Extracted

• • Target

    cleaner.exe

  • Size

    4.8MB

  • MD5

    9f7814f6afd7096bf99503d1d3041fb2

  • SHA1

    69fa12afa162ce8ae6b3fdb3a3c9c7dc4904c518

  • SHA256

    77e1da6faed8b6c0eb9a1a0941050efbfc2e13eb30d3d9f1524644d2747f3b5b

  • SHA512

    1e51811f4e5d671050e036f3cd007c24103a78a77df82130e1cbf2462ab16b0fcf24e00cecd7f009efa1b8f0d97460d8ddc7d92bfb0782826cc54282498e2db4

  • SSDEEP

    98304:Wnsmtk2a8Lke9J+7dvr1tV/akJOTaHFNxIyA2NIaJlabbWeaO:ILvLkP7JptV/BWryXNIan+bWeaO

  Score

  10^/10

  xredbackdoordiscoverypersistencedefense_evasionthemidatrojan

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred

  • Xred family

    xred

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Themida packer

    Detects Themida, an advanced Windows software protection system.

    themida

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    defense_evasiontrojan

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2