Extracted

• • Target

    2025-02-07_1c2c0733a8c291197f53f966e00ed105_avoslocker_hijackloader_luca-stealer

  • Size

    6.4MB

  • MD5

    1c2c0733a8c291197f53f966e00ed105

  • SHA1

    a531510fade885c05b46c0f15318342b37a971f5

  • SHA256

    c5d2e5e777e44354a9fd79551e042c4f0a08128e0ac85cee606d83065614b3ee

  • SHA512

    81d6f7a869b26e80a4704fe7d4775b3fd722bec938e8d07a686edad429d0e099db31fafce965996daae6973613c6c49761a7d2f305a37224840b1295df87f577

  • SSDEEP

    196608:4Nsg4AMgA2Nsg4AMgAANsg4AMgA8FIF0wu:4Gg4aBGg4anGg4aD

  Score

  10^/10

  discoveryexecutionxredbackdoorcollectionpersistencespywarestealer

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred

  • Xred family

    xred

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2