xred | cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68 | Triage

Sharing

General

Target

cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68.exe
Size

1011KB
Sample

250119-rq4x9ssjfn
MD5

e610228c78a89fb511090c70ddabf0a5
SHA1

bd3de44307ce176dc2d4b219861592dabcfd60c7
SHA256

cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68
SHA512

c3c74877dc9d5cc3a9b1c139befec46c11205c57a8e743f125e55075fca0d47fa90e307f4ad8caeb08b86d92d94c4196c92cfeb4433bc2deb8b6e1f8cb5a726b
SSDEEP

12288:WMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9u40KgGXFhazmdVgxn2:WnsJ39LyjbJkQFMhmC+6GD9B072aCVi2

Score

10^/10

xred backdoor bootkit discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Targets

- Target
  
  cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68.exe
- Size
  
  1011KB
- MD5
  
  e610228c78a89fb511090c70ddabf0a5
- SHA1
  
  bd3de44307ce176dc2d4b219861592dabcfd60c7
- SHA256
  
  cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68
- SHA512
  
  c3c74877dc9d5cc3a9b1c139befec46c11205c57a8e743f125e55075fca0d47fa90e307f4ad8caeb08b86d92d94c4196c92cfeb4433bc2deb8b6e1f8cb5a726b
- SSDEEP
  
  12288:WMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9u40KgGXFhazmdVgxn2:WnsJ39LyjbJkQFMhmC+6GD9B072aCVi2
Score

10^/10

xred backdoor bootkit discovery persistence
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Pre-OS Boot

Bootkit

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Pre-OS Boot

Bootkit

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Query Registry

Software Discovery

Security Software Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xredbackdoorbootkitdiscoverypersistence

behavioral2

xredbackdoorbootkitdiscoverypersistence