xred | 026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd | Triage

Sharing

General

Target

026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd
Size

1.0MB
Sample

250125-xwllrswrey
MD5

bed8e067a2554b876daa76c61af143bd
SHA1

eb17ee360e17beee03c10b09f774a478bafb49fa
SHA256

026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd
SHA512

cd8b16aee1d375f6ebc1c8c1f77830ec6e7b8d2fae168da6938b64791a81750c533a4ca5138c05a42a47144e7f2141a2adbd37276bb5fe6b8b567ef21830fc98
SSDEEP

24576:6nsJ39LyjbJkQFMhmC+6GD9GFOasRUjXfYr:6nsHyjtk2MYC5GDMaqXAr

Score

10^/10

xred backdoor defense_evasion discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Targets

- Target
  
  026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd
- Size
  
  1.0MB
- MD5
  
  bed8e067a2554b876daa76c61af143bd
- SHA1
  
  eb17ee360e17beee03c10b09f774a478bafb49fa
- SHA256
  
  026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd
- SHA512
  
  cd8b16aee1d375f6ebc1c8c1f77830ec6e7b8d2fae168da6938b64791a81750c533a4ca5138c05a42a47144e7f2141a2adbd37276bb5fe6b8b567ef21830fc98
- SSDEEP
  
  24576:6nsJ39LyjbJkQFMhmC+6GD9GFOasRUjXfYr:6nsHyjtk2MYC5GDMaqXAr
Score

10^/10

xred backdoor defense_evasion discovery persistence
- Modifies visiblity of hidden/system files in Explorer
  defense_evasion
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xredbackdoordefense_evasiondiscoverypersistence

behavioral2

xredbackdoordefense_evasiondiscoverypersistence