General

  • Target

    2025-03-08_c0bf08af30d838aa29d253b81d051fd3_luca-stealer_magniber

  • Size

    11.5MB

  • Sample

    250308-zp85lastdt

  • MD5

    c0bf08af30d838aa29d253b81d051fd3

  • SHA1

    296634c744ad06d2e01be9eb85ba07ba2446244c

  • SHA256

    fc71b10342b64839cbea5a28c82513aeaf0f59389116245795c0727f85e349e9

  • SHA512

    ce628ef7a9a4137d4b9fa4fe403b46e373d15b4c9cdb0e382032354ba71177868d195a545d68feabe31a76c5a410227470909021e2659fc3bdb0856abf7ad702

  • SSDEEP

    196608:JNsg4AMgAbNsg4AMgADNsg4AMgAWNsg4AMgAtNsg4AMgAfFKzYNE:JGg4awGg4aEGg4a5Gg4amGg4ab

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Targets

    • Target

      2025-03-08_c0bf08af30d838aa29d253b81d051fd3_luca-stealer_magniber

    • Size

      11.5MB

    • MD5

      c0bf08af30d838aa29d253b81d051fd3

    • SHA1

      296634c744ad06d2e01be9eb85ba07ba2446244c

    • SHA256

      fc71b10342b64839cbea5a28c82513aeaf0f59389116245795c0727f85e349e9

    • SHA512

      ce628ef7a9a4137d4b9fa4fe403b46e373d15b4c9cdb0e382032354ba71177868d195a545d68feabe31a76c5a410227470909021e2659fc3bdb0856abf7ad702

    • SSDEEP

      196608:JNsg4AMgAbNsg4AMgADNsg4AMgAWNsg4AMgAtNsg4AMgAfFKzYNE:JGg4awGg4aEGg4a5Gg4amGg4ab

    • Xred

      Xred is backdoor written in Delphi.

    • Xred family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks