General

  • Target

    setup.exe

  • Size

    773KB

  • Sample

    250310-xsgteavmt4

  • MD5

    77b6f725c18f72e0057295d3cfec939d

  • SHA1

    5b548186f780b3353d040234e0aec44e496239fa

  • SHA256

    7ce2e37d8bdb815c8d5cf28fad885bca624278c7d88780dc2fc15a74ee66bd1a

  • SHA512

    c31a1e3a2898249802ac144f4dad011160c145cf187468eb56108997c16977d836c6410b8b272bfc9a1261416afd3a7f54de0df9c4aa762bfc52732a211b3cff

  • SSDEEP

    12288:WMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9WGg6xy:WnsJ39LyjbJkQFMhmC+6GD9WE0

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Targets

    • Target

      setup.exe

    • Size

      773KB

    • MD5

      77b6f725c18f72e0057295d3cfec939d

    • SHA1

      5b548186f780b3353d040234e0aec44e496239fa

    • SHA256

      7ce2e37d8bdb815c8d5cf28fad885bca624278c7d88780dc2fc15a74ee66bd1a

    • SHA512

      c31a1e3a2898249802ac144f4dad011160c145cf187468eb56108997c16977d836c6410b8b272bfc9a1261416afd3a7f54de0df9c4aa762bfc52732a211b3cff

    • SSDEEP

      12288:WMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9WGg6xy:WnsJ39LyjbJkQFMhmC+6GD9WE0

    • Modifies WinLogon for persistence

    • Xred

      Xred is backdoor written in Delphi.

    • Xred family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks