General
-
Target
f9e30aeb60b38538b0e3fd8d817f2c53f2b138b477487b87e2c8d98591235fceN.exe
-
Size
1.4MB
-
Sample
250224-r95nxaykz3
-
MD5
57b47e90d5f0ae246a2f7d882f641b40
-
SHA1
a220da2df57f5514c458eed5d0e36bf52ea12fd0
-
SHA256
f9e30aeb60b38538b0e3fd8d817f2c53f2b138b477487b87e2c8d98591235fce
-
SHA512
0dfb58b3c779d8ab0f5ab5dfc26159954f9eadc7e830a897004ced10551950d370461820bd5307236015961312467d7689736dbb5291895f27c92afc932182aa
-
SSDEEP
24576:vnsJ39LyjbJkQFMhmC+6GR94dChNRASWgDxPWnP0LamWYC8Eud1n:vnsHyjtk2MYC5GRadWHyzGd1n
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Targets
-
-
Target
f9e30aeb60b38538b0e3fd8d817f2c53f2b138b477487b87e2c8d98591235fceN.exe
-
Size
1.4MB
-
MD5
57b47e90d5f0ae246a2f7d882f641b40
-
SHA1
a220da2df57f5514c458eed5d0e36bf52ea12fd0
-
SHA256
f9e30aeb60b38538b0e3fd8d817f2c53f2b138b477487b87e2c8d98591235fce
-
SHA512
0dfb58b3c779d8ab0f5ab5dfc26159954f9eadc7e830a897004ced10551950d370461820bd5307236015961312467d7689736dbb5291895f27c92afc932182aa
-
SSDEEP
24576:vnsJ39LyjbJkQFMhmC+6GR94dChNRASWgDxPWnP0LamWYC8Eud1n:vnsHyjtk2MYC5GRadWHyzGd1n
Score10/10-
Modifies firewall policy service
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass
-
Windows security bypass
-
Xred
Xred is backdoor written in Delphi.
-
Xred family
-
Suspicious Office macro
Office document equipped with macros.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Windows security modification
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
6