ea627dcae71c43e27a906dee9f7fe08

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\2wg1n7Oa.xlsm
        Filesize

        26KB

        MD5

        e5d64421ce64adf7ccb7530da8fa1cb9

        SHA1

        4100872b2c4a49b60b51065b98b584a6ea93ff22

        SHA256

        5b1b58a124875daad63671d0bbdea2922c0f76084ccd0477ad3968c5818ca2e6

        SHA512

        6619d63888de2d339a26a548e29c5b70b4437d3b69966cdaf57b7da60b0e05be6bffee60eedcf8ae2cdc18d968b3b816d58e1507245d599fb11e3bc14d3c2d5e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\~$2wg1n7Oa.xlsm
        Filesize

        165B

        MD5

        ff09371174f7c701e75f357a187c06e8

        SHA1

        57f9a638fd652922d7eb23236c80055a91724503

        SHA256

        e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

        SHA512

        e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

        Download Submit

      • \Users\Admin\AppData\Local\Temp\._cache_2025-01-16_6ba291b813ac8947bb43546f3132e2bf_darkgate_luca-stealer_magniber.exe
        Filesize

        20.2MB

        MD5

        3f197f581fb5ccf132b755e901f14bc4

        SHA1

        4b1c93db087f9c3a3e7fea68092249cf1d8a02a2

        SHA256

        bc1915790f5e64cf2a814370afa8ea37e32d3417d818783620cbcd7d67a62b47

        SHA512

        da4eac8c78dcea1fd237f40fb13bf86ca229f4861bd09514f16e40e75a9c223c13663d48b0ddf7bee6dd7be891b37670efa46507d167c43f8fb4cb5bca4e776b

        Download Submit

      • memory/1676-35-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1676-111-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2660-25-0x0000000000400000-0x00000000018ED000-memory.dmp

        Filesize

        20.9MB

        Download

      • memory/2660-0-0x0000000000220000-0x0000000000221000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2808-112-0x0000000000400000-0x00000000018ED000-memory.dmp

        Filesize

        20.9MB

        Download

      • memory/2808-113-0x0000000000400000-0x00000000018ED000-memory.dmp

        Filesize

        20.9MB

        Download

      • memory/2808-147-0x0000000000400000-0x00000000018ED000-memory.dmp

        Filesize

        20.9MB

        Download