Overview

overview

10

Static

static

10

2025-01-16...er.exe

windows7-x64

10

2025-01-16...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-01-2025 19:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-01-16_6ba291b813ac8947bb43546f3132e2bf_darkgate_luca-stealer_magniber.exe

  • Size

    20.9MB

  • MD5

    6ba291b813ac8947bb43546f3132e2bf

  • SHA1

    d7df03818f85885edff3fb0e9e511b25a89df8ca

  • SHA256

    278fbc572f4c3dd603ba9131d858b0dcbf0746b243bfec96ae09dda62854c40f

  • SHA512

    79096b43c928d7e0ddd0d2a5f8b76833fa11b52963c9b96bfcf28af4e479f1fdee095e81f6500f4c8a72bce980c639af2a7666c2deb0cb8dd086af409b4f11e7

  • SSDEEP

    393216:/1kQeWIB6YcXX4BHSczO9X+hPjAPdHPNGmHCAkB/L4uTn/KolvzHbq:d3K6YZy3WsPdHlMAi4uT/KUC

Score
10/10
xredbackdoordiscoverypersistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Detected Nirsoft tools 6 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-16_6ba291b813ac8947bb43546f3132e2bf_darkgate_luca-stealer_magniber.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-16_6ba291b813ac8947bb43546f3132e2bf_darkgate_luca-stealer_magniber.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-16_6ba291b813ac8947bb43546f3132e2bf_darkgate_luca-stealer_magniber.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-16_6ba291b813ac8947bb43546f3132e2bf_darkgate_luca-stealer_magniber.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:32
      • C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSTools "C:\Users\Admin\AppData\Local\Temp\KMSTools.tmp" /Y
        3⤵
          PID:540
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1740
        • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
          "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:4760
          • C:\Windows\system32\cmd.exe
            "C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSTools "C:\Users\Admin\AppData\Local\Temp\KMSTools.tmp" /Y
            4⤵
              PID:3908
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x2f8 0x2f4
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:668
      • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
        1⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:1084

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Synaptics\Synaptics.exe
        Filesize

        20.9MB

        MD5

        6ba291b813ac8947bb43546f3132e2bf

        SHA1

        d7df03818f85885edff3fb0e9e511b25a89df8ca

        SHA256

        278fbc572f4c3dd603ba9131d858b0dcbf0746b243bfec96ae09dda62854c40f

        SHA512

        79096b43c928d7e0ddd0d2a5f8b76833fa11b52963c9b96bfcf28af4e479f1fdee095e81f6500f4c8a72bce980c639af2a7666c2deb0cb8dd086af409b4f11e7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-16_6ba291b813ac8947bb43546f3132e2bf_darkgate_luca-stealer_magniber.exe
        Filesize

        20.2MB

        MD5

        3f197f581fb5ccf132b755e901f14bc4

        SHA1

        4b1c93db087f9c3a3e7fea68092249cf1d8a02a2

        SHA256

        bc1915790f5e64cf2a814370afa8ea37e32d3417d818783620cbcd7d67a62b47

        SHA512

        da4eac8c78dcea1fd237f40fb13bf86ca229f4861bd09514f16e40e75a9c223c13663d48b0ddf7bee6dd7be891b37670efa46507d167c43f8fb4cb5bca4e776b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\D1C75E00
        Filesize

        22KB

        MD5

        04fbc58cd95d3904504939be62810e3c

        SHA1

        13b7e54547ad761c4ae04ce2af1259742712e6fe

        SHA256

        a710abd6fbe3866ce6ed3e753097f6be1d32494ee012cf2876cc85f359d29e85

        SHA512

        02abc286f5863a981169328c9489a755d2f1cc90ac7da1b6fa7d08a3ebde92eac71839742b67cbb44c3ba0c4fbab944cf85bb76863685028aa8bd9b04d5617d2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\EybToDDF.xlsm
        Filesize

        17KB

        MD5

        e566fc53051035e1e6fd0ed1823de0f9

        SHA1

        00bc96c48b98676ecd67e81a6f1d7754e4156044

        SHA256

        8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

        SHA512

        a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

        Download Submit

      • memory/1084-190-0x00007FF96A9D0000-0x00007FF96A9E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1084-188-0x00007FF96A9D0000-0x00007FF96A9E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1084-192-0x00007FF96A9D0000-0x00007FF96A9E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1084-191-0x00007FF96A9D0000-0x00007FF96A9E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1084-189-0x00007FF96A9D0000-0x00007FF96A9E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1084-193-0x00007FF968070000-0x00007FF968080000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1084-194-0x00007FF968070000-0x00007FF968080000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1740-187-0x0000000000400000-0x00000000018ED000-memory.dmp

        Filesize

        20.9MB

        Download

      • memory/1740-241-0x0000000000400000-0x00000000018ED000-memory.dmp

        Filesize

        20.9MB

        Download

      • memory/1740-272-0x0000000000400000-0x00000000018ED000-memory.dmp

        Filesize

        20.9MB

        Download

      • memory/2164-0-0x0000000003790000-0x0000000003791000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2164-127-0x0000000000400000-0x00000000018ED000-memory.dmp

        Filesize

        20.9MB

        Download