Analysis

  • max time kernel
    142s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/04/2025, 13:39

General

  • Target

    2025-04-10_8a9021f1bd1200640095efa630e09461_black-basta_darkgate_elex_luca-stealer.exe

  • Size

    13.9MB

  • MD5

    8a9021f1bd1200640095efa630e09461

  • SHA1

    f6516a39d14fe5100b031a1c2a5a56106ab46a5e

  • SHA256

    dd7b904ba6b48edb78f664be1ff660faf373ecbc6e00bedae0c707ba12b399d5

  • SHA512

    01fb9af6a96ba486344b9b3d990f70f63011ac1a710e9771f7aead5a5cf12b6b796c28e575b7b7ce79e8d47b133b010703f49e37d4e2e2d713a3578f1a423dc5

  • SSDEEP

    393216:v9DRSlptVYmfr7yBG/4bEXtOiHCFQbPlU:lEpttD7yBG/USt/So+

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-04-10_8a9021f1bd1200640095efa630e09461_black-basta_darkgate_elex_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-10_8a9021f1bd1200640095efa630e09461_black-basta_darkgate_elex_luca-stealer.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\Users\Admin\AppData\Local\Temp\._cache_2025-04-10_8a9021f1bd1200640095efa630e09461_black-basta_darkgate_elex_luca-stealer.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_2025-04-10_8a9021f1bd1200640095efa630e09461_black-basta_darkgate_elex_luca-stealer.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5012
      • C:\Windows\Temp\{FBDFA030-ACCB-40E9-95CC-F585E6A09F05}\.cr\._cache_2025-04-10_8a9021f1bd1200640095efa630e09461_black-basta_darkgate_elex_luca-stealer.exe
        "C:\Windows\Temp\{FBDFA030-ACCB-40E9-95CC-F585E6A09F05}\.cr\._cache_2025-04-10_8a9021f1bd1200640095efa630e09461_black-basta_darkgate_elex_luca-stealer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\._cache_2025-04-10_8a9021f1bd1200640095efa630e09461_black-basta_darkgate_elex_luca-stealer.exe" -burn.filehandle.attached=540 -burn.filehandle.self=652
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:3600
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:5996
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1204
        • C:\Windows\Temp\{70F330DC-DE30-466F-858C-A8E275602E1A}\.cr\._cache_Synaptics.exe
          "C:\Windows\Temp\{70F330DC-DE30-466F-858C-A8E275602E1A}\.cr\._cache_Synaptics.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 InjUpdate
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:652
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Synaptics\Synaptics.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1540
    • C:\ProgramData\Synaptics\Synaptics.exe
      C:\ProgramData\Synaptics\Synaptics.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2308
      • C:\Windows\SysWOW64\._cache_Synaptics.exe
        "C:\Windows\system32\._cache_Synaptics.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3076
        • C:\Windows\Temp\{9FD0F688-E0E9-470F-BB48-4316CC2D877F}\.cr\._cache_Synaptics.exe
          "C:\Windows\Temp\{9FD0F688-E0E9-470F-BB48-4316CC2D877F}\.cr\._cache_Synaptics.exe" -burn.clean.room="C:\Windows\SysWOW64\._cache_Synaptics.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:4880
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:6104

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize 13.9MB (same MD5/SHA1/SHA256/SHA512 as the submitted sample)
  • C:\Users\Admin\AppData\Local\Temp\._cache_2025-04-10_8a9021f1bd1200640095efa630e09461_black-basta_darkgate_elex_luca-stealer.exe
    Filesize 13.2MB
  • C:\Users\Admin\AppData\Local\Temp\01775E00
    Filesize 23KB
  • C:\Users\Admin\AppData\Local\Temp\gFgQmomp.xlsm
    Filesize 17KB
  • C:\Windows\Temp\{17D07EDC-5D1A-40EA-A3FE-FC18DC8DCD88}\.ba\logo.png
    Filesize 1KB
  • C:\Windows\Temp\{17D07EDC-5D1A-40EA-A3FE-FC18DC8DCD88}\.ba\wixstdba.dll
    Filesize 191KB
  • C:\Windows\Temp\{5685712F-3452-4984-BE3D-B49658E7DBCC}\.ba\BootstrapperApplicationData.xml
    Filesize 12KB
  • C:\Windows\Temp\{5685712F-3452-4984-BE3D-B49658E7DBCC}\.ba\license.rtf
    Filesize 9KB
  • C:\Windows\Temp\{5685712F-3452-4984-BE3D-B49658E7DBCC}\.ba\thm.wxl
    Filesize 2KB
  • C:\Windows\Temp\{5685712F-3452-4984-BE3D-B49658E7DBCC}\.ba\thm.xml
    Filesize 8KB
  • C:\Windows\Temp\{FBDFA030-ACCB-40E9-95CC-F585E6A09F05}\.cr\._cache_2025-04-10_8a9021f1bd1200640095efa630e09461_black-basta_darkgate_elex_luca-stealer.exe
    Filesize 634KB
  • memory/2212-164-0x0000000000400000-0x00000000011F8000-memory.dmp
    Filesize 14.0MB
  • memory/2212-0-0x0000000002F80000-0x0000000002F81000-memory.dmp
    Filesize 4KB
  • memory/2308-296-0x0000000000400000-0x00000000011F8000-memory.dmp
    Filesize 14.0MB
  • memory/5996-445-0x0000000000400000-0x00000000011F8000-memory.dmp
    Filesize 14.0MB
  • memory/5996-482-0x0000000000400000-0x00000000011F8000-memory.dmp
    Filesize 14.0MB
  • memory/5996-571-0x0000000000400000-0x00000000011F8000-memory.dmp
    Filesize 14.0MB
  • memory/6104-307-0x00007FFF47CF0000-0x00007FFF47D00000-memory.dmp
    Filesize 64KB
  • memory/6104-303-0x00007FFF47CF0000-0x00007FFF47D00000-memory.dmp
    Filesize 64KB
  • memory/6104-302-0x00007FFF47CF0000-0x00007FFF47D00000-memory.dmp
    Filesize 64KB
  • memory/6104-396-0x00007FFF453C0000-0x00007FFF453D0000-memory.dmp
    Filesize 64KB
  • memory/6104-398-0x00007FFF453C0000-0x00007FFF453D0000-memory.dmp
    Filesize 64KB
  • memory/6104-308-0x00007FFF47CF0000-0x00007FFF47D00000-memory.dmp
    Filesize 64KB
  • memory/6104-299-0x00007FFF47CF0000-0x00007FFF47D00000-memory.dmp
    Filesize 64KB