Analysis

  • max time kernel
    141s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-01-2025 19:25

General

  • Target

    2025-01-16_a471854facb61ad4d760001845c57469_darkgate_luca-stealer_magniber.exe

  • Size

    9.7MB

  • MD5

    a471854facb61ad4d760001845c57469

  • SHA1

    6275477c5ddfe99db225b580193b6b26e3ae7152

  • SHA256

    56bdfa76e1f0629bbde6b7fa28d8efb7e77252ff190b90470078d9a3ab80a15f

  • SHA512

    f0e89a7c39a6095be8e932a235ceaba5218fed9cdc1e55af9c92e6b5f6ceb02acf20a616b76eb5515c878d11fa7242d26a589fdb8ef211d1f104e08e861d14f9

  • SSDEEP

    196608:zLo73STvxTfg6AiQBhyQbEAkZQdnkW9AVSGfGIJXvaI6HMaJTtGbp:zc73ATfzyyu4JfdJXx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData

Extracted

Language
ps1
Source
URLs
exe.dropper

https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://officecdn.microsoft.com/db/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://officecdn.microsoft.com/db/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Blocklisted process makes network request 10 IoCs
  • Suspicious Office macro 2 IoCs

    Office document equipped with macros.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Uses the powershell.exe command.

  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-16_a471854facb61ad4d760001845c57469_darkgate_luca-stealer_magniber.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-16_a471854facb61ad4d760001845c57469_darkgate_luca-stealer_magniber.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1756
    • C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-16_a471854facb61ad4d760001845c57469_darkgate_luca-stealer_magniber.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-16_a471854facb61ad4d760001845c57469_darkgate_luca-stealer_magniber.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:3004
      • C:\Windows\SysWOW64\reg.exe
        "reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d 1 /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2852
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -nop -command "& { (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData', 'C:\Users\Admin\AppData\Local\Temp\files\ver.txt') }"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2752
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -nop -c "$Tls12 = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072); [System.Net.ServicePointManager]::SecurityProtocol = $Tls12; (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData','C:\Users\Admin\AppData\Local\Temp\files\ver.txt')"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2960
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/db/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab', 'C:\Users\Admin\AppData\Local\Temp\files\v32.cab') }"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2168
      • C:\Windows\SysWOW64\expand.exe
        "expand" v32.cab -F:VersionDescriptor.xml C:\Users\Admin\AppData\Local\Temp\files
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:3032
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -command "& { Get-Content C:\Users\Admin\AppData\Local\Temp\files\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2528
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -nop -command "& { (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData', 'C:\Users\Admin\AppData\Local\Temp\files\ver.txt') }"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:544
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -nop -c "$Tls12 = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072); [System.Net.ServicePointManager]::SecurityProtocol = $Tls12; (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData','C:\Users\Admin\AppData\Local\Temp\files\ver.txt')"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1428
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/db/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', 'C:\Users\Admin\AppData\Local\Temp\files\v32.cab') }"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:836
      • C:\Windows\SysWOW64\expand.exe
        "expand" v32.cab -F:VersionDescriptor.xml C:\Users\Admin\AppData\Local\Temp\files
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2396
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -command "& { Get-Content C:\Users\Admin\AppData\Local\Temp\files\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1376
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2840
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2652
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1712

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe

    Filesize

    9.7MB

    MD5

    a471854facb61ad4d760001845c57469

    SHA1

    6275477c5ddfe99db225b580193b6b26e3ae7152

    SHA256

    56bdfa76e1f0629bbde6b7fa28d8efb7e77252ff190b90470078d9a3ab80a15f

    SHA512

    f0e89a7c39a6095be8e932a235ceaba5218fed9cdc1e55af9c92e6b5f6ceb02acf20a616b76eb5515c878d11fa7242d26a589fdb8ef211d1f104e08e861d14f9

  • C:\Users\Admin\AppData\Local\Temp\files\VersionDescriptor.xml

    Filesize

    25KB

    MD5

    78ac1196c60e8f7fb1f8a890522bcef2

    SHA1

    1cd2730c3814d3e21286074e39637fea7546c901

    SHA256

    ff559a00c85cfa76c738485fb7a177153732f9d37f1ea2e89d144b3db1fa039e

    SHA512

    99174c89dfaed75d1d9f4448cb88a3a70a04677cb47432daff2b465ef1dc72d65b0ba12575af0ce966efb52b262e5322d256b0227eceee74219a6f3c518743a7

  • C:\Users\Admin\AppData\Local\Temp\files\VersionDescriptor.xml

    Filesize

    12KB

    MD5

    59f66213e30b1681bc462c7dd4c365e8

    SHA1

    18c1d5ff74dee42dc2cd96d23dabf1551929d9dc

    SHA256

    cae1ea66b8eb0d8a86c93688112bb9b67e9288d7bc97138cc30dd70b91727b78

    SHA512

    1943794bf27ca1a4a8cb45b580f555d064a800245c8ffffa641bfca11d5202e21b24ba7dcf85072f2af62b8ffe9aee03bab7d33b15ef4cefbbb7c3b27847fdba

  • C:\Users\Admin\AppData\Local\Temp\files\v32.cab

    Filesize

    10KB

    MD5

    c8396c0cfb79601a14f62e40d677ef89

    SHA1

    a80a45bee058dc42635d3f72e8b34d683af122d1

    SHA256

    b7fe0edbe23f745b1864619c88d32809c5d3df8a0dcca5df6bfbb860767d81d8

    SHA512

    fab3fe1e7576c2a4485ce08226f3205b998f99cfc86654af750cc84224d6c61b7adfd377f60df2e354886bd65e46f3c687f9a399a91e463e289f33d867eab49e

