General

  • Target

    VMProtect.exe

  • Size

    19.3MB

  • Sample

    250309-gnb5csyjs8

  • MD5

    9a8d80c3947af3a8669b90e968dc1b16

  • SHA1

    8a21e94e984848288c1392fd3c7305f49f52f8ca

  • SHA256

    fbc8f536d7689df0887baebaa76fd1bc534ee7e32735d9e7d81c4dfcabbf29ae

  • SHA512

    5344873ad571da2c83999eaacf65fcb61e7939b9a1d66dd3cdcd6858fdd13a81092be293e70830819e0127653b830f2960178998b55014dc3a4d632043d8b6b6

  • SSDEEP

    393216:1LPBrXw0fdCHkfgS3TX+xuE4EDxOfXaGtaBiVOElnxTY6BjD:lFXfdCHkBpEDQPaGoQVOElxTvh

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Targets

    • Target

      VMProtect.exe

    • Size

      19.3MB

    • MD5

      9a8d80c3947af3a8669b90e968dc1b16

    • SHA1

      8a21e94e984848288c1392fd3c7305f49f52f8ca

    • SHA256

      fbc8f536d7689df0887baebaa76fd1bc534ee7e32735d9e7d81c4dfcabbf29ae

    • SHA512

      5344873ad571da2c83999eaacf65fcb61e7939b9a1d66dd3cdcd6858fdd13a81092be293e70830819e0127653b830f2960178998b55014dc3a4d632043d8b6b6

    • SSDEEP

      393216:1LPBrXw0fdCHkfgS3TX+xuE4EDxOfXaGtaBiVOElnxTY6BjD:lFXfdCHkBpEDQPaGoQVOElxTvh

    • Xred

      Xred is backdoor written in Delphi.

    • Xred family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks