xred | c50928dd7e0138f769ffdc30d0be023142ab3765371ec5f046c6389801840384 | Triage

Submit
Reports

Overview

overview

Static

static

1

0bbe93a978...1d.vbs

windows7-x64

0bbe93a978...1d.vbs

windows10-2004-x64

Sharing

General

Target

0bbe93a978862e8499f795575fe9eb1d.vbs
Size

631B
Sample

250201-ta8yds1lfr
MD5

0bbe93a978862e8499f795575fe9eb1d
SHA1

995628d7e88ecf1815c7137967fe1a26fe6e2ded
SHA256

c50928dd7e0138f769ffdc30d0be023142ab3765371ec5f046c6389801840384
SHA512

2b05ad6c70b8f72d917eb239ac3efd3c366663218110000714b1dc499e75dec40529c4480d1d58f9854bd6210a09d1024996ed0df13570db8e05a0cb87d6ad47

Score

10^/10

xred backdoor discovery macro persistence upx

Static task

static1

Behavioral task

behavioral1

Sample

0bbe93a978862e8499f795575fe9eb1d.vbs

Resource

win7-20240903-en

xred backdoor discovery macro persistence upx

windows7-x64

21 signatures

150 seconds

Behavioral task

behavioral2

Sample

0bbe93a978862e8499f795575fe9eb1d.vbs

Resource

win10v2004-20250129-en

xred backdoor discovery persistence upx

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Targets

- Target
  
  0bbe93a978862e8499f795575fe9eb1d.vbs
- Size
  
  631B
- MD5
  
  0bbe93a978862e8499f795575fe9eb1d
- SHA1
  
  995628d7e88ecf1815c7137967fe1a26fe6e2ded
- SHA256
  
  c50928dd7e0138f769ffdc30d0be023142ab3765371ec5f046c6389801840384
- SHA512
  
  2b05ad6c70b8f72d917eb239ac3efd3c366663218110000714b1dc499e75dec40529c4480d1d58f9854bd6210a09d1024996ed0df13570db8e05a0cb87d6ad47
Score

10^/10

xred backdoor discovery macro persistence upx
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Blocklisted process makes network request
- Downloads MZ/PE file
- Suspicious Office macro
  Office document equipped with macros.
  macro
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xredbackdoordiscoverymacropersistenceupx

behavioral2

xredbackdoordiscoverypersistenceupx

© 2018-2025

Terms | Privacy