File name:	Synaptics.exe
Full analysis:	https://app.any.run/tasks/1c002e0a-0b0e-47d4-9845-adba705739e5
Verdict:	Malicious activity
Threats:	A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. XRed operates as a stealthy backdoor, enabling cybercriminals to gain unauthorized remote access to infected systems. XRed has gained particular notoriety for its distribution through trojanized legitimate software and hardware drivers, making it exceptionally dangerous due to its ability to masquerade as trusted applications. Malware Trends Tracker >>>
Analysis date:	February 01, 2025, 09:21:14
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	xred backdoor hausbomber delphi dyndns
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:	85E3D4AC5A6EF32FB93764C090EF32B7
SHA1:	ADEDB0AAB26D15CF96F66FDA8B4CFBBDCC15EF52
SHA256:	4E5CC8CB98584335400D00F0A0803C3E0202761F3FBE50BCAB3858A80DF255E1
SSDEEP:	12288:j3H6yScLnqOl0r5Zu0LMFbtizFJ6rAPvOxrcg0i7u48m+LXsSl:j3HzLnqOaNMCFJ6kPvOxrcg0i7uF/XsE

.exe	\|	Win32 Executable Borland Delphi 7 (96.4)
.exe	\|	Win32 Executable Delphi generic (2)
.exe	\|	Win32 Executable (generic) (0.6)
.exe	\|	Win16/32 Executable Delphi generic (0.3)
.exe	\|	Generic Win/DOS Executable (0.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	1992:06:19 22:22:17+00:00
ImageFileCharacteristics:	Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	629760
InitializedDataSize:	151552
UninitializedDataSize:	-
EntryPoint:	0x9ab80
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.4
ProductVersionNumber:	1.0.0.4
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Turkish
CharacterSet:	Windows, Turkish
CompanyName:	Synaptics
FileDescription:	Synaptics Pointing Device Driver
FileVersion:	1.0.0.4
InternalName:	-
LegalCopyright:	-
LegalTrademarks:	-
OriginalFileName:	-
ProductName:	Synaptics Pointing Device Driver
ProductVersion:	1.0.0.0
Comments:	-


(PID) Process:	(6552) Synaptics.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A78039010000FB9A790967ADD111ABCD00C04FC309367D000000
(PID) Process:	(6552) Synaptics.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Synaptics Pointing Device Driver
Value: C:\ProgramData\Synaptics\Synaptics.exe
(PID) Process:	(6552) Synaptics.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100004E3AAA90BA1C3342B8BB535773D484498D000000
(PID) Process:	(6552) Synaptics.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E232827701000060B81DB4E48ED2119906E49FADC173CA9C0000006078A409B011A54DAFA526D86198A780390100004E3AAA90BA1C3342B8BB535773D484498D000000
(PID) Process:	(6780) ._cache_Synaptics.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6780) ._cache_Synaptics.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(6780) ._cache_Synaptics.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(6780) ._cache_Synaptics.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(6780) ._cache_Synaptics.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(6780) ._cache_Synaptics.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576

