Overview

overview

10

Static

static

10

2025-02-01...er.exe

windows7-x64

10

2025-02-01...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    01-02-2025 11:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-02-01_4b87b7448d0aaf1611dd75168e05f3fb_darkgate_luca-stealer_magniber.exe

  • Size

    20.6MB

  • MD5

    4b87b7448d0aaf1611dd75168e05f3fb

  • SHA1

    48366ee5d9504ea32cca7280ca355031b2d892e1

  • SHA256

    3c3d7e16843be0a6e741a93f8b6e05ac39f5cb716c2f6a3efe6131c207bd19fe

  • SHA512

    e6e61a69fb4abf79c05a8fb6693dee51439ecfcc26965417d5614ec275c8d9d68702eccb29e053a20f3e01bd39872bd628626dcf4b1c23bbe375cc69ab2f8f2b

  • SSDEEP

    393216:EUVeyIB6YW/oLBLxss1p15V3qKBtO0iglAlbM1UsjDAvYmgNBOGQI9Bd/zsE9:/K6YTLzs05V3/EGA2GsjcAmsMG/9DAE9

Score
10/10
xredbackdoordiscoverymacropersistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Detected Nirsoft tools 6 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • Suspicious Office macro 1 IoCs

    Office document equipped with macros.

    macro
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-02-01_4b87b7448d0aaf1611dd75168e05f3fb_darkgate_luca-stealer_magniber.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-02-01_4b87b7448d0aaf1611dd75168e05f3fb_darkgate_luca-stealer_magniber.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Users\Admin\AppData\Local\Temp\._cache_2025-02-01_4b87b7448d0aaf1611dd75168e05f3fb_darkgate_luca-stealer_magniber.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_2025-02-01_4b87b7448d0aaf1611dd75168e05f3fb_darkgate_luca-stealer_magniber.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2976
      • C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSTools "C:\Users\Admin\AppData\Local\Temp\KMSTools.tmp" /Y
        3⤵
          PID:2696
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2952
        • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
          "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2756
          • C:\Windows\system32\cmd.exe
            "C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSTools "C:\Users\Admin\AppData\Local\Temp\KMSTools.tmp" /Y
            4⤵
              PID:2668
      • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
        1⤵
        • System Location Discovery: System Language Discovery
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:2288

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Synaptics\Synaptics.exe
        Filesize

        20.6MB

        MD5

        4b87b7448d0aaf1611dd75168e05f3fb

        SHA1

        48366ee5d9504ea32cca7280ca355031b2d892e1

        SHA256

        3c3d7e16843be0a6e741a93f8b6e05ac39f5cb716c2f6a3efe6131c207bd19fe

        SHA512

        e6e61a69fb4abf79c05a8fb6693dee51439ecfcc26965417d5614ec275c8d9d68702eccb29e053a20f3e01bd39872bd628626dcf4b1c23bbe375cc69ab2f8f2b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\sywr75EZ.xlsm
        Filesize

        25KB

        MD5

        fdcb5c4b363fd042938f762fd08613f7

        SHA1

        3a988d2f6a0a80275fdec5dbf5ff8ff9326b147c

        SHA256

        1395a3cfc9155d24c28fac7f3f430340734d823268b3ce478d8d52f0054f9d39

        SHA512

        518d80501a66f05f9be910d40842957fc6721f8f4c019cea0559ffc8b4dc75872279c680e8ca16c5b7576e27b24af8bf7b9bdfc81a182bfa1e71dcf2ba8225a3

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\sywr75EZ.xlsm
        Filesize

        28KB

        MD5

        d5772b30b0268acd85ac3356d520e9bd

        SHA1

        a73ccd8eaab82c43c6a9c0f1ec8b2d3506b5f9e3

        SHA256

        bc65f922696982378b21f0f1bc7376db83e59ec0dc5defcd9d6034f7ffd18b11

        SHA512

        bea56012e1f9d5ee8ae8c61b4efc19eb20cd30335c05d1f73468c939b84d52a68d3c05f1ee0bba5c8d52004a1ae13189127aae35ca286d2bb9118c833c7130d0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\sywr75EZ.xlsm
        Filesize

        28KB

        MD5

        63fc4eefac8aa8f4757c3281015787af

        SHA1

        ef4bb571ef5ad987c6af76ee943fe8cf1c270167

        SHA256

        6cb1cbd02e221371ed6fc96c20e369d4f6f7c756c0ac88830b2fcd87eb5bacb7

        SHA512

        fbf81ca8172b54f15be9a14b15fe1ab00f24155c80693d926f7060fb358d36b08b725993c54686ba816ffc060da6c8d42acde0139c80c19a78978390401c54ef

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\sywr75EZ.xlsm
        Filesize

        30KB

        MD5

        50696f3da010a30f89fb3c0b43d7e03c

        SHA1

        78de9c3a317f8ad69e2efd5f42f11803f53b6417

        SHA256

        f890eff4cb22f945d49604eca501418b4f5e36804feaa9b6db6faf6d28691c6d

        SHA512

        128f7c7cc3f72ba373396a1ccf39dc1b81d5ba641d07b2dc5517c43f387055895c3dd0a827c69b8ce7f42fb37ea63b9e85b4e681cf768c4ff2982dafc02b8566

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\sywr75EZ.xlsm
        Filesize

        27KB

        MD5

        0b30d38eaf57d64a12c3fe4e611e9fe3

        SHA1

        ec9dfd12e3eb491f402bd8e9554109b8a1ed3760

        SHA256

        edbb590fb8d80e27cf760a88bb9435142ed862b52a0b9d53492d3c43620f4494

        SHA512

        e3b4609f48c9937d7ab97c721cd3bcc8e7fd28d5c86cc827d5ee6293218c3d863860b7544e8375ccbd9aae4f4e6ae65276ceb732fa7765745897604a8a7cad1b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\sywr75EZ.xlsm
        Filesize

        17KB

        MD5

        e566fc53051035e1e6fd0ed1823de0f9

        SHA1

        00bc96c48b98676ecd67e81a6f1d7754e4156044

        SHA256

        8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

        SHA512

        a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

        Download Submit

      • C:\Users\Admin\Desktop\~$GrantSync.xlsx
        Filesize

        165B

        MD5

        ff09371174f7c701e75f357a187c06e8

        SHA1

        57f9a638fd652922d7eb23236c80055a91724503

        SHA256

        e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

        SHA512

        e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

        Download Submit

      • \Users\Admin\AppData\Local\Temp\._cache_2025-02-01_4b87b7448d0aaf1611dd75168e05f3fb_darkgate_luca-stealer_magniber.exe
        Filesize

        19.8MB

        MD5

        c8c03628fd548c4725505d7f54958dd6

        SHA1

        9d5f52ba4e2a99baefb559cdc5f078fb678b2e19

        SHA256

        cda31522b7cf502870861b98bf4ba1926a9aa1e0cf8650496a2ffb78eb1038e6

        SHA512

        392fa18a6e6a100aaf8f91d7251f71bfc3ceeea45b59a0c87575045f8b46d99d31cc7436a1cb4d00ac25a64a8eafbafcc91411e74c0411aa8e8552fff74d0d70

        Download Submit

      • memory/2280-25-0x0000000000400000-0x0000000001895000-memory.dmp

        Filesize

        20.6MB

        Download

      • memory/2280-0-0x0000000000220000-0x0000000000221000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2288-35-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2952-86-0x0000000000400000-0x0000000001895000-memory.dmp

        Filesize

        20.6MB

        Download

      • memory/2952-125-0x0000000000400000-0x0000000001895000-memory.dmp

        Filesize

        20.6MB

        Download

      • memory/2952-158-0x0000000000400000-0x0000000001895000-memory.dmp

        Filesize

        20.6MB

        Download