Overview

overview

10

Static

static

10

Loader.exe

windows7-x64

10

Loader.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-02-2025 11:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Loader.exe

  • Size

    773KB

  • MD5

    61fc70e411c67a361a29a477b45d0699

  • SHA1

    1e70bb1eacbbfaf4c1efa45b639e1f1f9b1a56ff

  • SHA256

    fcfaedcd7aec7af6a21ae11d5deffb5392c4e8af1de18f14e0c69a6ffd965eaa

  • SHA512

    be301e0375fcf78c5513abb6be5a5ea16c93fbe7450bcd5dc4e2912a3124603f05b21566a3f4e445cca830e78ec95ade66e46731dd43664a05e1c23e11fa9004

  • SSDEEP

    12288:2MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V93Aj:2nsJ39LyjbJkQFMhmC+6GD9A

Score
10/10
xredbackdoordiscoverypersistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1488
    • C:\Users\Admin\AppData\Local\Temp\._cache_Loader.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Loader.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4220
      • C:\Users\Admin\AppData\Local\Temp\Microsoft\Illyrian Loader.exe
        "C:\Users\Admin\AppData\Local\Temp\Microsoft\Illyrian Loader.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: AddClipboardFormatListener
        PID:3404
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4912
        • C:\Users\Admin\AppData\Local\Temp\Microsoft\Illyrian Loader.exe
          "C:\Users\Admin\AppData\Local\Temp\Microsoft\Illyrian Loader.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          PID:3556
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4872

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize

    773KB

    MD5

    61fc70e411c67a361a29a477b45d0699

    SHA1

    1e70bb1eacbbfaf4c1efa45b639e1f1f9b1a56ff

    SHA256

    fcfaedcd7aec7af6a21ae11d5deffb5392c4e8af1de18f14e0c69a6ffd965eaa

    SHA512

    be301e0375fcf78c5513abb6be5a5ea16c93fbe7450bcd5dc4e2912a3124603f05b21566a3f4e445cca830e78ec95ade66e46731dd43664a05e1c23e11fa9004

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\._cache_Loader.exe
    Filesize

    20KB

    MD5

    69fc4445680ba8d528b9375a51b64a5f

    SHA1

    6bb0d2700109720c39857cba23ae4dbf042a991a

    SHA256

    260738a960c38e729df6c08d45b6f396c37f0b2887d0fb541dbf58e3f0b2dceb

    SHA512

    4225558650fd346b510449a5b9d07103037dce292ebdea296959f6e8437c9124e6aad446c309da201789f422822bf7b58c66aec3d2a6be77d4f837cc14a97408

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3CB75E00
    Filesize

    22KB

    MD5

    131cdc50a5bf6ffd15f4ce2915afe689

    SHA1

    4cf4d9ed8819390999fd93d6d304575580b1ed71

    SHA256

    e95e71d70cae0334bb8c6f07fc89b7f26ced6a570cfad6582bd18c840b25f2aa

    SHA512

    f7cc018c094736b25d420d2ab9cd9d73c7bbf6fb24e6def82f8f809ad5d20137de7bda5f91fdb3490f496a25ab98197efb80229f43c06865c434199ab3a391ba

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Yg1znwEW.xlsm
    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    Download Submit

  • memory/1488-132-0x0000000000400000-0x00000000004C7000-memory.dmp

    Filesize

    796KB

    Download

  • memory/1488-0-0x0000000002250000-0x0000000002251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3052-294-0x0000000000400000-0x00000000004C7000-memory.dmp

    Filesize

    796KB

    Download

  • memory/3052-289-0x0000000000400000-0x00000000004C7000-memory.dmp

    Filesize

    796KB

    Download

  • memory/3052-266-0x0000000000400000-0x00000000004C7000-memory.dmp

    Filesize

    796KB

    Download

  • memory/3052-265-0x0000000000400000-0x00000000004C7000-memory.dmp

    Filesize

    796KB

    Download

  • memory/4220-71-0x0000000000F00000-0x0000000000F0C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4220-137-0x00007FF9AFF60000-0x00007FF9B0A21000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4220-207-0x00007FF9AFF60000-0x00007FF9B0A21000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4220-70-0x00007FF9AFF63000-0x00007FF9AFF65000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4872-212-0x00007FF98E370000-0x00007FF98E380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4872-217-0x00007FF98BCB0000-0x00007FF98BCC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4872-216-0x00007FF98BCB0000-0x00007FF98BCC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4872-215-0x00007FF98E370000-0x00007FF98E380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4872-214-0x00007FF98E370000-0x00007FF98E380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4872-213-0x00007FF98E370000-0x00007FF98E380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4872-211-0x00007FF98E370000-0x00007FF98E380000-memory.dmp

    Filesize

    64KB

    Download