PID	Process	Filename		Type
4724	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_._cache_Synaptic_fc3526a46a17956b3130c754264a32014e1a_82734048_42887177-4422-4738-9e7b-5df25d16c18d\Report.wer		—
		MD5:—	SHA256:—
4724	WerFault.exe	C:\Users\admin\AppData\Local\CrashDumps\._cache_Synaptics.exe.6780.dmp		—
		MD5:—	SHA256:—
6552	Synaptics.exe	C:\ProgramData\Synaptics\Synaptics.exe		executable
		MD5:85E3D4AC5A6EF32FB93764C090EF32B7	SHA256:4E5CC8CB98584335400D00F0A0803C3E0202761F3FBE50BCAB3858A80DF255E1
6952	Synaptics.exe	C:\Users\admin\AppData\Local\Temp\LRhpRN3.ini		html
		MD5:54E5C11FAAE4FD9CC343DA715BBF3F88	SHA256:8B2B0D31279C057D46D374A4DC2D3BE39EDD6579F2CE074449D8BD3286278641
6552	Synaptics.exe	C:\ProgramData\Synaptics\RCX7CE4.tmp		executable
		MD5:80421089B46D27AD31BBA48F8946AF3F	SHA256:11F931102F640EA8406D95C2EEBEADD1462FD205BC651DAC57AC1BCAC922E8F5
4724	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER213.tmp.WERInternalMetadata.xml		binary
		MD5:AC18BC941B035E73F8D271813075F68E	SHA256:4F65E4F43480F2968E3E72C15D3010FC9656C633F45A2B4C5CFCC140746CD889
6552	Synaptics.exe	C:\Users\admin\Desktop\._cache_Synaptics.exe		executable
		MD5:2A94F3960C58C6E70826495F76D00B85	SHA256:2FCAD226B17131DA4274E1B9F8F31359BDD325C9568665F08FD1F6C5D06A23CE
4724	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERBA.tmp.dmp		binary
		MD5:C3AB6E45B37F3AE30B64966BA64C19FA	SHA256:F0A305C7564B46A74276FE1FFB834EC467235C581F6190C16A51EC23BEE024A0
4724	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER233.tmp.xml		xml
		MD5:438F1C92EE528D9C6268F55403219086	SHA256:2FB03E6070FF315A25B18EF05D419D12E3259BC51367C4A9B9DB468693BB1AF5
4724	WerFault.exe	C:\Windows\appcompat\Programs\Amcache.hve		binary
		MD5:08EDAE7C657EF70045ED43215D6C4342	SHA256:24A9AA60E22B6916E1BC10796CC9934F004772960CC63944EFEDCC87DB2B57D1

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	95.101.78.32:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6952	Synaptics.exe	GET	200	69.42.215.252:80	http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978	unknown	—	—	whitelisted
—	—	GET	—	151.101.194.49:443	https://urlhaus.abuse.ch/downloads/text_online/	unknown	—	—	—
—	—	GET	—	64.233.167.84:443	https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download	unknown	—	—	—
4712	MoUsoCoreWorker.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	95.101.78.32:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	2.23.181.156:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4712	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6952	Synaptics.exe	69.42.215.252:80	freedns.afraid.org	AWKNET	US	whitelisted
6780	._cache_Synaptics.exe	151.101.130.49:443	urlhaus.abuse.ch	FASTLY	US	whitelisted
3976	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted

Domain	IP	Reputation
google.com	216.58.212.174	whitelisted
crl.microsoft.com	95.101.78.32 95.101.78.42	whitelisted
www.microsoft.com	2.23.181.156	whitelisted
settings-win.data.microsoft.com	51.104.136.2	whitelisted
xred.mooo.com	—	whitelisted
freedns.afraid.org	69.42.215.252	whitelisted
urlhaus.abuse.ch	151.101.130.49 151.101.2.49 151.101.194.49 151.101.66.49	whitelisted
watson.events.data.microsoft.com	104.208.16.94	whitelisted
docs.google.com	216.58.212.174	whitelisted
self.events.data.microsoft.com	20.42.73.31	whitelisted

General Info

Synaptics.exe

85E3D4AC5A6EF32FB93764C090EF32B7

ADEDB0AAB26D15CF96F66FDA8B4CFBBDCC15EF52

4E5CC8CB98584335400D00F0A0803C3E0202761F3FBE50BCAB3858A80DF255E1

12288:j3H6yScLnqOl0r5Zu0LMFbtizFJ6rAPvOxrcg0i7u48m+LXsSl:j3HzLnqOaNMCFJ6kPvOxrcg0i7uF/XsE

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

XRED mutex has been found

XRED has been detected

HAUSBOMBER has been detected (YARA)

XRED has been detected (YARA)

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

There is functionality for communication over UDP network (YARA)

There is functionality for taking screenshot (YARA)

There is functionality for communication dyndns network (YARA)

Executes application which crashes

Checks Windows Trust Settings

INFO

Reads the computer name

The sample compiled with turkish language support

Process checks computer location settings

Creates files in the program directory

Checks supported languages

Reads the machine GUID from the registry

Disables trace logs

Checks proxy server information

Reads the software policy settings

Compiled with Borland Delphi (YARA)

Creates files or folders in the user directory

Create files in a temporary directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings