Analysis
-
max time kernel
143s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
28-01-2025 13:29
General
-
Target
2025-01-28_db88155e4bce794188a61369780ba162_darkgate_luca-stealer_magniber.exe
-
Size
20.6MB
-
MD5
db88155e4bce794188a61369780ba162
-
SHA1
577efdb04544d7d6a32e212e5d0e3b1529c95577
-
SHA256
b26d57328c89c925b195cafa44279f2648a051ba7309b0ed098ed0d335e2b296
-
SHA512
734cfb73563308f214d3bc42f64f9dff78c35e183f47d11e4a210e438327c1b5cb563df831400aeb72dd329c0bc9bd45763a048a622482ab7b104274790f6393
-
SSDEEP
393216:EUVeyIB6YW/oLBLxss1p15V3qKBtO0iglAlbM1UsjDAvYmgNBOGQI9Bd/zsEv:/K6YTLzs05V3/EGA2GsjcAmsMG/9DAEv
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
Xred
Xred is backdoor written in Delphi.
-
Xred family
-
Detected Nirsoft tools 7 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 6 IoCs
-
Suspicious use of SendNotifyMessage 4 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-01-28_db88155e4bce794188a61369780ba162_darkgate_luca-stealer_magniber.exe"C:\Users\Admin\AppData\Local\Temp\2025-01-28_db88155e4bce794188a61369780ba162_darkgate_luca-stealer_magniber.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-28_db88155e4bce794188a61369780ba162_darkgate_luca-stealer_magniber.exe"C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-28_db88155e4bce794188a61369780ba162_darkgate_luca-stealer_magniber.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSTools "C:\Users\Admin\AppData\Local\Temp\KMSTools.tmp" /Y3⤵
-
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSTools "C:\Users\Admin\AppData\Local\Temp\KMSTools.tmp" /Y4⤵
-
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x528 0x4241⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
20.6MB
MD5db88155e4bce794188a61369780ba162
SHA1577efdb04544d7d6a32e212e5d0e3b1529c95577
SHA256b26d57328c89c925b195cafa44279f2648a051ba7309b0ed098ed0d335e2b296
SHA512734cfb73563308f214d3bc42f64f9dff78c35e183f47d11e4a210e438327c1b5cb563df831400aeb72dd329c0bc9bd45763a048a622482ab7b104274790f6393
-
Filesize
19.8MB
MD5c8c03628fd548c4725505d7f54958dd6
SHA19d5f52ba4e2a99baefb559cdc5f078fb678b2e19
SHA256cda31522b7cf502870861b98bf4ba1926a9aa1e0cf8650496a2ffb78eb1038e6
SHA512392fa18a6e6a100aaf8f91d7251f71bfc3ceeea45b59a0c87575045f8b46d99d31cc7436a1cb4d00ac25a64a8eafbafcc91411e74c0411aa8e8552fff74d0d70
-
Filesize
25KB
MD5dec279aa1a369636f4f958802716f1fd
SHA124f3a3eb8c6b39b64b26a8f5951632991e45fd37
SHA2566d1ca0c411c64682906679524bd823e12afd50689da13f84607bc338ff51f370
SHA512463bb1210cacefbaaca7473662a236f168a18ed0b0c7e1e3644879fe12b5a5868d165f86e73d63a2ac9eae4abfb17d812824179d26c6ab57f190741e8b1274ee
-
Filesize
17KB
MD5e566fc53051035e1e6fd0ed1823de0f9
SHA100bc96c48b98676ecd67e81a6f1d7754e4156044
SHA2568e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
Filesize
20.6MB
-
Filesize
4KB
-
Filesize
20.6MB
-
Filesize
20.6MB
-
Filesize
20.6MB
-
Filesize
20.6MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB