General

  • Target

    bluewing TS.zip

  • Size

    48.6MB

  • Sample

    250221-sc4wsawks7

  • MD5

    cd42cddb8a7e499433cab034fb5e09c7

  • SHA1

    649e2c5b1715541ab8b55611abc449c68a54dad3

  • SHA256

    734f289e454119f1bb31e9f4963c64e5230b51264229a1832b1707b9753f276c

  • SHA512

    1d7b20bce5567b51f5b01f6036e9101f544b48e724f49dafd97680939f3a12523c270057077cf62cdf40bb1f8b77d403139120ce39e5f30a5d5b1e40794d5b63

  • SSDEEP

    1572864:pUrvw7AW9+ZGai1WeDej5RTRQISXiIT8Xvnz:pgGa7eDiRTB8iIT8X/z

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll
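The config above mixes two kinds of network indicator: hosts only the operator uses (the C2 and the free-hosting subdomain) and share links on services that carry legitimate traffic (Google Docs, Dropbox, freedns.afraid.org). The matcher below, written here as an added example rather than anything from the sandbox, treats them differently: a hit on the attacker hostname alone is enough, while a shared-service indicator only matches the exact resource (host, path and query parameters), so a Dropbox link to a different file is not flagged. The proxy and DNS log lines are constructed for the example, and treating xred.site50.net as attacker-controlled is my own judgement, not something the report states.

```python
"""Match proxy and DNS log lines against the xred network indicators above.

Added example, not part of the sandbox report. The log lines are constructed
for illustration. Indicators are taken from the extracted config; the split
into attacker-controlled hosts versus shared services is my own judgement.
"""
import re
from urllib.parse import parse_qs, urlparse

C2_DOMAINS = {"xred.mooo.com"}

PAYLOAD_URLS = [
    "http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download",
    "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1",
    "http://xred.site50.net/syn/SUpdate.ini",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download",
    "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1",
    "http://xred.site50.net/syn/Synaptics.rar",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download",
    "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1",
    "http://xred.site50.net/syn/SSLLibrary.dll",
]

# Hosts only the operator uses: the hostname alone is a sufficient match.
# xred.site50.net is a free-hosting subdomain named after the family, so it is
# treated as attacker-controlled (assumption, not stated by the report).
ATTACKER_HOSTS = C2_DOMAINS | {"xred.site50.net"}


def url_key(url):
    """Normalise a URL to (host, path, query items) so that a share link on a
    shared service matches only that exact resource, not the whole service."""
    p = urlparse(url)
    query = frozenset((k, tuple(v)) for k, v in parse_qs(p.query).items())
    return ((p.hostname or "").lower(), p.path, query)


# docs.google.com, dropbox.com and freedns.afraid.org carry legitimate traffic
# too, so those indicators are matched on the full resource, never the host.
SHARED_SERVICE_KEYS = {url_key(u) for u in PAYLOAD_URLS
                       if (urlparse(u).hostname or "").lower() not in ATTACKER_HOSTS}

URL_RE = re.compile(r"https?://[^\s\"']+")
HOST_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def classify(line):
    """Return a reason string if the line touches an xred indicator, else None."""
    m = URL_RE.search(line)
    if m:
        url = m.group(0)
        host = (urlparse(url).hostname or "").lower()
        if host in ATTACKER_HOSTS:
            return f"attacker-controlled host {host}"
        if url_key(url) in SHARED_SERVICE_KEYS:
            return f"known xred payload resource on shared service {host}"
        return None
    # No URL on the line (e.g. a DNS query): fall back to bare hostnames.
    for host in HOST_RE.findall(line):
        if host.lower() in ATTACKER_HOSTS:
            return f"attacker-controlled host {host.lower()}"
    return None


def scan_log(text):
    """Return [(line_number, reason)] for every line that matches an indicator."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        reason = classify(line)
        if reason:
            hits.append((n, reason))
    return hits


# Constructed proxy/DNS log excerpt: lines 1, 3, 5 and 6 should match,
# lines 2 and 4 are unrelated Google Docs / Dropbox resources.
SAMPLE_LOG = """\
1708500001.001 10.0.0.5 TCP_MISS/200 GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download - HIER_DIRECT
1708500002.002 10.0.0.5 TCP_MISS/200 GET https://docs.google.com/uc?id=1AbCdEfGhIjKlMnOpQrStUvWxYz&export=download - HIER_DIRECT
1708500003.003 10.0.0.5 TCP_MISS/200 GET http://xred.site50.net/syn/Synaptics.rar - HIER_DIRECT
1708500004.004 10.0.0.5 TCP_MISS/200 GET https://www.dropbox.com/s/abcdef1234567/report.pdf?dl=1 - HIER_DIRECT
1708500005.005 10.0.0.5 query A xred.mooo.com
1708500006.006 10.0.0.5 TCP_MISS/200 GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 - HIER_DIRECT
"""

if __name__ == "__main__":
    for n, reason in scan_log(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

The shared-service indicators are the weakest of the set: a Google Docs file id or Dropbox share token is trivially re-issued by the operator, so expect them to age out quickly, whereas the xred.mooo.com C2 name and the freedns.afraid.org API call with its fixed sha parameter (the dynamic-DNS lookup the sample makes to resolve its C2) are worth keeping in the watchlist longer.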

Targets

    • Target

      bluewing TS/BlueWing Cleaner.exe

    • Size

      1.2MB

    • MD5

      5c4c33c0e3914d6eb4471f0a7b87c8f8

    • SHA1

      fad32cd16ac549be1e019d3b683c005925ab1c3d

    • SHA256

      2fdc67ad98fe3cd9e7f1f2b7b67509b3870914aa7989cc097a99bcdf7dc6574d

    • SHA512

      a5007ba3918addb9569bbbb23efafd682b9c10e4f23121b96e1ab98f8beb48ec2daebbcd04406fc36e28073496cca42d430282a0bd5f3612371e5353f7333e36

    • SSDEEP

      24576:3nsJ39LyjbJkQFMhmC+6GD9DF2G0bIGsRTUpCz3:3nsHyjtk2MYC5GDzh0bIGK4O

    • Xred

      Xred is a backdoor written in Delphi.

    • Xred family

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX build.
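The signatures above are all registry lookups, and Sysmon does not record registry reads, so the evidence behind them comes from a Procmon trace or the sandbox's own API log. The script below, an added example and not the sandbox's rule set, maps Procmon-style events onto the report's signature names. The report names the checks but not the keys it matched on; the paths in RULES are the commonly cited locations for each check and are assumptions, as is the Procmon CSV, which is constructed for the example. The Run-key rule deliberately fires only on writes: nearly every installer and Explorer itself reads the Run key, so a read is not persistence.

```python
"""Map registry activity to the evasion and persistence signatures listed above.

Added example, not part of the sandbox report and not its rules. The report
names the checks but not the registry paths; the paths in RULES are the
commonly cited ones for each check and are assumptions. The Procmon-style CSV
is constructed for this example.
"""
import csv
import io
import re
from collections import OrderedDict

# Constructed Procmon export (Time, Process, PID, Operation, Path, Result).
SAMPLE_EVENTS = r"""Time of Day,Process Name,PID,Operation,Path,Result
10:00:01.000,BlueWing Cleaner.exe,4120,RegOpenKey,HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions,NAME NOT FOUND
10:00:01.001,BlueWing Cleaner.exe,4120,RegOpenKey,"HKLM\SOFTWARE\VMware, Inc.\VMware Tools",NAME NOT FOUND
10:00:01.002,BlueWing Cleaner.exe,4120,RegQueryValue,HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer,SUCCESS
10:00:01.003,BlueWing Cleaner.exe,4120,RegQueryValue,HKCU\Control Panel\International\Geo\Nation,SUCCESS
10:00:01.004,BlueWing Cleaner.exe,4120,RegQueryValue,HKLM\SYSTEM\MountedDevices\\DosDevices\C:,SUCCESS
10:00:02.000,BlueWing Cleaner.exe,4120,RegSetValue,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Synaptics,SUCCESS
10:00:02.001,BlueWing Cleaner.exe,4120,RegQueryValue,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive,SUCCESS
"""

READ_OPS = {"RegOpenKey", "RegQueryKey", "RegQueryValue", "RegEnumKey", "RegEnumValue"}
WRITE_OPS = {"RegSetValue", "RegCreateKey"}

# (signature name from the report, operations that count, path pattern).
# Paths are assumed typical locations, not taken from the report.
RULES = [
    ("Looks for VirtualBox Guest Additions in registry", READ_OPS,
     re.compile(r"\\Oracle\\VirtualBox Guest Additions", re.I)),
    ("Looks for VMWare Tools registry key", READ_OPS,
     re.compile(r"\\VMware, Inc\.\\VMware Tools", re.I)),
    ("Checks BIOS information in registry", READ_OPS,
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\BIOS", re.I)),
    ("Checks computer location settings", READ_OPS,
     re.compile(r"\\Control Panel\\International\\Geo\\Nation", re.I)),
    ("Maps connected drives based on registry", READ_OPS,
     re.compile(r"\\SYSTEM\\MountedDevices|\\Services\\Disk\\Enum", re.I)),
    # Persistence is a write; reads of the Run key are routine and ignored.
    ("Adds Run key to start application", WRITE_OPS,
     re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)),
]

# The first five rules are environment checks used to decide whether to run.
EVASION_SIGNATURES = {name for name, _, _ in RULES[:5]}


def classify_event(operation, path):
    """Return the matching signature name for one registry event, or None."""
    for name, ops, pattern in RULES:
        if operation in ops and pattern.search(path):
            return name
    return None


def match_signatures(csv_text):
    """Group matching events by signature, preserving first-seen order.

    Each entry keeps (process, operation, path, result); the Result column
    matters, because NAME NOT FOUND on a VirtualBox/VMware key means the sample
    looked and did not find a VM, i.e. it will behave differently on a real VM.
    """
    hits = OrderedDict()
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = classify_event(row["Operation"], row["Path"])
        if name:
            hits.setdefault(name, []).append(
                (row["Process Name"], row["Operation"], row["Path"], row["Result"]))
    return hits


def evasion_count(hits):
    """Number of distinct environment checks the sample performed."""
    return sum(1 for name in hits if name in EVASION_SIGNATURES)


if __name__ == "__main__":
    found = match_signatures(SAMPLE_EVENTS)
    for name, events in found.items():
        print(f"{name}: {len(events)} event(s), first result {events[0][3]}")
    print(f"evasion checks: {evasion_count(found)}")
```

When a sample trips several of these checks, the sandbox run you are reading may not reflect its real behaviour: the checks all returned in the analysis VM, so a second detonation with the VM artifacts hidden (or on bare metal) is the way to see what the 7/10 score is missing.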

    • Target

      bluewing TS/Loader.exe

    • Size

      1.3MB

    • MD5

      a31c7aeb98cb02d7db58c570a9f18e63

    • SHA1

      6d9cf22847ce215100f0b0150c5fc9d579061a72

    • SHA256

      ca9d3a364ab00b6758fac81dca534c85de2acfe87e6aed985d55d733e05248f8

    • SHA512

      781f0de6b2cff9c0f92a8814a05e0ead65f3f32494a3ae8051de3dd04d3c1c42bbe44e376d9a642981fdefb4043f1f2e6ec65641ad6e593f453f6152d1f67ca9

    • SSDEEP

      24576:foWphKZ/21+sTZq1Hr5Ne8DmnH+ZjdGqEQw1KrF+XlJDXNqP/oY75vKWn1ceF1dl:fxphKZwlsHr5Ne8DmnH+VdGqEKrF+Xl4

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      bluewing TS/bluewing bypass.exe

    • Size

      16.8MB

    • MD5

      526f48ff5e2e6502792de77301bdabd8

    • SHA1

      3ace17d3fca1e01a04733da0c4a8ae014c235d7c

    • SHA256

      fa5045f42fe977d5a35e87526544752241031a3b9e5c854a5b8d9c65cae263ec

    • SHA512

      11a7ab6e098b67b2ca48290d0f428cf495ea2814b11f48751fdfd3ad72d6fa4612f09a70d350fcfed7bd1ed790f5f0d51ac8f27dc51762b6dc548ace632c00f5

    • SSDEEP

      393216:G6prs3Ndv3LvOqUCZbIDK/wiyXPL+JWsBmvd4bafJ6wFct:T1s3Ndv3IYbqK/whXDeWsBmqaB6wCt

    Score
    1/10
    • Target

      bluewing TS/bluewing woofer.exe

    • Size

      17.2MB

    • MD5

      e2443a82501780eab2a68b1edc94a0e4

    • SHA1

      4418de72270d6a5774a355477dac0aa35cee72aa

    • SHA256

      87774fd5d36f01751b6a7dca58ab9c7325e734b4806e73b30d037e1e7ec409f5

    • SHA512

      863e69bac7b7c9b514af881e68464415d03033443cc5124c1fcd570dce14229c21c54255bbbf9161ca83a60c5ac201ad3be626d3398906e60300295322537e25

    • SSDEEP

      393216:yjQmfOlxOTfcnGM8FJolxLyWPoqUFzt0ZXB/RmyW4xa0:SLODOj8gXolxLyWQJzCZX1

    Score
    1/10
    • Target

      bluewing TS/rust.exe

    • Size

      10.0MB

    • MD5

      dd6d31286e7369ae5a1bf9a6105f6e4c

    • SHA1

      b9a3527c90563335ff808cf707ae8988a96f390b

    • SHA256

      a5b9eeaa0be03d8a921690ab724441d4b522147df249594720ce09d995726494

    • SHA512

      275594ccc76f3bcb9b4e377cb5e6e3d5f136e185174cba8c37a71865fa522fc85c5c04d0572d20da9d15210748a7e21c824398f74bb0191fa834c200b294312c

    • SSDEEP

      196608:KdztxExMp99eZwnNJ6Mj9B8ZLQoEA0o828LVVKPDE1WbSh68scT:KlkxU99emnNkMj92LQov0s8LXKGWbShV

    Score
    6/10
    • Drops desktop.ini file(s)

    • Network Service Discovery

      Attempts to gather information about the host's network.

    • Target

      bluewing TS/valorant esp.exe

    • Size

      7.5MB

    • MD5

      90dc2034f9b34caa297d22ba110a648b

    • SHA1

      4aa18722f3c715107819252b14882e25faaf89d4

    • SHA256

      a92207cdaeabf1e5837d5c78c581c2af75052f6b6c162d666cd66931879d9f8e

    • SHA512

      556e09218bb190ab1a2158680d44a778236768c5c5e19339f303cda2bb27acb87fa1dbc34190b5cfd4acf27fc66894c79af067e5a10ce9229933829d972ff4c0

    • SSDEEP

      196608:GKIg67q6GENqJ9fWiTcJhtmLY0FL53d0S/lFAezL3D5te2:v1Q9GEN17tmc0p53dTjAe/33

    Score
    5/10
    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      bluewing TS/valorant full.exe

    • Size

      910KB

    • MD5

      a4589be07699d55f1e84de98fb8e14dc

    • SHA1

      409e3df648fcd2bd70d5569ba9e39faa4b6eefb3

    • SHA256

      54abc7b31f3167221eb186cf5a1ab9dc7b4945e9da4a241b46b7fbeb932fe3c7

    • SHA512

      313d34b55a8ffe68c208b800f77610b1cd2740f1b56939d1b95b8793b7c643da767237649c5534ea9eb39bd60e2776c2542fb38326bd817d728d8984b8fdcda6

    • SSDEEP

      24576:lKg+vBX4JpuCUX0Qpuvgdx/y5RL90q+wRw:z+Zupu/kqFdxENAwRw

    Score
    5/10
    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX build.
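The "UPX packed file" signature, raised for both BlueWing Cleaner.exe and valorant full.exe above, covers stock UPX and modified builds. The checker below is an added example, not the rule the sandbox uses, and reads the PE section table directly so it runs with nothing but the standard library. Stock UPX is identified by its section names or the "UPX!" magic; for a build with the names patched out it falls back to a layout heuristic (an empty-on-disk first section, the unpack target, followed by a high-entropy second section, the compressed payload) and reports that as "suspect" rather than "upx", because the heuristic is an assumption and other packers produce the same shape. The three sample images are assembled in code so the check can be exercised offline; they are not the files from this report.

```python
"""Static check for UPX packing by walking the PE section table.

Added example, not part of the sandbox report and not its own rule. Stock UPX
is identified by its section names or the "UPX!" magic; a build with the
names patched out ("modified UPX") is flagged on layout alone, which is a
heuristic (assumption), so it returns "suspect" rather than "upx".
"""
import math
import struct
import sys

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def entropy(buf):
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(data):
    """Parse the section table; each entry carries its name, sizes and raw bytes."""
    try:
        if data[:2] != b"MZ":
            raise ValueError("not an MZ executable")
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("PE signature not found")
        # COFF header follows the 4-byte signature: NumberOfSections at +2,
        # SizeOfOptionalHeader at +16; the section table follows the optional header.
        nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
        opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
        table = e_lfanew + 24 + opt_size
        sections = []
        for i in range(nsec):
            name, vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
            sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize,
                             "raw_size": rsize, "raw": data[rptr:rptr + rsize]})
        return sections
    except struct.error as exc:
        raise ValueError("truncated PE header") from exc


def detect_upx(data):
    """Return (verdict, reason); verdict is 'upx', 'suspect' or 'clean'."""
    secs = pe_sections(data)
    found = {s["name"] for s in secs} & UPX_SECTION_NAMES
    if found:
        return "upx", "section names " + ", ".join(sorted(n.decode() for n in found))
    if b"UPX!" in data:
        return "upx", "UPX! magic present"
    # Renamed-section heuristic: section 0 exists only in memory (raw size 0)
    # and section 1 holds near-random bytes, the shape UPX leaves behind.
    if len(secs) >= 2 and secs[0]["raw_size"] == 0 and secs[0]["virtual_size"] > 0:
        ent = entropy(secs[1]["raw"])
        if ent > 7.0:
            return "suspect", f"empty first section, second section entropy {ent:.2f} bits/byte"
    return "clean", "no UPX indicators"


def build_pe(sections):
    """Assemble a minimal PE32 from [(name, virtual_size, raw_bytes), ...] (fixture only)."""
    opt_size, e_lfanew = 224, 0x40
    table = e_lfanew + 24 + opt_size
    raw_start = (table + 40 * len(sections) + 0x1FF) & ~0x1FF  # 512-byte file alignment
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, rest zeroed
    hdrs, blobs, ptr, vaddr = b"", b"", raw_start, 0x1000
    for name, vsize, raw in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr, len(raw),
                            ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        blobs += raw
        ptr += len(raw)
        vaddr += (max(vsize, len(raw)) + 0xFFF) & ~0xFFF
    img = dos + coff + opt + hdrs
    return img + b"\0" * (raw_start - len(img)) + blobs


# Constructed fixtures. PACKED_BLOB stands in for compressed data (8 bits/byte).
PACKED_BLOB = bytes(range(256)) * 16
STOCK_UPX = build_pe([(b"UPX0", 0x20000, b""), (b"UPX1", 0x8000, PACKED_BLOB),
                      (b".rsrc", 0x1000, b"\0" * 64)])
RENAMED_UPX = build_pe([(b".text", 0x20000, b""), (b".data", 0x8000, PACKED_BLOB)])
PLAIN_EXE = build_pe([(b".text", 0x1000, b"\x90" * 512), (b".data", 0x200, b"\0" * 64)])

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        print(*detect_upx(f.read()))
```

Given a file path on the command line it prints the verdict and reason. A "suspect" result is a prompt to unpack and re-scan rather than a classification on its own; packed-but-benign installers and self-extracting archives produce the same section shape.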

MITRE ATT&CK Enterprise v15
