General

  • Target

    2025-03-10_faa1fc9de78b81c78bfd33a4b1ea3f7f_luca-stealer_magniber

  • Size

    10.1MB

  • Sample

    250310-sw8dbazves

  • MD5

    faa1fc9de78b81c78bfd33a4b1ea3f7f

  • SHA1

    5d59ccd14fc10bbaea114281d7641f9499fdeed0

  • SHA256

    c7a93935fead2a31277e876b2bf97660295b71c4cc4251e658c9cafd967417a9

  • SHA512

    dc9c1f4521637aee2b06f896f6917dee72af2ad79b5693723a5fa32385a298b22038bbf6f8494c2a7330eb267658b9127ccc09df7ef8148fe867a65a5d28a260

  • SSDEEP

    196608:3Nsg4AMgAGNsg4AMgAdNsg4AMgAVNsg4AMgAHFKzYNm:3Gg4a1Gg4aSGg4aOGg4aF

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll
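The extracted config above is the part of this report a responder actually reuses. The script below is an added example, not part of the sandbox report or of the Xred family's own code: it turns the C2 host, the payload URLs and the SHA256 into hunt queries. The hostnames and URLs are copied from the config; the proxy log lines and the file path are constructed test data. Note the split it makes: docs.google.com, www.dropbox.com and freedns.afraid.org carry legitimate traffic, so they are matched only on the full URL, while the two attacker-controlled hosts (xred.mooo.com, xred.site50.net) are matched on hostname alone.

```powershell
# Added example (not from the sandbox report): xred config -> hunt queries.
$Config = [ordered]@{
    C2     = 'xred.mooo.com'
    Sha256 = 'c7a93935fead2a31277e876b2bf97660295b71c4cc4251e658c9cafd967417a9'
    PayloadUrls = @(
        'http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978'
        'https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download'
        'https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1'
        'http://xred.site50.net/syn/SUpdate.ini'
        'https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download'
        'https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1'
        'http://xred.site50.net/syn/Synaptics.rar'
        'https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download'
        'https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1'
        'http://xred.site50.net/syn/SSLLibrary.dll'
    )
}

# Shared services also serve legitimate traffic: match those on the full URL only.
# Hosts the actor controls are matched on the hostname, which also catches DNS logs.
$SharedHosts    = 'docs.google.com', 'www.dropbox.com', 'freedns.afraid.org'
$AllHosts       = @($Config.C2) + @($Config.PayloadUrls | ForEach-Object { ([System.Uri]$_).Host })
$DedicatedHosts = $AllHosts | Where-Object { $_ -notin $SharedHosts } | Sort-Object -Unique
$ExactUrls      = $Config.PayloadUrls | Where-Object { ([System.Uri]$_).Host -in $SharedHosts }

function Find-XredIndicator {
    # Returns one object per log line that contains a dedicated host or an exact URL.
    # IndexOf with Ordinal comparison is used instead of -like because '?' and '['
    # in the URLs would otherwise be treated as wildcards.
    param([string[]]$Lines)
    foreach ($Line in $Lines) {
        $Hit = $DedicatedHosts |
            Where-Object { $Line.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0 } |
            Select-Object -First 1
        if (-not $Hit) {
            $Hit = $ExactUrls |
                Where-Object { $Line.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0 } |
                Select-Object -First 1
        }
        if ($Hit) { [pscustomobject]@{ Indicator = $Hit; Line = $Line } }
    }
}

function Test-XredHash {
    # True if the file on disk is this exact sample (SHA256 from the report).
    param([string]$Path)
    $Hash = (Get-FileHash -Algorithm SHA256 -Path $Path).Hash
    return ($Hash -ieq $Config.Sha256)
}

# Constructed proxy log lines for demonstration; the Dropbox line for
# quarterly.pdf is benign and must not be flagged.
$ProxyLog = @(
    '2025-03-10T10:01:02Z 10.0.0.15 GET http://xred.site50.net/syn/SUpdate.ini 200'
    '2025-03-10T10:01:05Z 10.0.0.15 GET https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1 200'
    '2025-03-10T10:02:30Z 10.0.0.22 GET https://www.dropbox.com/s/4h2k9ab3x/quarterly.pdf?dl=1 200'
    '2025-03-10T10:03:00Z 10.0.0.15 CONNECT xred.mooo.com:443 200'
)

Find-XredIndicator -Lines $ProxyLog | Format-Table -AutoSize   # three hits, benign line skipped

# Hash check against a file you have collected (hypothetical path):
# Test-XredHash -Path 'C:\quarantine\faa1fc9de78b81c78bfd33a4b1ea3f7f.bin'
```

The SSDEEP value in the report is a fuzzy hash for finding repacked variants; Get-FileHash cannot compute it, so variant matching needs the ssdeep tool rather than this script. The Google Docs and Dropbox URLs are also the kind of indicator that ages quickly, since the actor can re-upload the payload under a new file ID without touching the dedicated hosts.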

Targets

    • Target

      2025-03-10_faa1fc9de78b81c78bfd33a4b1ea3f7f_luca-stealer_magniber

    • Size

      10.1MB

    • MD5

      faa1fc9de78b81c78bfd33a4b1ea3f7f

    • SHA1

      5d59ccd14fc10bbaea114281d7641f9499fdeed0

    • SHA256

      c7a93935fead2a31277e876b2bf97660295b71c4cc4251e658c9cafd967417a9

    • SHA512

      dc9c1f4521637aee2b06f896f6917dee72af2ad79b5693723a5fa32385a298b22038bbf6f8494c2a7330eb267658b9127ccc09df7ef8148fe867a65a5d28a260

    • SSDEEP

      196608:3Nsg4AMgAGNsg4AMgAdNsg4AMgAVNsg4AMgAHFKzYNm:3Gg4a1Gg4aSGg4aOGg4aF

    • Xred

      Xred is a backdoor written in Delphi.

    • Xred family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
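Two of the behaviours listed above leave durable traces on a compromised host: the Defender exclusions added through PowerShell, and the Run key. The script below is an added example, not part of the sandbox report or of the malware family's own code, that audits a Windows host for both. It assumes an elevated PowerShell session with the Defender module available. The three strings in $Suspects are the payload file names taken from the config URLs in this report (Synaptics, SSLLibrary, SUpdate); treating any other name as suspicious is your own call.

```powershell
# Added example (not from the sandbox report): audit Defender exclusions and
# Run keys for traces of the behaviours listed in the report. Run elevated.
$Suspects = 'Synaptics', 'SSLLibrary', 'SUpdate'   # file names from the payload URLs

function Test-Suspect {
    param([string]$Text)
    if (-not $Text) { return $false }
    foreach ($S in $Suspects) {
        if ($Text.IndexOf($S, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
    }
    return $false
}

function Get-DefenderExclusionReport {
    # The report says the sample runs PowerShell to add extension, path and
    # process exclusions; Get-MpPreference exposes all three lists.
    $Pref = Get-MpPreference
    foreach ($Kind in 'ExclusionPath', 'ExclusionExtension', 'ExclusionProcess') {
        foreach ($Entry in @($Pref.$Kind)) {
            if ($Entry) {
                [pscustomobject]@{
                    Source     = $Kind
                    Value      = $Entry
                    Suspicious = (Test-Suspect $Entry)
                }
            }
        }
    }
}

function Get-DefenderExclusionChanges {
    # Event 5007 in the Defender operational log records configuration changes,
    # including exclusion adds, with a timestamp; this gives "when" as well as "what".
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions' } |
        Select-Object TimeCreated, Message
}

function Get-RunKeyReport {
    # "Adds Run key to start application": enumerate both per-user and machine Run keys.
    $Keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($Key in $Keys) {
        if (-not (Test-Path $Key)) { continue }
        $Props = (Get-ItemProperty -Path $Key).PSObject.Properties |
            Where-Object { $_.Name -notin $ProviderProps }
        foreach ($P in $Props) {
            [pscustomobject]@{
                Key        = $Key
                Name       = $P.Name
                Command    = [string]$P.Value
                Suspicious = (Test-Suspect ([string]$P.Value))
            }
        }
    }
}

Get-DefenderExclusionReport  | Format-Table -AutoSize
Get-DefenderExclusionChanges | Format-List
Get-RunKeyReport             | Format-Table -AutoSize
```

Read the output for entries that are present but not recognised rather than only for the Suspicious column: an exclusion for an extension or a whole user-profile directory is itself the finding, whatever the malware named its files. If the sample was able to add exclusions, also assume anything it dropped into those paths was never scanned, so the hash check and a clean re-scan after removing the exclusions are both still needed.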

MITRE ATT&CK Enterprise v15

Tasks