General

  • Target

    2025-03-08_9b5aa9ef676c151c4ef03aa0c5be4012_luca-stealer_magniber

  • Size

    10.1MB

  • Sample

    250308-zgqy2sssew

  • MD5

    9b5aa9ef676c151c4ef03aa0c5be4012

  • SHA1

    2fc8b80b8e64bddd92f8c03467f18ad15295b5bb

  • SHA256

    4afff31f271c8c11c1ee362f610cb5f97a64844097e19b73aca86ef40e8685ce

  • SHA512

    ad12713a2deffaab31117f3e715aa63103e11a7e785a2900f82bf0b2d293216b2e1eedff595685667eb9d5319b994a41919ae17ca76344d183cb4dbfcaa36918

  • SSDEEP

    196608:3Nsg4AMgAGNsg4AMgAdNsg4AMgAVNsg4AMgAHFKzYN5:3Gg4a1Gg4aSGg4aOGg4a6

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Targets

    • Target

      2025-03-08_9b5aa9ef676c151c4ef03aa0c5be4012_luca-stealer_magniber

    • Size

      10.1MB

    • MD5

      9b5aa9ef676c151c4ef03aa0c5be4012

    • SHA1

      2fc8b80b8e64bddd92f8c03467f18ad15295b5bb

    • SHA256

      4afff31f271c8c11c1ee362f610cb5f97a64844097e19b73aca86ef40e8685ce

    • SHA512

      ad12713a2deffaab31117f3e715aa63103e11a7e785a2900f82bf0b2d293216b2e1eedff595685667eb9d5319b994a41919ae17ca76344d183cb4dbfcaa36918

    • SSDEEP

      196608:3Nsg4AMgAGNsg4AMgAdNsg4AMgAVNsg4AMgAHFKzYN5:3Gg4a1Gg4aSGg4aOGg4a6

    • Xred

      Xred is backdoor written in Delphi.

    • Xred family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks