General
- Target: 565df4bb4f0a2488f515a0ebf1de9fbd0af2b69c54ef1f0a4e066a2632a6bb13
- Size: 3.7MB
- Sample: 250217-3k9r4svkg1
- MD5: d1cba134b4521df7c56d7fee4189d503
- SHA1: 9a64d0a88884629e85a37429b836c98d424f35ea
- SHA256: 565df4bb4f0a2488f515a0ebf1de9fbd0af2b69c54ef1f0a4e066a2632a6bb13
- SHA512: a698e48fc5b3bcf34cca0c25dbe352b16bf196d3bfcddc2626e95ed7d2c2703fed070c893b65f73cb41078b243004aad5a55e75e8d169400a1bf7e0d30bc15f4
- SSDEEP: 98304:Knsmtk2ar0SK+48FFNFF3CF7DFFFEw3nNY2Drs0Vq5Vse9LngNkteBb:ELfS2/sh5V1nWkteBb
Behavioral tasks
- behavioral1
  Sample: 565df4bb4f0a2488f515a0ebf1de9fbd0af2b69c54ef1f0a4e066a2632a6bb13.exe
  Resource: win7-20241010-en
- behavioral2
  Sample: 565df4bb4f0a2488f515a0ebf1de9fbd0af2b69c54ef1f0a4e066a2632a6bb13.exe
  Resource: win10v2004-20250217-en
Malware Config
Extracted
- Family: xred
- C2: xred.mooo.com
- payload_url:
  http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
  https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
  https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
  http://xred.site50.net/syn/SUpdate.ini
  https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
  https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
  http://xred.site50.net/syn/Synaptics.rar
  https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
  https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
  http://xred.site50.net/syn/SSLLibrary.dll
Targets
- Target: 565df4bb4f0a2488f515a0ebf1de9fbd0af2b69c54ef1f0a4e066a2632a6bb13 (3.7MB; hashes as listed under General)
- Score: 10/10
- Signatures:
  - Xred family
  - Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application