Overview

overview

10

Static

static

3

2025-02-20...er.exe

windows7-x64

10

2025-02-20...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20-02-2025 20:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-02-20_48245c77b542f34da1e454a462ada162_avoslocker_hijackloader_luca-stealer.exe

  • Size

    6.4MB

  • MD5

    48245c77b542f34da1e454a462ada162

  • SHA1

    ab18508160b133b49d0f47dcc1aa795b54823709

  • SHA256

    6e80d8e4275dddd3ea245b33aa1cc9f3c4cf6d22398e70a8bdac9c73dfcdd838

  • SHA512

    8b303fc594160a824482433046951d06ce909e1851f019672f50c5706b1d08491420f7bbf77884686faffbf0cc908966f7863233f73fdf015be0691bf732b41f

  • SSDEEP

    196608:4Nsg4AMgA2Nsg4AMgAANsg4AMgA8FIF0wu3:4Gg4aBGg4anGg4aD3

Score
10/10
xredbackdoorcollectiondiscoveryexecutionpersistencespywarestealer

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-02-20_48245c77b542f34da1e454a462ada162_avoslocker_hijackloader_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-02-20_48245c77b542f34da1e454a462ada162_avoslocker_hijackloader_luca-stealer.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1868
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2025-02-20_48245c77b542f34da1e454a462ada162_avoslocker_hijackloader_luca-stealer.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2816
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sXLAWJKdeDZVj.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2912
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sXLAWJKdeDZVj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5F21.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2388
    • C:\Users\Admin\AppData\Local\Temp\2025-02-20_48245c77b542f34da1e454a462ada162_avoslocker_hijackloader_luca-stealer.exe
      "C:\Users\Admin\AppData\Local\Temp\2025-02-20_48245c77b542f34da1e454a462ada162_avoslocker_hijackloader_luca-stealer.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2568
      • C:\Users\Admin\AppData\Local\Temp\._cache_2025-02-20_48245c77b542f34da1e454a462ada162_avoslocker_hijackloader_luca-stealer.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_2025-02-20_48245c77b542f34da1e454a462ada162_avoslocker_hijackloader_luca-stealer.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:536
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1744
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Synaptics\Synaptics.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:988
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sXLAWJKdeDZVj.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1300
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sXLAWJKdeDZVj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDA0A.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2404
        • C:\ProgramData\Synaptics\Synaptics.exe
          "C:\ProgramData\Synaptics\Synaptics.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1972
          • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
            "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
            5⤵
            • Executes dropped EXE
            • Accesses Microsoft Outlook profiles
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • outlook_office_path
            • outlook_win_path
            PID:1900
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize

    6.4MB

    MD5

    48245c77b542f34da1e454a462ada162

    SHA1

    ab18508160b133b49d0f47dcc1aa795b54823709

    SHA256

    6e80d8e4275dddd3ea245b33aa1cc9f3c4cf6d22398e70a8bdac9c73dfcdd838

    SHA512

    8b303fc594160a824482433046951d06ce909e1851f019672f50c5706b1d08491420f7bbf77884686faffbf0cc908966f7863233f73fdf015be0691bf732b41f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\._cache_2025-02-20_48245c77b542f34da1e454a462ada162_avoslocker_hijackloader_luca-stealer.exe
    Filesize

    91KB

    MD5

    b45e3c4c10da3da0c69e2f90dc3dfb10

    SHA1

    61a36473ced38978793a9af1aea1fc528eebe457

    SHA256

    b6fe518ed8ca7ee32f79bb5dd52ab8250cc595d1aa8daec123cef383c6b0bdb6

    SHA512

    44d0c2e0904702dd22c92004415ef3c821bf63de0fb0cc6d7cca41eab36f32531530dd5fdb48017fc5405c7554ae6387514ef3f4e74eea4b36a14d587742e15b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3ieDGIOe.xlsm
    Filesize

    26KB

    MD5

    ff1f761f6d7b6492753f8ac3d84f579b

    SHA1

    cf7942bbc58ae3d1527df91118b5a0244b99c157

    SHA256

    e5f2924ff6e9d6d66de71701a6c2cd539650d85ad1f929bf630b8cf70413bec3

    SHA512

    00ff3550235fb4fa5853ce8e9581de162e962d24b16809c0b7dff20b49e5e951505a4cf3d2e903758e67faebac0caa228542fe0cfa97ea04eb4c9b91d90a6697

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3ieDGIOe.xlsm
    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3ieDGIOe.xlsm
    Filesize

