General

  • Target

    b1e7f990d09c0c3813821c6c1c8aed7f9839f881c99a82124dfaaed23fdd79a5

  • Size

    3.2MB

  • Sample

    250517-lyy44acp6v

  • MD5

    d8997ce0f52fb875f4f94dd922e351cd

  • SHA1

    819b50f57ba2fb33712192a2ee29aaf68fdf265d

  • SHA256

    b1e7f990d09c0c3813821c6c1c8aed7f9839f881c99a82124dfaaed23fdd79a5

  • SHA512

    ce7d4b879ce625afe06d91ba84f9c80628bbe20d776d8db9fca6358e5fc5060f82165994c4f011bf82696d6f64f152fd9e0c6f951e912cfcc3c545dfe01acef2

  • SSDEEP

    98304:VquzDnyT3aS4SSnuV6mRjgTry4Lw7wTmteJeRWsbZR:VDHvWSvTrCjxRnZR

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll
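The ten payload_url entries above follow a pattern worth making explicit: a dynamic-DNS lookup through the freedns.afraid.org API, then three mirrors (Google Docs, Dropbox, xred.site50.net) for each of the three payloads SUpdate.ini, Synaptics.rar and SSLLibrary.dll. The script below is an added example, not part of the Triage report, that groups the extracted URLs by payload, collects the hosts to block, and defangs them for a report. It assumes the list keeps the order shown above, so that a Google Docs link (whose path carries no file name) belongs to the next named mirror.

```python
"""Normalise the extracted Xred config URLs into per-payload mirror sets.

Added example, not part of the sandbox report.  Input is the payload_url
list exactly as extracted above; the ordering assumption (unnamed Google
Docs link precedes the named Dropbox/site50 mirrors of the same payload)
is ours, not something the config states.
"""
import posixpath
from urllib.parse import parse_qs, urlsplit

C2_DOMAIN = "xred.mooo.com"

PAYLOAD_URLS = [
    "http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download",
    "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1",
    "http://xred.site50.net/syn/SUpdate.ini",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download",
    "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1",
    "http://xred.site50.net/syn/Synaptics.rar",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download",
    "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1",
    "http://xred.site50.net/syn/SSLLibrary.dll",
]


def classify(url):
    """Return (kind, host, filename) for one config URL.

    kind is "ddns_lookup" for the afraid.org getdyndns API call and
    "mirror" otherwise; filename is None when the path has no file name
    (the Google Docs download links use an id= parameter instead).
    """
    u = urlsplit(url)
    query = parse_qs(u.query)
    if "getdyndns" in query.get("action", []):
        return "ddns_lookup", u.hostname, None
    name = posixpath.basename(u.path)
    if "." not in name:
        name = None
    return "mirror", u.hostname, name


def group_by_payload(urls):
    """Split the list into DDNS lookups and {payload_name: [mirror urls]}.

    Unnamed mirrors are held back and attached to the next named one,
    which is the ordering assumption stated in the docstring above.
    """
    lookups, groups, pending = [], {}, []
    for url in urls:
        kind, _host, name = classify(url)
        if kind == "ddns_lookup":
            lookups.append(url)
        elif name is None:
            pending.append(url)
        else:
            groups.setdefault(name, []).extend(pending)
            pending.clear()
            groups[name].append(url)
    return lookups, groups


def indicator_hosts(urls):
    """All hosts an analyst would block or hunt for, C2 included."""
    return sorted({classify(u)[1] for u in urls} | {C2_DOMAIN})


def defang(url):
    """hxxp(s):// scheme and [.] in the host only; paths stay searchable."""
    u = urlsplit(url)
    scheme = "hxx" + u.scheme[3:]          # http -> hxxp, https -> hxxps
    host = u.hostname.replace(".", "[.]")
    return url.replace(u.scheme + "://", scheme + "://", 1).replace(u.hostname, host, 1)


if __name__ == "__main__":
    lookups, groups = group_by_payload(PAYLOAD_URLS)
    print("DDNS lookups:", *map(defang, lookups))
    for name, mirrors in groups.items():
        print(name)
        for m in mirrors:
            print("   ", defang(m))
    print("hosts:", ", ".join(h.replace(".", "[.]") for h in indicator_hosts(PAYLOAD_URLS)))
```

The grouping makes the fallback design visible: every payload can be fetched from a Google Docs id, a Dropbox share, or the operator-controlled xred.site50.net, so blocking only the latter host leaves the download path intact.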

Targets

    • Target

      ZTWorker.dll

    • Size

      2.1MB

    • MD5

      476b4234120d15d2163d9bef20dad340

    • SHA1

      f037e141fe36b179c6570bec3403185769c30644

    • SHA256

      ee343bf150e0bb66fe92072b0927d13fdbe369657fbded0bb07f943751eaf1d7

    • SHA512

      7edec07c91bed3676c1917cb7dde0aad001ceb54cdcfe353d3cc2eb28cea134c5df224765c3ff9a4658ade65972716b7ffd5cf69d6c6ee93f81fe200cbbf1ff4

    • SSDEEP

      49152:d+3fQqmxwH96VpWdCZkvgM6AJvGkxcWGxgZA3HlG:d+3foxY9Sp6Gkv/BJvGk8xgZA3H

    Score
    3/10

    • Target

      ZTool.exe

    • Size

      4.0MB

    • MD5

      c2660af1ad716b8095a6b3e8d143d4f8

    • SHA1

      e4441022f28853b70857365e0d63d455aceb84ce

    • SHA256

      29dfbbc2c092c011193569cda9e4af204235778fa0e29fdbd916fe84ed3a4323

    • SHA512

      d117aef7d23fe03b46e0373bf6653cdbf3eda51627a80117f2c6667ec892a7de3f5a5c0a26c18e906b227c19a0b817792d2a30c309149a48364aad8dc4702ff4

    • SSDEEP

      98304:2nsmtk2ae/Xkm6hkE3qVRChlkYKcqFrFLOAkGkzdnEVomFHKnPv:oLtsmaI6LkYKcqFrFLOyomFHKnPv

    • Xred

      Xred is a backdoor written in Delphi.

    • Xred family

    • Suspicious Office macro

      Office document equipped with macros.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16
