xred

General

Target

g.exe
Size

106KB
Sample

250207-sa3wpsvpf1
MD5

f52a1ae522be2d339ac6a8272780ad38
SHA1

cf6d8643f690eafe02c1e29861ab687cf8270ca9
SHA256

68178b1f58efb2930e9153ec8697f09bc35bc479314adb0db8f199e0016fe749
SHA512

44e3d79dc7f128c7548a255674827b948f78889d1d063e90b0e9a8fc4cc4463aec50176c577888d1c5034f80a02e7440110c72d2fb47dbd0368a932f5caa0168
SSDEEP

1536:xxuiX2rv5jlwpxJbjrHbgvSAtdHxYSF739z98sW/do9dlzpvSvQfJZ:z4elzHbcxtxxYqr9pI4jvSvQfr

Score

10^/10

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Targets

- Target
  
  g.exe
- Size
  
  106KB
- MD5
  
  f52a1ae522be2d339ac6a8272780ad38
- SHA1
  
  cf6d8643f690eafe02c1e29861ab687cf8270ca9
- SHA256
  
  68178b1f58efb2930e9153ec8697f09bc35bc479314adb0db8f199e0016fe749
- SHA512
  
  44e3d79dc7f128c7548a255674827b948f78889d1d063e90b0e9a8fc4cc4463aec50176c577888d1c5034f80a02e7440110c72d2fb47dbd0368a932f5caa0168
- SSDEEP
  
  1536:xxuiX2rv5jlwpxJbjrHbgvSAtdHxYSF739z98sW/do9dlzpvSvQfJZ:z4elzHbcxtxxYqr9pI4jvSvQfr
Score

10^/10

xred backdoor bootkit defense_evasion discovery evasion execution exploit impact persistence privilege_escalation pyinstaller ransomware spyware stealer trojan
- Modifies Windows Defender DisableAntiSpyware settings
  evasion trojan
- Modifies Windows Defender Real-time Protection settings
  defense_evasion trojan
- UAC bypass
  defense_evasion trojan
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Disables RegEdit via registry modification
  defense_evasion
- Disables Task Manager via registry modification
  defense_evasion
- Disables cmd.exe use via registry modification
  defense_evasion
- Drops file in Drivers directory
- Possible privilege escalation attempt
  exploit
- Drops startup file
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
  defense_evasion
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
behavioral1