General

  • Target

    Output.exe

  • Size

    56.3MB

  • Sample

    250226-xyrwkazps7

  • MD5

    f21bab83ac325830cf3aab824cc1fadf

  • SHA1

    0cab604f8e23814a0d9e43dc63e3bebce5336168

  • SHA256

    fd2af290651593318f6181ffbbf227f8ae72c1ab1deb2a2ffae91d7a8988c8da

  • SHA512

    6cfa5d269e041870ad38c6c162cc2090df296b056eb89bc7afb790342797cf983a6906733bb27acfcbca7674dd18366c24003818cd4b8dc34b141ddb9a802537

  • SSDEEP

    1572864:5WWXtHc1Y6Iv97dZJl+T/pq5Z4vA9jtycxrSuICF98bh:5Lc1Y6IJfI/U5ZWotFnxSbh

Malware Config

Extracted

Family

xworm

C2

209.50.250.24:4562

Attributes
  • install_file

    USB.exe

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll
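The extracted configuration above is only useful if it is turned into something that can be run against telemetry. The script below is an added example, not part of the sandbox report or of either malware family's code: it transcribes the two extracted configs into indicator tuples and scans a handful of constructed DNS, proxy, netflow and process log lines for them. The one design point worth noting is that the xred payload URLs sit on shared hosting (docs.google.com, www.dropbox.com, freedns.afraid.org), so those are matched only as full URLs, while attacker-controlled hostnames (xred.mooo.com, xred.site50.net) and the xworm IP:port pair are matched on their own. The SHARED_HOSTS set, the log line format and the key=value field names are assumptions made for this example.

```python
"""Hunt for the xworm / xred indicators extracted in this report.

Added example, not code from the report or the malware. The log lines below
are constructed for the example, not captured traffic.
"""
import re
from urllib.parse import urlsplit

# Indicators transcribed from the report's "Malware Config" section.
EXTRACTED_CONFIGS = [
    {"family": "xworm", "c2": ["209.50.250.24:4562"], "install_file": "USB.exe"},
    {
        "family": "xred",
        "c2": ["xred.mooo.com"],
        "payload_url": [
            "http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978",
            "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download",
            "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1",
            "http://xred.site50.net/syn/SUpdate.ini",
            "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download",
            "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1",
            "http://xred.site50.net/syn/Synaptics.rar",
            "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download",
            "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1",
            "http://xred.site50.net/syn/SSLLibrary.dll",
        ],
    },
]

# Hosts that serve legitimate traffic for everyone: an indicator on one of
# these is only meaningful as the full URL, never as the bare hostname.
# (Assumption made for this example, not a judgement the report makes.)
SHARED_HOSTS = {"docs.google.com", "www.dropbox.com", "freedns.afraid.org"}

IP_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
KV = re.compile(r"(\w+)=(\S+)")  # assumed key=value log format


def build_indicators(configs):
    """Flatten configs into (family, kind, value); kind is ip_port, domain, url or file."""
    iocs = set()
    for cfg in configs:
        fam = cfg["family"]
        for c2 in cfg.get("c2", []):
            m = IP_PORT.match(c2)
            if m:
                iocs.add((fam, "ip_port", (m.group(1), int(m.group(2)))))
            else:
                iocs.add((fam, "domain", c2.lower()))
        for url in cfg.get("payload_url", []):
            iocs.add((fam, "url", url))
            host = (urlsplit(url).hostname or "").lower()
            if host and host not in SHARED_HOSTS:
                iocs.add((fam, "domain", host))   # attacker-controlled host
        if cfg.get("install_file"):
            # Low confidence on its own: a generic file name, so report it but
            # do not treat it as proof without a network hit on the same host.
            iocs.add((fam, "file", cfg["install_file"].lower()))
    return iocs


def scan_logs(lines, iocs):
    """Return [(line_no, family, kind, value)] for every line touching an indicator."""
    by_kind = {}
    for fam, kind, value in iocs:
        by_kind.setdefault(kind, {})[value] = fam
    hits = []
    for n, line in enumerate(lines, 1):
        f = dict(KV.findall(line))
        if "url" in f:                       # proxy: full URL first, then host
            url = f["url"]
            host = (urlsplit(url).hostname or "").lower()
            if url in by_kind.get("url", {}):
                hits.append((n, by_kind["url"][url], "url", url))
            elif host in by_kind.get("domain", {}):
                hits.append((n, by_kind["domain"][host], "domain", host))
        if "query" in f:                     # DNS
            q = f["query"].lower().rstrip(".")
            if q in by_kind.get("domain", {}):
                hits.append((n, by_kind["domain"][q], "domain", q))
        if "dst" in f and f.get("dport", "").isdigit():   # netflow: ip AND port
            key = (f["dst"], int(f["dport"]))
            if key in by_kind.get("ip_port", {}):
                hits.append((n, by_kind["ip_port"][key], "ip_port", key))
        if "image" in f:                     # process creation
            name = f["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if name in by_kind.get("file", {}):
                hits.append((n, by_kind["file"][name], "file", name))
    return hits


SAMPLE_LOGS = [  # constructed for this example
    "2025-02-26T10:01:02Z dns client=10.0.0.5 query=xred.mooo.com type=A",
    "2025-02-26T10:01:05Z proxy client=10.0.0.5 url=https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download status=200",
    "2025-02-26T10:01:09Z proxy client=10.0.0.7 url=https://docs.google.com/document/d/1abc/edit status=200",
    "2025-02-26T10:01:12Z proxy client=10.0.0.5 url=http://xred.site50.net/syn/other.bin status=404",
    "2025-02-26T10:02:00Z flow src=10.0.0.5 dst=209.50.250.24 dport=4562 proto=tcp",
    "2025-02-26T10:02:30Z flow src=10.0.0.9 dst=209.50.250.24 dport=443 proto=tcp",
    "2025-02-26T10:03:00Z process host=WS01 image=C:\\Users\\a\\AppData\\Roaming\\USB.exe pid=4120",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, build_indicators(EXTRACTED_CONFIGS)):
        print(hit)
```

Lines 3 and 6 of the constructed log deliberately do not fire: an ordinary Google Docs URL shares a host with the payload URL but not the document id, and a connection to the xworm C2 address on 443 is not the 4562 pair the config names. Whether to also alert on the bare IP is a judgement call for the environment; the script errs on the strict side.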

Targets

    • Target

      Output.exe

    • Size

      56.3MB

    • MD5

      f21bab83ac325830cf3aab824cc1fadf

    • SHA1

      0cab604f8e23814a0d9e43dc63e3bebce5336168

    • SHA256

      fd2af290651593318f6181ffbbf227f8ae72c1ab1deb2a2ffae91d7a8988c8da

    • SHA512

      6cfa5d269e041870ad38c6c162cc2090df296b056eb89bc7afb790342797cf983a6906733bb27acfcbca7674dd18366c24003818cd4b8dc34b141ddb9a802537

    • SSDEEP

      1572864:5WWXtHc1Y6Iv97dZJl+T/pq5Z4vA9jtycxrSuICF98bh:5Lc1Y6IJfI/U5ZWotFnxSbh

    • Detect Xworm Payload

    • Xred

      Xred is a backdoor written in Delphi.

    • Xred family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Suspicious Office macro

      Office document equipped with macros.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks