General
-
Target
364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe
-
Size
1.8MB
-
Sample
250224-1ckf5sxmz8
-
MD5
1d1940b7775280d355fa25e70d7f17ec
-
SHA1
cf79bbeaa4e37d9cbcb99b18ca04f52be2124793
-
SHA256
364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775
-
SHA512
fd4b749a3c8293612087cb9e9d8db559d0ab05125f8517886f214d304d086022472237c1db834548cefccd1a8c305eb78be967f21988d06c43a7c6164beb8496
-
SSDEEP
49152:bnsHyjtk2MYC5GDkY80D4YSbxIWvbqmmdtL4i96Ua:bnsmtk2a9YRmbSIKSi9e
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Targets
-
-
Target
364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe
-
Size
1.8MB
-
MD5
1d1940b7775280d355fa25e70d7f17ec
-
SHA1
cf79bbeaa4e37d9cbcb99b18ca04f52be2124793
-
SHA256
364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775
-
SHA512
fd4b749a3c8293612087cb9e9d8db559d0ab05125f8517886f214d304d086022472237c1db834548cefccd1a8c305eb78be967f21988d06c43a7c6164beb8496
-
SSDEEP
49152:bnsHyjtk2MYC5GDkY80D4YSbxIWvbqmmdtL4i96Ua:bnsmtk2a9YRmbSIKSi9e
Score10/10-
Modifies firewall policy service
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass
-
Windows security bypass
-
Xred
Xred is backdoor written in Delphi.
-
Xred family
-
Suspicious Office macro
Office document equipped with macros.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Windows security modification
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
6