xred | a267fb3c7bf28403c6ba48ef5d69cd4ffb80a16ff5cfb4884dbae4fa25ef9517 | Triage

Sharing

General

Target

SpyNoteX_U.rar
Size

198.2MB
Sample

250219-dq5ynsxn13
MD5

a9199153c0aa419f2623285fe10c79c1
SHA1

4f938082eda7c09c6ce21f0ea192c346fbca4616
SHA256

a267fb3c7bf28403c6ba48ef5d69cd4ffb80a16ff5cfb4884dbae4fa25ef9517
SHA512

6f6060fd226a72c018bfcb827a574b9ec7a21cc6ac161337f62fb4ca3a315b866c436ebde1aa4a63d691f6229a2d1187396bcb3e6c7006df97d7a36f87a14191
SSDEEP

6291456:bRJU7Yb4ixaLrYIsoLC2K3vLlNubgiVXdk1DAMOqQ:bHU7Yb4TMMoXuMvBXOl

Score

10^/10

xred backdoor defense_evasion discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Targets

- Target
  
  SpyNoteX_U.rar
- Size
  
  198.2MB
- MD5
  
  a9199153c0aa419f2623285fe10c79c1
- SHA1
  
  4f938082eda7c09c6ce21f0ea192c346fbca4616
- SHA256
  
  a267fb3c7bf28403c6ba48ef5d69cd4ffb80a16ff5cfb4884dbae4fa25ef9517
- SHA512
  
  6f6060fd226a72c018bfcb827a574b9ec7a21cc6ac161337f62fb4ca3a315b866c436ebde1aa4a63d691f6229a2d1187396bcb3e6c7006df97d7a36f87a14191
- SSDEEP
  
  6291456:bRJU7Yb4ixaLrYIsoLC2K3vLlNubgiVXdk1DAMOqQ:bHU7Yb4TMMoXuMvBXOl
Score

10^/10

xred backdoor defense_evasion discovery persistence
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Looks for VirtualBox Guest Additions in registry
  defense_evasion
- Looks for VMWare Tools registry key
  defense_evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xredbackdoordefense_evasiondiscoverypersistence

behavioral2