Overview

overview

10

Static

static

10

2025-02-01...er.exe

windows7-x64

10

2025-02-01...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-02-2025 11:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-02-01_4b87b7448d0aaf1611dd75168e05f3fb_darkgate_luca-stealer_magniber.exe

  • Size

    20.6MB

  • MD5

    4b87b7448d0aaf1611dd75168e05f3fb

  • SHA1

    48366ee5d9504ea32cca7280ca355031b2d892e1

  • SHA256

    3c3d7e16843be0a6e741a93f8b6e05ac39f5cb716c2f6a3efe6131c207bd19fe

  • SHA512

    e6e61a69fb4abf79c05a8fb6693dee51439ecfcc26965417d5614ec275c8d9d68702eccb29e053a20f3e01bd39872bd628626dcf4b1c23bbe375cc69ab2f8f2b

  • SSDEEP

    393216:EUVeyIB6YW/oLBLxss1p15V3qKBtO0iglAlbM1UsjDAvYmgNBOGQI9Bd/zsE9:/K6YTLzs05V3/EGA2GsjcAmsMG/9DAE9

Score
10/10
xredbackdoordiscoverypersistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Detected Nirsoft tools 5 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-02-01_4b87b7448d0aaf1611dd75168e05f3fb_darkgate_luca-stealer_magniber.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-02-01_4b87b7448d0aaf1611dd75168e05f3fb_darkgate_luca-stealer_magniber.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4056
    • C:\Users\Admin\AppData\Local\Temp\._cache_2025-02-01_4b87b7448d0aaf1611dd75168e05f3fb_darkgate_luca-stealer_magniber.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_2025-02-01_4b87b7448d0aaf1611dd75168e05f3fb_darkgate_luca-stealer_magniber.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4108
      • C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSTools "C:\Users\Admin\AppData\Local\Temp\KMSTools.tmp" /Y
        3⤵
          PID:3960
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:4248
        • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
          "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:4480
          • C:\Windows\system32\cmd.exe
            "C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSTools "C:\Users\Admin\AppData\Local\Temp\KMSTools.tmp" /Y
            4⤵
              PID:4720
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x49c 0x2d8
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:856
      • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
        1⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:1304

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Synaptics\Synaptics.exe
        Filesize

        20.6MB

        MD5

        4b87b7448d0aaf1611dd75168e05f3fb

        SHA1

        48366ee5d9504ea32cca7280ca355031b2d892e1

        SHA256

        3c3d7e16843be0a6e741a93f8b6e05ac39f5cb716c2f6a3efe6131c207bd19fe

        SHA512

        e6e61a69fb4abf79c05a8fb6693dee51439ecfcc26965417d5614ec275c8d9d68702eccb29e053a20f3e01bd39872bd628626dcf4b1c23bbe375cc69ab2f8f2b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\._cache_2025-02-01_4b87b7448d0aaf1611dd75168e05f3fb_darkgate_luca-stealer_magniber.exe
        Filesize

        19.8MB

        MD5

        c8c03628fd548c4725505d7f54958dd6

        SHA1

        9d5f52ba4e2a99baefb559cdc5f078fb678b2e19

        SHA256

        cda31522b7cf502870861b98bf4ba1926a9aa1e0cf8650496a2ffb78eb1038e6

        SHA512

        392fa18a6e6a100aaf8f91d7251f71bfc3ceeea45b59a0c87575045f8b46d99d31cc7436a1cb4d00ac25a64a8eafbafcc91411e74c0411aa8e8552fff74d0d70

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\AFA75E00
        Filesize

        21KB

        MD5

        107a84b555e2e035468b0548e0591bb0

        SHA1

        f84f70f7ebcc738e78ca498edc383e7e75c78e07

        SHA256

        d69e22e25d6c93d8136a45fee103850d1e1a9ed53072634c6a54d6ac79460db2

        SHA512

        7461a9795fd88f8c5322696a3e058679e04490d1490c2520f81228d9219cb941ed0dec4467e0be75b9ed03271b6823259eaaedbfec3b93dd8b080e1ffedc0671

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nP6QsetK.xlsm
        Filesize

        17KB

        MD5

        e566fc53051035e1e6fd0ed1823de0f9

        SHA1

        00bc96c48b98676ecd67e81a6f1d7754e4156044

        SHA256

        8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

        SHA512

        a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

        Download Submit

      • memory/1304-192-0x00007FFF065F0000-0x00007FFF06600000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1304-189-0x00007FFF08EF0000-0x00007FFF08F00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1304-188-0x00007FFF08EF0000-0x00007FFF08F00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1304-191-0x00007FFF08EF0000-0x00007FFF08F00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1304-187-0x00007FFF08EF0000-0x00007FFF08F00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1304-193-0x00007FFF065F0000-0x00007FFF06600000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1304-190-0x00007FFF08EF0000-0x00007FFF08F00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4056-0-0x0000000003620000-0x0000000003621000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4056-127-0x0000000000400000-0x0000000001895000-memory.dmp

        Filesize

        20.6MB

        Download

      • memory/4248-240-0x0000000000400000-0x0000000001895000-memory.dmp

        Filesize

        20.6MB

        Download

      • memory/4248-266-0x0000000000400000-0x0000000001895000-memory.dmp

        Filesize

        20.6MB

        Download