Extracted

• • Target

    0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe

  • Size

    10.9MB

  • MD5

    f7e1cfc6c7f7ff4dd762af36588cda54

  • SHA1

    583e0bfed1a770d4d60fcdb3ed9abe701b7f0f49

  • SHA256

    0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe

  • SHA512

    77f775a2a001a2cbf2146d1c0200f158a7217cf96bc796678b3d1879f0705115239c72c5530cbf930aed57eed18080c7d7dfb784e3d17799f9578cd911530820

  • SSDEEP

    196608:y0I9SsDPwSQZmqFcfpckEi3+9Yq2AyqRZ6VkdLko5pxK13gmli:y0I9HDPwjZ3FAbEdm1qRdlWBgmli

  Score

  10^/10

  xredbackdoordiscoverypersistenceupxvmprotectadwareprivilege_escalationstealer

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred

  • Xred family

    xred

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Event Triggered Execution: Component Object Model Hijacking

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation

  • Executes dropped EXE

  • Loads dropped DLL

  • VMProtect packed file

    Detects executables packed with VMProtect commercial packer.

    vmprotect

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Installs/modifies Browser Helper Object

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware

  • Drops file in System32 directory

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2