    29KB

    MD5

    a38d2678781d72da770f5268aa6ed3c0

    SHA1

    ae7691a327a0dcfe24b7f37580235167c6b91077

    SHA256

    9d10fa5619b01457ea80bb960609dad282eca079a7fcce7b76d3a0ffd04c92e9

    SHA512

    fe7b49abf6ad914018750e79310f8cf94d741eb246d0bc00528069b63ef1d8b4e75bb2e83a074bdf2e7dd5cff790ea35c29ef818ad0dde54b26b090980fadcf8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3ieDGIOe.xlsm
    Filesize

    29KB

    MD5

    6301541e6f776b9a4e17928967861316

    SHA1

    f0c740ea7e24b8ad2884c9ac5342cbbad814b559

    SHA256

    f57d23f10e10f60c0ac1ae83f8284430ec8e2b58a21a5217902dcb72d7c2bcba

    SHA512

    6e84f454695ad8402c0e7a3189d25f85ae0bf2b4e6448f2459386533c0bc0e1063f548462416777c8d6dfa096644070142a31ff6950d4ed011a1998f365521ff

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3ieDGIOe.xlsm
    Filesize

    30KB

    MD5

    6db9e78b68389613d33199544743a640

    SHA1

    6c9e1af4cfdd49a8b44f47bb65c06fa7d48e71fc

    SHA256

    ada80cc1fb09082f52e27e6c813bec10eae73b268188e67084020590cd8873de

    SHA512

    09d70666b18134d5d9c7366e728045e2680840b5d880e92da97e0bbebb75a1d2620d9de7a3d7124708a1df4e5554d322cfb78c4502ac6e2093b4152501168296

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp5F21.tmp
    Filesize

    1KB

    MD5

    1a6f091575e68f2f425396e53a9effc9

    SHA1

    24b391e2e075a4ab0e587ecc098d9750486a220a

    SHA256

    0366be5662d005ef118b923e5eebdadc839beeb6e3af6b6c78e856963015eb7d

    SHA512

    a876c85a51459376f3d68f55741ed4d503760d9949aa7eada0ff5e12f4a688b378f01c1e2f3d252e58fb0a638c3206e788c18e6431bcf13e976da557cb3e81df

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\~$3ieDGIOe.xlsm
    Filesize

    165B

    MD5

    ff09371174f7c701e75f357a187c06e8

    SHA1

    57f9a638fd652922d7eb23236c80055a91724503

    SHA256

    e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

    SHA512

    e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LJYELQ4PJHZAQHM3CD0G.temp
    Filesize

    7KB

    MD5

    beb92e1ed42afec01b1f9ddc5dd809ad

    SHA1

    56b5c58c3d5a0294744e6f567314a41f67f00b97

    SHA256

    514aff6c379cdbe33b20df6e56e67d1e286c41e5e70763f1d557ba5ee71bfc08

    SHA512

    9d4aa72a56c158abff1dd7619672a240b515595ff559c0a79cd1f3f6c42724771cdc2848d7bcf41b8935b683240761d6c1666ee7e34a3a9643268199789a756b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    49fe6c6d0d8af17a1a0f54d8834ee864

    SHA1

    aac50a0759cb2896b012f992ac4b48d7ff48068c

    SHA256

    4e6819a4e004f947e4e42eb57b7b8aefd3436fe94de5a6398f08b3dfa8bf9129

    SHA512

    6651fb23698b43d063c7ba78019ccb3f07d9dd42bf464214eb3d067c6e423a1dd84d6505d94f891c2c379d517bd3f9ba2366eabf06d03fa754afefe6b29462fd

    Download Submit

  • memory/536-55-0x00000000013C0000-0x00000000013DE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1744-62-0x0000000000AE0000-0x0000000001146000-memory.dmp

    Filesize

    6.4MB

    Download

  • memory/1868-4-0x0000000000A70000-0x0000000000A8E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1868-7-0x0000000006090000-0x00000000061AE000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1868-6-0x0000000074670000-0x0000000074D5E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1868-5-0x000000007467E000-0x000000007467F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1868-37-0x0000000074670000-0x0000000074D5E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1868-0-0x000000007467E000-0x000000007467F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1868-3-0x0000000005120000-0x000000000527C000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/1868-2-0x0000000074670000-0x0000000074D5E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1868-1-0x0000000000C10000-0x0000000001276000-memory.dmp

    Filesize

    6.4MB

    Download

  • memory/1900-103-0x0000000000BA0000-0x0000000000BBE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1972-181-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/1972-183-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/1972-211-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/1972-86-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1972-89-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/1972-180-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/2436-182-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2436-104-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2568-26-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/2568-28-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/2568-20-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/2568-22-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/2568-24-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/2568-30-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/2568-32-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/2568-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2568-35-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/2568-36-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download