  • C:\Users\Admin\AppData\Local\Temp\files\v32.cab

    Filesize

    11KB

    MD5

    e824b52386bb17a4f135f5645dadc293

    SHA1

    89c31cb22f86db32cb006dfeb697a1fb4bc7df8a

    SHA256

    b771c767f0ecb93cb9a4d89724fcb97b8af1f7cf74bac59279b3f59e4e7ebfdd

    SHA512

    c4c74fd55e30655dc99a71d870646aff26637256d4e38becbec029ea955bfe35ea1eedcfbdfcccc4c4d67adb51d3bd4a103e97ee910f63c45dbc18a393ea9522

  • C:\Users\Admin\AppData\Local\Temp\files\v32.txt

    Filesize

    12KB

    MD5

    65e4eb494857b5826055446bb92ffe04

    SHA1

    e85f53cc10313ce48334cfd9449bc67592c91d31

    SHA256

    b86889541b154b6d76413fc79af5f15860dcf8679de86489970ee8fec1779b52

    SHA512

    27f4565d3bffd59c112fb7271155629d5421a51f1d7d7ac0b32db10b57f4b62cf1aa62a2c11c4ff7fa885a3784df5eb35b51530306c3718a8a842c7f9a6a6f9e

  • C:\Users\Admin\AppData\Local\Temp\files\v32.txt

    Filesize

    25KB

    MD5

    f44dd037ead72551d525805169988584

    SHA1

    746e36ec9fcb5a9e9238e1623a1d3bae979ccbf1

    SHA256

    c6cf577e28cdb1da8c75fdb63149ac08ca528f4303e6bfd2011965e463fcd242

    SHA512

    ae583b30d5ff8453a46e6404c3826e39f2383ffccff8346d825d01dd8071dd83371962738de1b635b73a2f1e8b27c0abdd037f25dbcdddbaccb2e4a89e5d80d4

  • C:\Users\Admin\AppData\Local\Temp\gwWXxvOw.xlsm

    Filesize

    24KB

    MD5

    4bf8839deaaa9bf5f9a6014c7e7bab29

    SHA1

    67c8a06144e542a9b1ee5f9a0b2f36692fa68f42

    SHA256

    b9afdb8ce3e5f6dd428418d79865cd8f469b405ed39e1ff7c08eb6bec9fe2cf9

    SHA512

    3ea92ab8428c0fbb3b32dcec2a3411aa0139f01f138a4e5257034a64ac4e3ad91f97aa033c325c54f6ca0e6d24fe9a7d4a67c572ecab1bfb3c87a5831c39081e

  • C:\Users\Admin\AppData\Local\Temp\gwWXxvOw.xlsm

    Filesize

    32KB

    MD5

    2966f891658c79027992aab39e0f0b3e

    SHA1

    5285a4a034b2cacb098bc698b62820ac43262c66

    SHA256

    d0c1b1670c189336c81416458d85838eb0f485ba62f6cb21c9e53228a22c92e4

    SHA512

    d39574877676a5ec03bd4c997a9c16f5a183385866ab49a6a02f68cfe2f07a7a9ae348cf1531735b7c7ad3960c31a50ccf16baa9cb303998a4d4b35976153ee4

  • C:\Users\Admin\AppData\Local\Temp\gwWXxvOw.xlsm

    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    6cf12dfe112c819cad040c34ade4a1d8

    SHA1

    b27f971c3996a69a34e5fe6c6cca11c4a119f2d6

    SHA256

    0fc00bd554fac4b36da502a8deb2465ae9b025e8ed9b70ff7cccd45566311110

    SHA512

    1927ebc3be68897bf9ec9024f8e7c955f829972921a4da9cecad2788aaf946fa7064e9157bd3056ae1747b2c9c8cf197e7aa14dc0a4694a037ee08e4f000c6c3

  • C:\Windows\Logs\DPX\setupact.log

    Filesize

    6KB

    MD5

    8bb36d530a835848e083dc54c7f751a8

    SHA1

    09f88958026ac528e59e1fbffbc58f95cf0687b0

    SHA256

    25c35f71db5938599fe5cc8c1fda7d8b79e06d15238712422c658e93f20abab7

    SHA512

    139d7960be0bb712f5401bdbe91f1117fc4f171df7008a8f7aead531de342d43e73e8deb818a7dff8a18d144f173de4fa3455f4bc66fb1197f3ab0e3400f6faf

  • \Users\Admin\AppData\Local\Temp\._cache_2025-01-16_a471854facb61ad4d760001845c57469_darkgate_luca-stealer_magniber.exe

    Filesize

    9.0MB

    MD5

    bb47521d553de207b420f7a16dddf152

    SHA1

    ed2fb53becb4b161d58bd90ea42211751bc36c78

    SHA256

    167fb686a8182b4380c699306a3c533eb3c264665925ad086329a752e0b2bde1

    SHA512

    e0cda4ddccc70b9791a74b27a3c2b3453cbfa1d2a7e78fdb44c3150e90dea061b324e6b76e56a8ef6af7268516fbc97ee278e870b720a4a08887576b09b52801

  • memory/1712-95-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/1712-43-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/1756-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB

  • memory/1756-28-0x0000000000400000-0x0000000000DBE000-memory.dmp

    Filesize

    9.7MB

  • memory/2840-101-0x0000000000400000-0x0000000000DBE000-memory.dmp

    Filesize

    9.7MB

  • memory/2840-153-0x0000000000400000-0x0000000000DBE000-memory.dmp

    Filesize

    9.7MB

  • memory/2840-187-0x0000000000400000-0x0000000000DBE000-memory.dmp

    Filesize

    9.7MB