General
-
Target
2025-02-03_a9c2d5309c9857b744a916ccfebdf934_avoslocker_hijackloader_luca-stealer
-
Size
3.6MB
-
Sample
250203-1ep5eawkhr
-
MD5
a9c2d5309c9857b744a916ccfebdf934
-
SHA1
1ee77cb17ce8e3ca56ca97a8b0fc744375a0750d
-
SHA256
b9e28fad46c8b07ca6c9e244e9979f2ce1a734869e4279fa84cad2a8654546bd
-
SHA512
dda48337ec029bc37eb42dc0861ac9786fa3c959d639f9b2671a138c9e3217bdd5f7237dec637418e8eb76a9c6db3176f982621afd0da60fee91f7961d3a1e23
-
SSDEEP
98304:eZNVWg4AxEfkzA8OU/jIEeQfoR/IuOFVjUu5:8Nsg4AMgA8FIF0wu
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Targets
-
-
Target
2025-02-03_a9c2d5309c9857b744a916ccfebdf934_avoslocker_hijackloader_luca-stealer
-
Size
3.6MB
-
MD5
a9c2d5309c9857b744a916ccfebdf934
-
SHA1
1ee77cb17ce8e3ca56ca97a8b0fc744375a0750d
-
SHA256
b9e28fad46c8b07ca6c9e244e9979f2ce1a734869e4279fa84cad2a8654546bd
-
SHA512
dda48337ec029bc37eb42dc0861ac9786fa3c959d639f9b2671a138c9e3217bdd5f7237dec637418e8eb76a9c6db3176f982621afd0da60fee91f7961d3a1e23
-
SSDEEP
98304:eZNVWg4AxEfkzA8OU/jIEeQfoR/IuOFVjUu5:8Nsg4AMgA8FIF0wu
Score10/10-
Xred
Xred is backdoor written in Delphi.
-
Xred family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2