URL: https://www.cisa.gov/news-events/analysis-reports/ar23-074a

Cybersecurity & Infrastructure Security Agency

Analysis Report


MAR-10413062-1.V1 TELERIK VULNERABILITY IN U.S. GOVERNMENT IIS SERVER

Release Date
March 15, 2023
Alert Code
AR23-074A


 

NOTIFICATION

This report is provided "as is" for informational purposes only. The Department
of Homeland Security (DHS) does not provide any warranties of any kind regarding
any information contained herein. The DHS does not endorse any commercial
product or service referenced in this bulletin or otherwise.

This document is marked TLP:CLEAR--Disclosure is not limited. Sources may use
TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in
accordance with applicable rules and procedures for public release. Subject to
standard copyright rules, TLP:CLEAR information may be distributed without
restriction. For more information on the Traffic Light Protocol (TLP), see
http://www.cisa.gov/tlp.

SUMMARY

DESCRIPTION

CISA received 18 files for analysis from a forensic analysis engagement
conducted at a Federal Civilian Executive Branch (FCEB) agency.

When 11 of the dynamic link library (DLL) files are loaded, the files can read,
create, and delete files. If the DLL contains a hardcoded Internet Protocol (IP)
address, status messages will be sent to the IP. One DLL file will attempt to
collect the target system's Transmission Control Protocol (TCP) connection
table, and exfiltrate it to a remote Command and Control server (C2). Five of
the files drop and decode a reverse shell utility that can send and receive data
and commands. In addition, the files drop and decode an Active Server Pages
(ASPX) webshell. Two DLL files are capable of loading and executing payloads.

CISA has provided Indicators of Compromise (IOCs) and YARA rules for detection
within this Malware Analysis Report (MAR).

For more information about this compromise, see Joint Cybersecurity Advisory
Threat Actors Exploit Progress Telerik Vulnerability in U.S. Government IIS
Server.

Download the PDF version of this report:

MAR-10413062-1.v1 Telerik Vulnerability in U.S. Government IIS Server (PDF, 3.91 MB)

For a downloadable copy of IOCs, see

AA23-074A STIX XML (XML, 30.96 KB)

SUBMITTED FILES (18)

11415ac829c17bd8a9c4cef12c3fbc23095cbb3113c89405e489ead5138384cd
(1597974061[.]4531896[.]png)

144492284bcbc0110d34a2b9a44bef90ed0d6cda746df6058b49d3789b0f851d
(1666006114[.]5570521[.]txt)

508dd87110cb5bf5d156a13c2430c215035db216f20f546e4acec476e8d55370
(xesmartshell[.]tmp)

707d22cacdbd94a3e6dc884242c0565bdf10a0be42990cd7a5497b124474889b
(1665130178[.]9134793[.]dll)

72f7d4d3b9d2e406fa781176bd93e8deee0fb1598b67587e1928455b66b73911
(1594142927[.]995679[.]png)

74544d31cbbf003bc33e7099811f62a37110556b6c1a644393fddd0bac753730
(1665131078[.]6907752[.]dll)

78a926f899320ee6f05ab96f17622fb68e674296689e8649c95f95dade91e933
(1596686310[.]434117[.]png)

833e9cf75079ce796ef60fc7039a0b098be4ce8d259ffa53fe2855df110b2e5d
(1665128935[.]8063045[.]dll)

853e8388c9a72a7a54129151884da46075d45a5bcd19c37a7857e268137935aa
(1667466391[.]0658665[.]dll)

8a5fc2b8ecb7ac6c0db76049d7e09470dbc24f1a90026a431285244818866505
(1596923477[.]4946315[.]png)

a14e2209136dad4f824c6f5986ec5d73d9cc7c86006fd2ceabe34de801062f6b
(1665909724[.]4648924[.]dll)

b4222cffcdb9fb0eda5aa1703a067021bedd8cf7180cdfc5454d0f07d7eaf18f
(1665129315[.]9536858[.]dll)

d69ac887ecc2b714b7f5e59e95a4e8ed2466bed753c4ac328931212c46050b35
(1667465147[.]4282858[.]dll)

d9273a16f979adee1afb6e55697d3b7ab42fd75051786f8c67a6baf46c4c19c2
(SortVistaCompat)

dedf082f523dfcb75dee0480a2d8a087e3231f89fa34fcd2b7f74866a7b6608f
(1665214140[.]9324195[.]dll)

e044bce06ea49d1eed5e1ec59327316481b8339c3b6e1aecfbb516f56d66e913
(1667465048[.]8995082[.]dll)

e45ad91f12188a7c3d4891b70e1ee87a3f23eb981804ea72cd23f1d5e331ff5a
(1596835329[.]5015914[.]png)

f5cafe99bccb9d813909876fa536cc980c45687d0f411c5f4b5346dcf6b304e4
(1665132690[.]6040645[.]dll)

ADDITIONAL FILES (6)

08375e2d187ee53ed263ee6529645e03ead1a8e77afd723a3e0495201452d415 (small[.]aspx)

11d8b9be14097614dedd68839c85e3e8feec08cdab675a5e89c5b055a6a68bad
(XEReverseShell[.]exe)

1fed0766f564dc05a119bc7fa0b6670f0da23504e23ece94a5ae27787b674cd2 (xesvrs[.]exe)

5cbba90ba539d4eb6097169b0e9acf40b8c4740a01ddb70c67a8fb1fc3524570 (small[.]txt)

815d262d38a26d5695606d03d5a1a49b9c00915ead1d8a2c04eb47846100e93f
(XEReverseShell[.]exe)

a0ab222673d35d750a0290db1b0ce890b9d40c2ab67bfebb62e1a006e9f2479c
(Multi-OS_ReverseShell[.]exe)

DOMAINS (3)

hivnd[.]com

xegroups[.]com

xework[.]com

IPS (4)

137[.]184[.]130[.]162

144[.]96[.]103[.]245

184[.]168[.]104[.]171

45[.]77[.]212[.]12


FINDINGS

144492284BCBC0110D34A2B9A44BEF90ED0D6CDA746DF6058B49D3789B0F851D

TAGS

wiper

DETAILS

Name:    1666006114.5570521.txt
Size:    12288 bytes
Type:    PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5:     8e33e1e407fc9ff537b63be3ab78cb40
SHA1:    1228a2269610fcd20d6b0cf982b759b4c7612f34
SHA256:  144492284bcbc0110d34a2b9a44bef90ed0d6cda746df6058b49d3789b0f851d
SHA512:  d5b0ee2931ada3f3c51a201433e9b907d4efdbb88fb3825613f6ed16e80be2ddb4d23ccc8ee5d1af14ee13045b6d80f2909d007d016c8cf0436b0462fcb92732
ssdeep:  96:/sJBSe0UzgkuQZR39ZoUnXpxs1bc9m4oJ1nbBeFsPW0dfk/QSvlWHaRA3naHrt/y:/ESvLkKUXpxsNcgb9pvRYGsrhUU/HkY
Entropy: 4.610852

ANTIVIRUS

No matches found.

YARA RULES

 * rule CISA_10413062_04 : wiper compromises_data_availability
   {
      meta:
          Author = "CISA Code & Media Analysis"
          Incident = "10413062"
          Date = "2022-11-21"
          Last_Modified = "20221123_2000"
          Actor = "n/a"
          Family = "n/a"
          Capabilities = "compromises-data-availability"
          Malware_Type = "wiper"
          Tool_Type = "n/a"
          Description = "Detect portable executable file that deletes .dll files"
          MD5 = "8e33e1e407fc9ff537b63be3ab78cb40"
          SHA256 = "144492284bcbc0110d34a2b9a44bef90ed0d6cda746df6058b49d3789b0f851d"
      strings:
          $s1 = { (43 | 63) 3a 5c (57 | 77) (49 | 69) (4e | 6e) (44 | 64) (4f | 6f) (57 | 77) (53 | 73) 5c (54 | 74) (65 | 45) (4d | 6d) (50 | 70) }
          $s2 = { 43 72 65 61 74 65 54 68 72 65 61 64 }
          $s3 = { 54 65 6c 65 72 69 69 6b 2e 64 6c 6c }
      condition:
          uint16(0) == 0x5a4d and all of ($s*)
   }
 * rule CISA_10413062_07 : wiper compromises_data_availability
   {
      meta:
          Author = "CISA Code & Media Analysis"
          Incident = "10413062"
          Date = "2022-11-30"
          Last_Modified = "20221130_1700"
          Actor = "n/a"
          Family = "n/a"
          Capabilities = "compromises-data-availability"
          Malware_Type = "wiper"
          Tool_Type = "n/a"
          Description = "Detects managed malware code in C# DLL samples"
          MD5 = "8e33e1e407fc9ff537b63be3ab78cb40"
          SHA256 = "144492284bcbc0110d34a2b9a44bef90ed0d6cda746df6058b49d3789b0f851d"
      strings:
          $s0 = { 4D 61 69 6E 00 61 72 67 73 00 2E 63 74 6F 72 00 57 72 69 74 65 4C 69 6E 65 }
          $s1 = { 46 69 6E 64 46 69 72 73 74 46 69 6C 65 41 00 00 90 01 46 69 6E 64 }
          $s2 = { 43 3A 5C 77 69 6E 64 6F 77 73 5C 74 65 6D 70 }
          $s3 = { 54 65 6C 65 72 69 69 6B 2E 64 6C 6C }
          $s4 = { 76 34 2E 30 2E 33 30 33 31 39 }
      condition:
          all of them
   }

SSDEEP MATCHES

No matches found.

DESCRIPTION

This file is a malicious .NET DLL, which contains malicious unmanaged 64-bit
Intel code. This DLL deletes files that end in ".dll" from C:\windows\temp.
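The hex patterns in the YARA rules above are hard to read at a glance. The following Python script, added here as an illustration and not part of CISA's report, decodes the subset of YARA hex-string syntax these rules use (plain bytes, and single-byte alternations such as `(43 | 63)` that make one letter case-insensitive) and evaluates the condition of rule CISA_10413062_04 (`uint16(0) == 0x5a4d and all of ($s*)`) against constructed buffers. It also decodes three short fragments from rule CISA_10413062_01 ($s10, $s11, $s12) to show that together they spell the C2 address listed in this report. The sample buffers are constructed for the demonstration and are not taken from the malware.

```python
import re

# Hex-string patterns copied verbatim from rule CISA_10413062_04 in this report.
RULE_04_STRINGS = {
    "$s1": "{ (43 | 63) 3a 5c (57 | 77) (49 | 69) (4e | 6e) (44 | 64) (4f | 6f) "
           "(57 | 77) (53 | 73) 5c (54 | 74) (65 | 45) (4d | 6d) (50 | 70) }",
    "$s2": "{ 43 72 65 61 74 65 54 68 72 65 61 64 }",
    "$s3": "{ 54 65 6c 65 72 69 69 6b 2e 64 6c 6c }",
}
# $s10-$s12 from rule CISA_10413062_01, copied from this report.
RULE_01_FRAGMENTS = ["{ 34 35 2e 37 }", "{ 37 2e 32 31 }", "{ 32 2e 31 32 }"]

# A token is either an alternation "(xx | yy)" or a single hex byte.
TOKEN = re.compile(r"\([^)]*\)|[0-9a-fA-F]{2}")


def _tokens(pattern):
    return TOKEN.findall(pattern.strip().strip("{}"))


def decode_hex_string(pattern):
    """Render a hex pattern as readable text.

    Returns (text, case_insensitive). An alternation whose members are the
    upper/lower-case forms of one letter is folded to the upper-case letter
    and the pattern is flagged case-insensitive; other alternations are kept
    as "(a|b)"; non-printable bytes are shown as \\xNN escapes.
    """
    text, case_insensitive = [], False
    for tok in _tokens(pattern):
        if tok.startswith("("):
            alts = {bytes.fromhex(a.strip()) for a in tok[1:-1].split("|")}
            if len({a.upper() for a in alts}) == 1:
                text.append(alts.pop().upper().decode("ascii"))
                case_insensitive = True
            else:
                text.append("(" + "|".join(repr(a)[2:-1] for a in sorted(alts)) + ")")
        else:
            b = bytes.fromhex(tok)[0]
            text.append(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}")
    return "".join(text), case_insensitive


def hex_pattern_to_regex(pattern):
    """Compile a hex pattern into an equivalent bytes regex."""
    parts = []
    for tok in _tokens(pattern):
        if tok.startswith("("):
            alts = [bytes.fromhex(a.strip()) for a in tok[1:-1].split("|")]
            parts.append(b"(?:" + b"|".join(re.escape(a) for a in alts) + b")")
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts))


def matches_rule_04(data):
    """Evaluate the rule's condition: uint16(0) == 0x5a4d and all of ($s*).

    uint16(0) is little-endian, so 0x5a4d is the bytes b"MZ" (a PE header).
    """
    if len(data) < 2 or int.from_bytes(data[:2], "little") != 0x5A4D:
        return False
    return all(hex_pattern_to_regex(p).search(data) is not None
               for p in RULE_04_STRINGS.values())


# Constructed sample buffers (not real samples). The lower-case path shows the
# case-insensitive alternation at work; "Teleriik.dll" carries a double "i".
SAMPLE_HIT = (b"MZ" + b"\x00" * 62
              + b"c:\\windows\\temp\\\x00CreateThread\x00Teleriik.dll\x00")
SAMPLE_NO_MZ = SAMPLE_HIT[2:]                       # same strings, no PE header
SAMPLE_OTHER_NAME = SAMPLE_HIT.replace(b"Teleriik.dll", b"Telerik.dll")


def c2_from_fragments():
    """Concatenate the decoded $s10-$s12 fragments of rule CISA_10413062_01."""
    return "".join(decode_hex_string(p)[0] for p in RULE_01_FRAGMENTS)


if __name__ == "__main__":
    for name, pat in RULE_04_STRINGS.items():
        text, ci = decode_hex_string(pat)
        print(f"{name}: {text!r}{' (case-insensitive)' if ci else ''}")
    print("rule 01 $s10+$s11+$s12 ->", c2_from_fragments())
    for label, buf in [("hit", SAMPLE_HIT), ("no MZ", SAMPLE_NO_MZ),
                       ("other name", SAMPLE_OTHER_NAME)]:
        print(f"{label}: {matches_rule_04(buf)}")
```

The decoder handles only the syntax that appears in this report's rules; YARA wildcards (`??`) and jumps (`[n-m]`) would need extra cases. Use it to sanity-check what a rule actually keys on before deploying it, and run the real rules with the `yara` tool rather than this reimplementation.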

E044BCE06EA49D1EED5E1EC59327316481B8339C3B6E1AECFBB516F56D66E913

TAGS

information-stealer

DETAILS

Name:    1667465048.8995082.dll
Size:    13312 bytes
Type:    PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5:     f6f47911ac32afd786a765dcb1f26722
SHA1:    533bfde3f801f7e1c7b519dcb07e7f21e6546306
SHA256:  e044bce06ea49d1eed5e1ec59327316481b8339c3b6e1aecfbb516f56d66e913
SHA512:  6cbc2e9114dba4f5ba37dbeec3de5610abfc2a23e2c3d74b5943d88392235fe741dca73bb560bb33e366d2d780708e7b7dc40186c46148b45761bb32034c67ff
ssdeep:  192:UqLqxAm19p0WSLQs68UbUA+RaYlLWcTU/:zIAkXON6LUAY4cT
Entropy: 4.929398

ANTIVIRUS

No matches found.

YARA RULES

 * rule CISA_10413062_01 : exfiltrates_data
   {
      meta:
          Author = "CISA Code & Media Analysis"
          Incident = "10413062"
          Date = "2022-11-21"
          Last_Modified = "20221123_2000"
          Actor = "n/a"
          Family = "n/a"
          Capabilities = "exfiltrates-data"
          Malware_Type = "n/a"
          Tool_Type = "n/a"
          Description = "Detect portable executable samples that exfiltrate .config data"
          MD5_1 = "f6f47911ac32afd786a765dcb1f26722"
          SHA256_1 = "e044bce06ea49d1eed5e1ec59327316481b8339c3b6e1aecfbb516f56d66e913"
          MD5_2 = "cd6c11f89b392988e0de3ffe048a561b"
          SHA256_2 = "d69ac887ecc2b714b7f5e59e95a4e8ed2466bed753c4ac328931212c46050b35"
      strings:
          $s1 = { (43 | 63) 3a 5c (49 | 69) (4e | 6e) (45 | 65) (54 | 74) (50 | 70) (55 | 75) (62 | 42) 5c (54 | 74) (45 | 65) (4d | 6d) (50 | 70) }
          $s2 = { (44 | 64) 3a 5c (49 | 69) (4e | 6e) (45 | 65) (54 | 74) (50 | 70) (55 | 75) (62 | 42) 5c (54 | 74) (45 | 65) (4d | 6d) (50 | 70) }
          $s3 = { (45 | 65) 3a 5c (49 | 69) (4e | 6e) (45 | 65) (54 | 74) (50 | 70) (55 | 75) (62 | 42) 5c (54 | 74) (45 | 65) (4d | 6d) (50 | 70) }
          $t4 = { 2e 43 4f (4e | 6e) (46 | 66) (69 | 49) (47 | 67) }
          $t5 = { 2e 43 6f (4e | 6e) (46 | 66) (69 | 49) (47 | 67) }
          $t6 = { 2e 63 4f (4e | 6e) (46 | 66) (69 | 49) (47 | 67) }
          $t7 = { 2e 63 6f (4e | 6e) (46 | 66) (69 | 49) (47 | 67) }
          $s8 = { 70 68 79 73 69 63 61 6c 50 61 74 68 3d }
          $s9 = { 2f 3e }
          $s10 = { 34 35 2e 37 }
          $s11 = { 37 2e 32 31 }
          $s12 = { 32 2e 31 32 }
          $s13 = { 43 72 65 61 74 65 54 68 72 65 61 64 }
      condition:
          uint16(0) == 0x5a4d and 1 of ($t*) and all of ($s*)
   }
 * rule CISA_10413062_06 : exfiltrates_data
   {
      meta:
          Author = "CISA Code & Media Analysis"
          Incident = "10413062"
          Date = "2022-11-30"
          Last_Modified = "20221130_1700"
          Actor = "n/a"
          Family = "n/a"
          Capabilities = "exfiltrates-data"
          Malware_Type = "n/a"
          Tool_Type = "n/a"
          Description = "Detects managed malware code in C# DLL samples"
          MD5 = "f6f47911ac32afd786a765dcb1f26722"
          SHA256 = "e044bce06ea49d1eed5e1ec59327316481b8339c3b6e1aecfbb516f56d66e913"
      strings:
          $s0 = { 4E 65 74 6B 65 6C 2E 64 6C 6C }
          $s1 = { 76 34 2E 30 2E 33 30 33 31 39 }
          $s2 = { 70 68 79 73 69 63 61 6C 50 61 74 68 3D }
          $s3 = { 2E 63 6F 6E 66 69 67 00 2B 5F 2B 5F 2B }
          $s4 = { 43 3A 5C 69 6E 65 74 70 75 62 5C 74 65 6D 70 }
      condition:
          all of them
   }

SSDEEP MATCHES

No matches found.

RELATIONSHIPS

e044bce06e.... Connected_To 45[.]77[.]212[.]12

DESCRIPTION

This file is a malicious .NET DLL, which contains malicious unmanaged 64-bit
Intel code. Loading this DLL will send "+_+_+" to 45[.]77[.]212[.]12 over port
443. Then, C:\inetpub\temp, D:\inetpub\temp, and E:\inetpub\temp are scanned
recursively for files that end in .config.

When a .config file is found, the DLL will look for the strings “physicalPath=”
and “/>” within the file. If there is data between those two strings, it will be
sent to the IP.

If there was an error calling CreateFileA, “Errorcode: {Error_Code}” will be
sent to the IP. If there was an error calling VirtualAlloc, “VirtualAlloc
failed” will be sent to the IP. If there was an error while calling ReadFile,
“read file failed” will be sent to the IP.

45[.]77[.]212[.]12

TAGS

command-and-control

PORTS

 * 443 TCP

WHOIS

NetRange:     45[.]76[.]0[.]0 - 45[.]77[.]255[.]255
CIDR:         45[.]76[.]0[.]0/15
NetName:        CONSTANT
NetHandle:     NET-45-76-0-0-1
Parent:         NET45 (NET-45-0-0-0-0)
NetType:        Direct Allocation
OriginAS:     AS20473
Organization: The Constant Company, LLC (CHOOP-1)
RegDate:        2015-04-24
Updated:        2022-09-20
Comment:        Geofeed hxxps://geofeed[.]constant[.]com/
Ref:            hxxps://rdap[.]arin[.]net/registry/ip/45[.]76[.]0[.]0

OrgName:        The Constant Company, LLC
OrgId:         CHOOP-1
Address:        319 Clematis St. Suite 900
City:         West Palm Beach
StateProv:     FL
PostalCode:     33401
Country:        US
RegDate:        2006-10-03
Updated:        2021-03-30
Comment:        hxxp://www[.]constant[.]com/
Ref:            hxxps://rdap[.]arin[.]net/registry/entity/choop-1

OrgNOCHandle: NETWO1159-ARIN
OrgNOCName: Network Operations
OrgNOCPhone: +1-973-849-0500
OrgNOCEmail: network[@]constant[.]com
OrgNOCRef:    hxxps://rdap[.]arin[.]net/registry/entity/netwo1159-arin

OrgAbuseHandle: ABUSE1143-ARIN
OrgAbuseName: Abuse Department
OrgAbusePhone: +1-973-849-0500
OrgAbuseEmail: abuse[@]constant[.]com
OrgAbuseRef:    hxxps://rdap[.]arin[.]net/registry/entity/abuse1143-arin

OrgTechHandle: NETWO1159-ARIN
OrgTechName: Network Operations
OrgTechPhone: +1-973-849-0500
OrgTechEmail: network[@]constant[.]com
OrgTechRef:    hxxps://rdap[.]arin[.]net/registry/entity/netwo1159-arin

NetRange:     45[.]77[.]212[.]0 - 45[.]77[.]213[.]255
CIDR:         45[.]77[.]212[.]0/23
NetName:        NET-45-77-212-0-23
NetHandle:     NET-45-77-212-0-1
Parent:         CONSTANT (NET-45-76-0-0-1)
NetType:        Reassigned
OriginAS:    
Organization: Vultr Holdings, LLC (VHL-59)
RegDate:        2017-11-21
Updated:        2017-11-21
Ref:            hxxps://rdap[.]arin[.]net/registry/ip/45[.]77[.]212[.]0

OrgName:        Vultr Holdings, LLC
OrgId:         VHL-59
Address:        2001 6th Avenue, Suite 300
Address:        2001 Sixth LLC
City:         Seattle
StateProv:     WA
PostalCode:     98121
Country:        US
RegDate:        2015-03-05
Updated:        2015-03-05
Ref:            hxxps://rdap[.]arin[.]net/registry/entity/vhl-59

OrgAbuseHandle: VULTR-ARIN
OrgAbuseName: Vultr Abuse
OrgAbusePhone: +1-973-849-0500
OrgAbuseEmail: abuse[@]vultr[.]com
OrgAbuseRef:    hxxps://rdap[.]arin[.]net/registry/entity/vultr-arin

OrgTechHandle: VULTR-ARIN
OrgTechName: Vultr Abuse
OrgTechPhone: +1-973-849-0500
OrgTechEmail: abuse[@]vultr[.]com
OrgTechRef:    hxxps://rdap[.]arin[.]net/registry/entity/vultr-arin

RELATIONSHIPS

45[.]77[.]212[.]12 Connected_From e044bce06ea49d1eed5e1ec59327316481b8339c3b6e1aecfbb516f56d66e913
45[.]77[.]212[.]12 Connected_From d69ac887ecc2b714b7f5e59e95a4e8ed2466bed753c4ac328931212c46050b35
45[.]77[.]212[.]12 Connected_From 853e8388c9a72a7a54129151884da46075d45a5bcd19c37a7857e268137935aa
45[.]77[.]212[.]12 Connected_From a14e2209136dad4f824c6f5986ec5d73d9cc7c86006fd2ceabe34de801062f6b

DESCRIPTION

This IP was utilized by multiple malicious applications in this report as a C2
server. The malware uses it both to send status information from commands
executed on the system and as a destination for exfiltrated system and network
information.
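The IPs and domains in this report are published defanged (`45[.]77[.]212[.]12`, `xework[.]com`) so they cannot be clicked by accident. The Python below is an added example, not part of CISA's report or its STIX bundle: it refangs the report's IOC lists and runs them over a few constructed Zeek-style connection and DNS records (tab-separated, with an assumed column order of ts, src, src_port, dst, dst_port, proto for connections and ts, src, query for DNS). Domain matching covers subdomains, since a query for `cdn.xework.com` is still a query for a listed domain. All log lines are constructed for the demonstration; only the indicators come from the report.

```python
# Defanged IOCs copied from the IPS and DOMAINS lists in this report.
DEFANGED_IPS = [
    "137[.]184[.]130[.]162",
    "144[.]96[.]103[.]245",
    "184[.]168[.]104[.]171",
    "45[.]77[.]212[.]12",
]
DEFANGED_DOMAINS = ["hivnd[.]com", "xegroups[.]com", "xework[.]com"]


def refang(ioc):
    """Turn a defanged indicator back into the value that appears in logs."""
    return ioc.replace("[.]", ".").replace("[@]", "@").replace("hxxp", "http")


IOC_IPS = {refang(i) for i in DEFANGED_IPS}
IOC_DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}

# Constructed sample records (not from the report). Assumed column order:
# ts, src, src_port, dst, dst_port, proto. 203.0.113.10 is a documentation
# address standing in for benign traffic.
SAMPLE_CONN = """\
1678900000.1\t10.0.0.5\t51234\t45.77.212.12\t443\ttcp
1678900001.2\t10.0.0.5\t51235\t203.0.113.10\t443\ttcp
1678900002.3\t10.0.0.7\t51236\t137.184.130.162\t443\ttcp
"""
# Constructed DNS query records. Assumed column order: ts, src, query.
SAMPLE_DNS = """\
1678900003.4\t10.0.0.5\twww.example.com
1678900004.5\t10.0.0.9\tcdn.xework.com
1678900005.6\t10.0.0.9\tnotxework.com
"""


def domain_hit(query):
    """Return the IOC domain that `query` equals or is a subdomain of, else None.

    The leading-dot check stops "notxework.com" from matching "xework.com".
    """
    q = query.lower().rstrip(".")
    for d in IOC_DOMAINS:
        if q == d or q.endswith("." + d):
            return d
    return None


def _records(text):
    for line in text.splitlines():
        if line and not line.startswith("#"):   # Zeek logs carry '#' headers
            yield line.split("\t")


def scan_conn_log(text):
    """Flag connections whose destination is a listed C2/IOC address."""
    hits = []
    for ts, src, sport, dst, dport, proto in _records(text):
        if dst in IOC_IPS:
            hits.append({"ts": ts, "src": src, "dst": dst,
                         "dport": int(dport), "proto": proto})
    return hits


def scan_dns_log(text):
    """Flag DNS queries for a listed domain or any of its subdomains."""
    hits = []
    for ts, src, query in _records(text):
        d = domain_hit(query)
        if d:
            hits.append({"ts": ts, "src": src, "query": query, "ioc": d})
    return hits


if __name__ == "__main__":
    for h in scan_conn_log(SAMPLE_CONN):
        print(f"conn  {h['ts']} {h['src']} -> {h['dst']}:{h['dport']}/{h['proto']}")
    for h in scan_dns_log(SAMPLE_DNS):
        print(f"dns   {h['ts']} {h['src']} queried {h['query']} (IOC {h['ioc']})")
```

Exact-match IP lookups and suffix-match domain lookups are the minimum; in production, feed the same refanged set to the SIEM or the NDR's indicator list and alert on any outbound connection to these addresses, since the report shows the DLLs beaconing to 45[.]77[.]212[.]12 over TCP 443 regardless of which sample was loaded.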

D69AC887ECC2B714B7F5E59E95A4E8ED2466BED753C4AC328931212C46050B35

TAGS

information-stealer

DETAILS

Name:    1667465147.4282858.dll
Size:    13312 bytes
Type:    PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5:     cd6c11f89b392988e0de3ffe048a561b
SHA1:    6a2291e077c476d03ffe98b6f3228c82c5b451e4
SHA256:  d69ac887ecc2b714b7f5e59e95a4e8ed2466bed753c4ac328931212c46050b35
SHA512:  a31374d97f0b4e32d14a839b7e943f2385820cd4174114675fa217b921bbbd92792a829ccef9c4bdbc01efa5d8f654a5684527ada02b415fe5bc04384934086c
ssdeep:  192:U7LqxAm19p0WSLQs68UbUA+RR6uVLWcTU/:WIAkXON6LUA2IcT
Entropy: 4.931255

ANTIVIRUS

No matches found.

YARA RULES

 * rule CISA_10413062_01 : exfiltrates_data
   {
      meta:
          Author = "CISA Code & Media Analysis"
          Incident = "10413062"
          Date = "2022-11-21"
          Last_Modified = "20221123_2000"
          Actor = "n/a"
          Family = "n/a"
          Capabilities = "exfiltrates-data"
          Malware_Type = "n/a"
          Tool_Type = "n/a"
          Description = "Detect portable executable samples that exfiltrate .config data"
          MD5_1 = "f6f47911ac32afd786a765dcb1f26722"
          SHA256_1 = "e044bce06ea49d1eed5e1ec59327316481b8339c3b6e1aecfbb516f56d66e913"
          MD5_2 = "cd6c11f89b392988e0de3ffe048a561b"
          SHA256_2 = "d69ac887ecc2b714b7f5e59e95a4e8ed2466bed753c4ac328931212c46050b35"
      strings:
          $s1 = { (43 | 63) 3a 5c (49 | 69) (4e | 6e) (45 | 65) (54 | 74) (50 | 70) (55 | 75) (62 | 42) 5c (54 | 74) (45 | 65) (4d | 6d) (50 | 70) }
          $s2 = { (44 | 64) 3a 5c (49 | 69) (4e | 6e) (45 | 65) (54 | 74) (50 | 70) (55 | 75) (62 | 42) 5c (54 | 74) (45 | 65) (4d | 6d) (50 | 70) }
          $s3 = { (45 | 65) 3a 5c (49 | 69) (4e | 6e) (45 | 65) (54 | 74) (50 | 70) (55 | 75) (62 | 42) 5c (54 | 74) (45 | 65) (4d | 6d) (50 | 70) }
          $t4 = { 2e 43 4f (4e | 6e) (46 | 66) (69 | 49) (47 | 67) }
          $t5 = { 2e 43 6f (4e | 6e) (46 | 66) (69 | 49) (47 | 67) }
          $t6 = { 2e 63 4f (4e | 6e) (46 | 66) (69 | 49) (47 | 67) }
          $t7 = { 2e 63 6f (4e | 6e) (46 | 66) (69 | 49) (47 | 67) }
          $s8 = { 70 68 79 73 69 63 61 6c 50 61 74 68 3d }
          $s9 = { 2f 3e }
          $s10 = { 34 35 2e 37 }
          $s11 = { 37 2e 32 31 }
          $s12 = { 32 2e 31 32 }
          $s13 = { 43 72 65 61 74 65 54 68 72 65 61 64 }
      condition:
          uint16(0) == 0x5a4d and 1 of ($t*) and all of ($s*)
   }

SSDEEP MATCHES

No matches found.

RELATIONSHIPS

d69ac887ec.... Connected_To 45[.]77[.]212[.]12

DESCRIPTION

This file is a malicious .NET DLL, which contains malicious unmanaged 64-bit
Intel code. The file has the same functionality as "1667465048[.]8995082[.]dll"
(e044bce06e...).

853E8388C9A72A7A54129151884DA46075D45A5BCD19C37A7857E268137935AA

TAGS

information-stealer

DETAILS

Name:    1667466391.0658665.dll
Size:    12800 bytes
Type:    PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5:     cece36ea4e328f093517ff68d0ed085c
SHA1:    02df1d2e88a8317215e34cb248b5a0f7a0af830a
SHA256:  853e8388c9a72a7a54129151884da46075d45a5bcd19c37a7857e268137935aa
SHA512:  db34c0e32d87ee1f83d0805edba0af32385e673ded3e4215ae2b4d6e87594192e16def9284604cd88a88a0421a27f14afe0b1a54a40541cfef51e9ad2d1ad25f
ssdeep:  96:9aIum+vgUGsgUxbCfVYfqAs1eAQ6vCJJ4n6qsPYsCx5lAPRa7U2eOvTyYiiZfPRa:9I8nBUffqAsMu6gxQH2eCkmXNnnUU/l
Entropy: 4.659841

ANTIVIRUS

No matches found.

YARA RULES

 * rule CISA_10413062_02 : information_stealer information_gathering
   {
      meta:
          Author = "CISA Code & Media Analysis"
          Incident = "10413062"
          Date = "2022-11-21"
          Last_Modified = "20221123_2000"
          Actor = "n/a"
          Family = "n/a"
          Capabilities = "n/a"
          Malware_Type = "n/a"
          Tool_Type = "information-gathering"
          Description = "Detect portable executable file that creates and deletes a file"
          MD5 = "cece36ea4e328f093517ff68d0ed085c"
          SHA256 = "853e8388c9a72a7a54129151884da46075d45a5bcd19c37a7857e268137935aa"
      strings:
          $s1 = { 34 35 2e 37 }
          $s2 = { 37 2e 32 31 }
          $s3 = { 32 2e 31 32 }
          $s4 = { (45 | 65) 3a 5c (57 | 77) (45 | 65) (42 | 62) (53 | 73) (49 | 69) (54 | 74) (45 | 65) (53 | 73) 5c (4d | 6d) (45 | 65) (49 | 69) (53 | 73) 5c }
          $s5 = { 43 72 65 61 74 65 46 69 6c 65 }
          $s6 = { 57 72 69 74 65 46 69 6c 65 }
          $s7 = { 44 65 6c 65 74 65 46 69 6c 65 }
          $s8 = { 43 72 65 61 74 65 54 68 72 65 61 64 }
      condition:
          uint16(0) == 0x5a4d and all of ($s*)
   }
 * rule CISA_10413062_08 : information_stealer information_gathering
   {
      meta:
          Author = "CISA Code & Media Analysis"
          Incident = "10413062"
          Date = "2022-11-30"
          Last_Modified = "20221130_1700"
          Actor = "n/a"
          Family = "n/a"
          Capabilities = "n/a"
          Malware_Type = "n/a"
          Tool_Type = "information-gathering"
          Description = "Detects managed malware code in C# DLL samples"
          MD5 = "cece36ea4e328f093517ff68d0ed085c"
          SHA256 = "853e8388c9a72a7a54129151884da46075d45a5bcd19c37a7857e268137935aa"
      strings:
          $s0 = { 43 72 65 61 74 65 46 69 6C 65 20 45 72 72 6F 72 }
          $s1 = { 57 72 69 74 65 46 69 6C 65 20 45 72 72 6F 72 }
          $s2 = { 44 65 6C 65 74 65 46 69 6C 65 41 20 66 61 69 6C }
          $s3 = { 45 3A 5C 77 65 62 73 69 74 65 73 5C 4D 45 49 53 }
          $s4 = { 76 34 2E 30 2E 33 30 33 31 39 }
      condition:
          all of them
   }

SSDEEP MATCHES

No matches found.

RELATIONSHIPS

853e8388c9.... Connected_To 45[.]77[.]212[.]12

DESCRIPTION

This file is a malicious .NET DLL, which contains malicious unmanaged 64-bit
Intel code. Loading this DLL will send "+_+_+" to 45[.]77[.]212[.]12 over port
443. The DLL will then create E:\websites\<redacted>\ico[.]txt and write “111”
to that file. If there was an error creating the file, “CreateFile Error code:
{Error_Code}” will be sent to the IP and execution ends. If there was an error
writing to the file, “WriteFile Error code: {Error_Code}” will be sent to the IP
and execution ends. If there are no errors, “CreateFileA OK” will be sent. The
DLL will then delete E:\websites\<redacted>\ico[.]txt. If successful,
“DeleteFileA OK” will be sent to the IP. If there was an error “DeleteFileA
failed” will be sent to the IP.

Analysis indicates the purpose of this application is to provide a remote
operator the ability to determine whether or not they can write files to the
system's web server directory. This capability will likely allow the operator to
determine whether or not they can remotely install a webshell to allow
convenient and persistent remote access to the compromised system.

SCREENSHOTS


Figure 1 - This code illustrates the malware attempting to create a file on the
targeted system within the E:\websites\ directory. This appears to be a test to
ensure the remote operator can remotely install web application code onto the
target.

A14E2209136DAD4F824C6F5986EC5D73D9CC7C86006FD2CEABE34DE801062F6B

TAGS

trojan

DETAILS

Name:    1665909724.4648924.dll
Size:    13312 bytes
Type:    PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5:     bad264a0529cacea56a845bd9d11d55b
SHA1:    76df69648631be3c6262d6e51f066d397563f097
SHA256:  a14e2209136dad4f824c6f5986ec5d73d9cc7c86006fd2ceabe34de801062f6b
SHA512:  a60338de4fada1967776a8a060cb495140fe6a09291a4ffb3326e72c6c6f2312d5bd68a5e5f63aef8928468fe5f31a4cedf0ec8703781b4e4cb577da1789d005
ssdeep:  192:Ub+8o8o9a0ybzz3O8dMFoTaVyiD4TaZNU/4E4:U6NybG8duvVZNZJ
Entropy: 4.637910

ANTIVIRUS

No matches found.

YARA RULES

No matches found.

SSDEEP MATCHES

No matches found.

RELATIONSHIPS

a14e220913.... Connected_To 45[.]77[.]212[.]12

DESCRIPTION

This file is a malicious .NET DLL, which contains malicious unmanaged 64-bit
Intel code. Static analysis indicates that the primary purpose of this code is
to obtain a copy of the targeted system's TCP connection table via the
GetTcpTable API, and export it to the malware's remote C2 server
45[.]77[.]212[.]12.

The purpose of this application is to allow a remote operator to determine what
systems the targeted system currently has an established TCP session with. This
capability will allow the operator to more efficiently profile the targeted
network.

SCREENSHOTS


Figure 2 - The malicious binary loading its C2 IP 45[.]77[.]212[.]12 onto the
stack.

Figure 3 - The malware obtaining a copy of the targeted system's TCP connection
table. Analysis indicates the TCP table will be exfiltrated to the remote C2
server.

8A5FC2B8ECB7AC6C0DB76049D7E09470DBC24F1A90026A431285244818866505

TAGS

dropper
trojan

DETAILS

Name:    1596923477.4946315.png
Size:    143872 bytes
Type:    PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5:     7947ce86923d732e6963c79aea757036
SHA1:    3489d69540a435df50e9d5d80fb59c3c3a0080b4
SHA256:  8a5fc2b8ecb7ac6c0db76049d7e09470dbc24f1a90026a431285244818866505
SHA512:  4f78863442191e255e58a65c01ac5ad85d78a8edfd2b08cfaa74492c9b65ff0caba17267f7f7b9a29bd006a4561e63d0007d7eef6195c65e6d956a2e55f6bb67
ssdeep:  3072:C82Xor1heBTboWWziX5HxtBY42UVJhG4k6F:cXorrUbo3ez
Entropy: 6.242970

ANTIVIRUS

Avira:       HEUR/AGEN.1229794
Bitdefender: Gen:Variant.Tedy.146424
Emsisoft:    Gen:Variant.Tedy.146424 (B)
ESET:        a variant of Win64/Agent.AQS trojan
K7:          Riskware ( 0040eff71 )

YARA RULES

 * rule CISA_10413062_10 : XEReverseShell trojan backdoor downloader dropper webshell remote_access communicates_with_C2 exfiltrates_data installs_other_components
   {
      meta:
          Author = "CISA Code & Media Analysis"
          Incident = "10413062"
          Date = "2022-11-23"
          Last_Modified = "20221215_1930"
          Actor = "n/a"
          Family = "XEReverseShell"
          Capabilities = "remote-access communicates-with-C2 exfiltrates-data installs-other-components"
          Malware_Type = "trojan backdoor downloader dropper webshell"
          Tool_Type = "remote-access"
          Description = "Detects XEReverseShell samples"
          MD5_1 = "37e173b932596af62fefc4dc10c8551d"
          SHA256_1 = "815d262d38a26d5695606d03d5a1a49b9c00915ead1d8a2c04eb47846100e93f"
          MD5_2 = "0bcceb4fdfb12db21fdfc3a42b9c4693"
          SHA256_2 = "508dd87110cb5bf5d156a13c2430c215035db216f20f546e4acec476e8d55370"
          MD5_3 = "42d7b2e1bcf75f9c469afa340f078c86"
          SHA256_3 = "d9273a16f979adee1afb6e55697d3b7ab42fd75051786f8c67a6baf46c4c19c2"
          MD5_4 = "d85880ad1e87c4266f899eca02207dd4"
          SHA256_4 = "1fed0766f564dc05a119bc7fa0b6670f0da23504e23ece94a5ae27787b674cd2"
          MD5_5 = "eaa579d911b8a47eaaea744d59d14708"
          SHA256_5 = "11d8b9be14097614dedd68839c85e3e8feec08cdab675a5e89c5b055a6a68bad"
          MD5_6 = "f968639a4840535a6ecda1cbe3065260"
          SHA256_6 = "a0ab222673d35d750a0290db1b0ce890b9d40c2ab67bfebb62e1a006e9f2479c"
          MD5_7 = "137423d7b7f5a5684a9b1457f46fdfb2"
          SHA256_7 = "e45ad91f12188a7c3d4891b70e1ee87a3f23eb981804ea72cd23f1d5e331ff5a"
          MD5_8 = "7947ce86923d732e6963c79aea757036"
          SHA256_8 = "8a5fc2b8ecb7ac6c0db76049d7e09470dbc24f1a90026a431285244818866505"
          MD5_9 = "d3cf1d590b2a63ae6070dd0011390f03"
          SHA256_9 = "78a926f899320ee6f05ab96f17622fb68e674296689e8649c95f95dade91e933"
      strings:
          $s1 = { 50 67 42 59 52 56 4a 6c 64 6d 56 79 63 32 56 54 61 47 56 73 }
          $s2 = { 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 }
          $s3 = { 78 65 73 76 72 73 2e 65 78 65 }
          $s4 = { 58 45 52 65 76 65 72 73 65 53 68 65 6c 6c }
          $s5 = { 57 45 56 53 5a 58 5a 6c 63 6e 4e 6c 55 32 }
          $s6 = { 59 00 32 00 31 00 6b 00 4c 00 6d 00 56 00 34 00 5a 00 51 00 3d 00 3d }
      condition:
          2 of them
   }

SSDEEP MATCHES

No matches found.

RELATIONSHIPS

8a5fc2b8ec.... Dropped
11d8b9be14097614dedd68839c85e3e8feec08cdab675a5e89c5b055a6a68bad

DESCRIPTION

This artifact is a DLL that drops and executes a reverse shell utility. When the
DLL is loaded, it drops an embedded, base64-encoded payload named ‘sortcombat’
into the path C:\Windows\Temp. The program then invokes the Windows command-line
utility certutil[.]exe with the -decode option and writes the decoded file as
sortcombat[.]exe into C:\Windows\Temp. Cmd[.]exe is then invoked to execute
sortcombat[.]exe.

11D8B9BE14097614DEDD68839C85E3E8FEEC08CDAB675A5E89C5B055A6A68BAD

TAGS

 * backdoor
 * decryptor
 * dropper
 * trojan

DETAILS

Name     XEReverseShell.exe
Size     10752 bytes
Type     PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5      eaa579d911b8a47eaaea744d59d14708
SHA1     db086131afaec88f4a4daa23973d214d666d39c0
SHA256   11d8b9be14097614dedd68839c85e3e8feec08cdab675a5e89c5b055a6a68bad
SHA512   7b24349db93c8be641268cbbbea5c10ca29d8278817d17f461879afe6aa7ee2919201b422f7cfed3e30c8e1d4792dea10f1e5d656ca4e8360eea1a7f9956afb5
ssdeep   192:sleM/+Kcp/5wep7fJ34R+cOqlY8zury3SFj+et:XKS/zy/7Y8zUy8Vt
Entropy  5.003852
Path     C:\Windows\Temp

ANTIVIRUS

AhnLab                 Trojan/Win.REVSHELL
Avira                  TR/Agent.otyay
ESET                   a variant of MSIL/Agent.CYN trojan
IKARUS                 Trojan.MSIL.Agent
K7                     Trojan ( 0056c3b91 )
NANOAV                 Trojan.Win32.Generic.htepmy
Trend Micro            Trojan.74E45304
Trend Micro HouseCall  Trojan.74E45304
VirusBlokAda           TScope.Trojan.MSIL
Zillya!                Trojan.Agent.Win32.1371510

YARA RULES

 * rule CISA_10413062_10 : XEReverseShell trojan backdoor downloader dropper
   webshell remote_access communicates_with_C2 exfiltrates_data
   installs_other_components (identical to the rule listed above under
   8A5FC2B8ECB7AC6C0DB76049D7E09470DBC24F1A90026A431285244818866505)

SSDEEP MATCHES

No matches found.

RELATIONSHIPS

11d8b9be14.... Dropped_By    8a5fc2b8ecb7ac6c0db76049d7e09470dbc24f1a90026a431285244818866505
11d8b9be14.... Downloaded    5cbba90ba539d4eb6097169b0e9acf40b8c4740a01ddb70c67a8fb1fc3524570
11d8b9be14.... Connected_To  xework[.]com

DESCRIPTION

This artifact is a reverse shell utility with the internal name
‘XEReverseShell[.]exe’ that is dropped by "1596923477[.]4946315[.]png"
(8a5fc2b8ec...) into C:\Windows\Temp as sortcombat[.]exe. When this utility is
executed, it attempts to connect to the domain xework[.]com to obtain the IP
address of the C2 and the port number to listen on. If no IP address or port
number is obtained, the program terminates.

---Begin HTTP Sessions---
GET /masterip HTTP/1[.]1
Host: xework[.]com
Connection: Keep-Alive

GET /masterport HTTP/1[.]1
Host: xework[.]com
---End HTTP Sessions---

Upon receipt of the port number, XEReverseShell[.]exe will establish a listener
on the port to accept streamed data. The utility is able to read or write
streamed data and pass incoming commands to a command shell.
The program will check the OS Version of the system to determine what type of
command shell is required. For Windows systems it will invoke Y21kLmV4ZQ==
(cmd[.]exe), and for Linux it will invoke L2Jpbi9iYXNo (/bin/bash).

XEReverseShell collects the path to the web server system files, current
username, APP_POOL (IIS Application Pool configuration), ComputerName,
OSVersion, Internet IP, Local IP and Reverse Domain. If it cannot identify the
Internet IP address or Reverse Domain the utility attempts to connect to
api[.]hackertarget[.]com/reverselookup/?q= to identify the IP address or
retrieve answer records for the domain. Api[.]hackertarget[.]com is a legitimate
website hosted for blue teams and penetration testers.

XEReverseShell will send the system data to the C2 in the following format:

---Begin---
WEBSITE PATH

------------------------[ XE ReverseShell ]-----------------------
CURRENT USERNAME
APP POOL
COMPUTER NAME
SYSTEM
INTERNET IP        LOCAL IP
REVERSE DOMAIN
---End---

The utility will expect the command ‘xesetshell’ from the C2. If the command is
received it will connect to the C2 and download a file called small[.]txt
(5cbba90ba5...). Small[.]txt is a base64 encoded webshell that the program
decodes as small[.]aspx and places in the path C:\Windows\Temp.
If the utility receives the command ‘xequit’ it will sleep for a period of time
determined by the adversary.
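As an added example (not code from the CISA report), the following Python re-implements the six byte patterns of rule CISA_10413062_10 and its "2 of them" condition with plain byte searches, and decodes each pattern to show what it actually matches: the base64-wrapped MZ header of the embedded payload, base64 fragments of "XEReverseShell", and the UTF-16 form of the Y21kLmV4ZQ== (cmd[.]exe) string described above. The sample buffers are constructed here, and the plausibility heuristic for inner base64 is this example's own.

```python
"""Decode and evaluate the string patterns of YARA rule CISA_10413062_10.

Added example, not code from the CISA report. It re-implements the rule's
"2 of them" condition with plain byte searches so the logic can be
inspected and tested offline without yara-python; the hex patterns are
copied from the rule, the sample buffers are constructed here.
"""
import base64
import binascii
from typing import Dict, List, Optional

# The six hex strings exactly as they appear in rule CISA_10413062_10.
RULE_STRINGS: Dict[str, str] = {
    "$s1": "50 67 42 59 52 56 4a 6c 64 6d 56 79 63 32 56 54 61 47 56 73",
    "$s2": "54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41",
    "$s3": "78 65 73 76 72 73 2e 65 78 65",
    "$s4": "58 45 52 65 76 65 72 73 65 53 68 65 6c 6c",
    "$s5": "57 45 56 53 5a 58 5a 6c 63 6e 4e 6c 55 32",
    "$s6": "59 00 32 00 31 00 6b 00 4c 00 6d 00 56 00 34 00 5a 00 51 00 3d 00 3d",
}
MIN_MATCHES = 2  # the rule's condition: "2 of them"


def hex_pattern_to_bytes(pattern: str) -> bytes:
    """Convert the body of a YARA hex string ("50 67 ...") to raw bytes."""
    return bytes(int(tok, 16) for tok in pattern.split())


def _plausible(decoded: bytes) -> bool:
    """Heuristic (this example's own): accept a PE header or printable text.

    The base64 fragments in the rule do not fall on quantum boundaries, so a
    truncated decode of plain text (e.g. $s4) yields junk that must be
    rejected, while the MZ header (non-printable) must be kept.
    """
    if decoded.startswith(b"MZ"):
        return True
    return all(b == 0 or 0x20 <= b <= 0x7E for b in decoded)


def inner_base64(text: str) -> Optional[bytes]:
    """Decode a base64 fragment, dropping any trailing partial quantum."""
    usable = text[: len(text) - len(text) % 4]
    if not usable:
        return None
    try:
        decoded = base64.b64decode(usable, validate=True)
    except (binascii.Error, ValueError):
        return None
    return decoded if _plausible(decoded) else None


def describe(pattern: str) -> dict:
    """Explain one rule string: its text, its encoding, and any inner base64."""
    raw = hex_pattern_to_bytes(pattern)
    # UTF-16LE text shows up as ASCII bytes interleaved with NULs ($s6).
    if len(raw) >= 4 and not any(raw[1::2]):
        encoding, text = "utf-16le", raw[0::2].decode("ascii")
    else:
        encoding, text = "ascii", raw.decode("ascii")
    return {"encoding": encoding, "text": text, "inner": inner_base64(text)}


def match_rule(data: bytes) -> List[str]:
    """Identifiers of the rule strings present anywhere in data."""
    return [name for name, pat in RULE_STRINGS.items()
            if hex_pattern_to_bytes(pat) in data]


def rule_fires(data: bytes) -> bool:
    """Evaluate the rule condition "2 of them" against data."""
    return len(match_rule(data)) >= MIN_MATCHES


# Constructed sample buffers, not real malware bytes. SAMPLE_HIT mimics a
# base64-wrapped PE payload next to the UTF-16 "Y21kLmV4ZQ==" string;
# SAMPLE_MISS contains the plain family name once, which alone is not enough.
SAMPLE_HIT = (b"\x00" * 16 + b"TVqQAAMAAAAEAAAA//8AALgAAAA" + b"\x00" * 8
              + "Y21kLmV4ZQ==".encode("utf-16le") + b"\x00" * 8)
SAMPLE_MISS = b"release notes for XEReverseShell build 3" + b"\x00" * 16


if __name__ == "__main__":
    for name, pat in RULE_STRINGS.items():
        info = describe(pat)
        print(f"{name}: {info['text']!r} ({info['encoding']}) -> {info['inner']!r}")
    for label, buf in (("SAMPLE_HIT", SAMPLE_HIT), ("SAMPLE_MISS", SAMPLE_MISS)):
        print(f"{label}: matches {match_rule(buf)} fires={rule_fires(buf)}")
```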

XEWORK[.]COM

TAGS

command-and-control

PORTS

 * 80 TCP

HTTP SESSIONS

 * GET /masterip HTTP/1[.]1
   Host: xework[.]com
   Connection: Keep-Alive
 * GET /masterport HTTP/1[.]1
   Host: xework[.]com

WHOIS

Domain Name: XEWORK[.]COM
Registry Domain ID: 1568779295_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois[.]godaddy[.]com
Registrar URL: hxxp://www[.]godaddy[.]com
Updated Date: 2022-09-06T10:32:23Z
Creation Date: 2009-09-11T22:17:25Z
Registry Expiry Date: 2026-09-11T22:17:25Z
Registrar: GoDaddy[.]com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse[@]godaddy[.]com
Registrar Abuse Contact Phone: 480-624-2505
Domain Status: ok hxxps://icann[.]org/epp#ok
Name Server: NS05[.]DOMAINCONTROL[.]COM
Name Server: NS06[.]DOMAINCONTROL[.]COM
DNSSEC: unsigned

Domain Name: XEWORK[.]COM
Registry Domain ID: 1568779295_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois[.]godaddy[.]com
Registrar URL: hxxps://www[.]godaddy[.]com
Updated Date: 2018-03-05T23:44:55Z
Creation Date: 2009-09-11T17:17:25Z
Registrar Registration Expiration Date: 2026-09-11T17:17:25Z
Registrar: GoDaddy[.]com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse[@]godaddy[.]com
Registrar Abuse Contact Phone: +1[.]4806242505
Domain Status: ok hxxps://icann[.]org/epp#ok
Registry Registrant ID: Not Available From Registry
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Registrant Street: DomainsByProxy[.]com
Registrant Street: 2155 E Warner Rd
Registrant City: Tempe
Registrant State/Province: Arizona
Registrant Postal Code: 85284
Registrant Country: US
Registrant Phone: +1[.]4806242599
Registrant Phone Ext:
Registrant Fax: +1[.]4806242598
Registrant Fax Ext:
Registrant Email: Select Contact Domain Holder link at
hxxps://www[.]godaddy[.]com/whois/results.aspx?domain=xework.com
Registry Admin ID: Not Available From Registry
Admin Name: Registration Private
Admin Organization: Domains By Proxy, LLC
Admin Street: DomainsByProxy[.]com
Admin Street: 2155 E Warner Rd
Admin City: Tempe
Admin State/Province: Arizona
Admin Postal Code: 85284
Admin Country: US
Admin Phone: +1[.]4806242599
Admin Phone Ext:
Admin Fax: +1[.]4806242598
Admin Fax Ext:
Admin Email: Select Contact Domain Holder link at
hxxps://www[.]godaddy[.]com/whois/results.aspx?domain=xework.com
Registry Tech ID: Not Available From Registry
Tech Name: Registration Private
Tech Organization: Domains By Proxy, LLC
Tech Street: DomainsByProxy[.]com
Tech Street: 2155 E Warner Rd
Tech City: Tempe
Tech State/Province: Arizona
Tech Postal Code: 85284
Tech Country: US
Tech Phone: +1[.]4806242599
Tech Phone Ext:
Tech Fax: +1[.]4806242598
Tech Fax Ext:
Tech Email: Select Contact Domain Holder link at
hxxps://www[.]godaddy[.]com/whois/results.aspx?domain=xework.com
Name Server: NS05[.]DOMAINCONTROL[.]COM
Name Server: NS06[.]DOMAINCONTROL[.]COM
DNSSEC: unsigned

RELATIONSHIPS

xework[.]com Connected_From 11d8b9be14097614dedd68839c85e3e8feec08cdab675a5e89c5b055a6a68bad
xework[.]com Connected_From a0ab222673d35d750a0290db1b0ce890b9d40c2ab67bfebb62e1a006e9f2479c
xework[.]com Resolved_To    184[.]168[.]104[.]171
xework[.]com Resolved_To    144[.]96[.]103[.]245

DESCRIPTION

At the time of analysis, the files "XEReverseShell[.]exe" (11d8b9be14...) and
"Multi-OS_ReverseShell[.]exe" (a0ab222673...) attempted to connect to this
domain.

184[.]168[.]104[.]171

RELATIONSHIPS

184[.]168[.]104[.]171 Resolved_To xegroups[.]com
184[.]168[.]104[.]171 Resolved_To hivnd[.]com
184[.]168[.]104[.]171 Resolved_To xework[.]com

DESCRIPTION

At the time of analysis, the domains xework[.]com, xegroups[.]com, and
hivnd[.]com resolved to this IP address.

144[.]96[.]103[.]245

RELATIONSHIPS

144[.]96[.]103[.]245 Resolved_To xework[.]com

DESCRIPTION

The domain xework[.]com returned this IP address as the masterip for the reverse
shell.

5CBBA90BA539D4EB6097169B0E9ACF40B8C4740A01DDB70C67A8FB1FC3524570

TAGS

 * downloader
 * uploader
 * webshell

DETAILS

Name     small.txt
Size     8900 bytes
Type     ASCII text, with very long lines, with no line terminators
MD5      d75ab9cb786b6f125e4cdbc92a73fa21
SHA1     d5cdda25247c3e6f1fd099077fae156ed7bada4f
SHA256   5cbba90ba539d4eb6097169b0e9acf40b8c4740a01ddb70c67a8fb1fc3524570
SHA512   b49caa7b6fdbeba5ba8e615e9297bd52e89e2eb9af220a63064fe3479c8ffcafe21f6f446a8acb23073478284bfb8b963e223ff76baa4c1dd95e15f364579ae2
ssdeep   192:xNXm9xavX5N7R9e9WO7tAp1qTzUUCDhI5L6WrG/ht:x1my/5N7R9eO1qTwUei5baJt
Entropy  5.730812
Path     C:\Windows\Temp

ANTIVIRUS

No matches found.

YARA RULES

No matches found.

SSDEEP MATCHES

No matches found.

RELATIONSHIPS

5cbba90ba5.... Related_To     08375e2d187ee53ed263ee6529645e03ead1a8e77afd723a3e0495201452d415
5cbba90ba5.... Downloaded_By  11d8b9be14097614dedd68839c85e3e8feec08cdab675a5e89c5b055a6a68bad

DESCRIPTION

This artifact is a base64-encoded text file that is downloaded by
"XEReverseShell[.]exe" (11d8b9be14...), decoded as small[.]aspx, and placed in
the path C:\Windows\Temp.

08375E2D187EE53ED263EE6529645E03EAD1A8E77AFD723A3E0495201452D415

TAGS

 * downloader
 * trojan
 * uploader
 * webshell

DETAILS

Name     small.aspx
Size     6674 bytes
Type     HTML document, ASCII text, with CRLF line terminators
MD5      ce8481189008d7f4a685615508110d88
SHA1     2ec08e86c5605c1d5b4b979067148c5e4d334979
SHA256   08375e2d187ee53ed263ee6529645e03ead1a8e77afd723a3e0495201452d415
SHA512   48e28bbc4b3f852cb050fbc2566eae1f8f4d34d2452c1855f07619f6ecbbaeb1afd5b6279273876653b5f08204a48e56fbf7eb3299973949ccd58cab05ef4611
ssdeep   192:HK9wCk78M7t/H1dRfHWgWOWPlWbDLAMEM26C9tTVUFF:QLw8EfHWgWOWPlW3LcM26C9tTOF
Entropy  5.426950
Path     C:\Windows\Temp

ANTIVIRUS

AhnLab                 WebShell/ASP.Generic.S1358
Avira                  BDC/ASPShell.G2
ESET                   ASP/Webshell.IW trojan
IKARUS                 Trojan.ASP.Agent
Trend Micro            Backdoo.994AB529
Trend Micro HouseCall  Backdoo.994AB529

YARA RULES

 * rule CISA_10413062_09 : trojan webshell
   {
      meta:
          Author = "CISA Code & Media Analysis"
          Incident = "10413062"
          Date = "2022-12-05"
          Last_Modified = "20221215_1930"
          Actor = "n/a"
          Family = "n/a"
          Capabilities = "n/a"
          Malware_Type = "trojan downloader webshell"
          Tool_Type = "n/a"
          Description = "Detects ASPX Webshell samples"
          MD5_1 = "ce8481189008d7f4a685615508110d88"
          SHA256_1 =
   "08375e2d187ee53ed263ee6529645e03ead1a8e77afd723a3e0495201452d415"
      strings:
          $s1 = { 50 61 67 65 20 4c 61 6e 67 75 61 67 65 3d 22 43 23 22 }
          $s2 = { 72 75 6e 61 74 3d 22 73 65 72 76 65 72 22 }
          $s3 = { 44 72 69 76 65 49 6e 66 6f }
          $s4 = { 74 78 74 43 6d 64 49 6e }
          $s5 = { 63 6d 64 55 70 6c 6f 61 64 }
          $s6 = { 50 61 73 73 54 68 72 6f 75 67 68 }
      condition:
          all of them
   }

SSDEEP MATCHES

No matches found.

RELATIONSHIPS

08375e2d18.... Related_To  5cbba90ba539d4eb6097169b0e9acf40b8c4740a01ddb70c67a8fb1fc3524570
08375e2d18.... Dropped_By  815d262d38a26d5695606d03d5a1a49b9c00915ead1d8a2c04eb47846100e93f
08375e2d18.... Dropped_By  1fed0766f564dc05a119bc7fa0b6670f0da23504e23ece94a5ae27787b674cd2
08375e2d18.... Dropped_By  a0ab222673d35d750a0290db1b0ce890b9d40c2ab67bfebb62e1a006e9f2479c

DESCRIPTION

This artifact is an ASPX webshell. The webshell is able to enumerate drives on
the system, send, receive and delete files, and also execute incoming commands.
The webshell contains an interface for easily browsing for files, directories,
or drives on the system. It can sort files by size or MAC time, and allows the
user to upload or download files to any directory.

78A926F899320EE6F05AB96F17622FB68E674296689E8649C95F95DADE91E933

TAGS

 * decryptor
 * dropper
 * trojan

DETAILS

Name     1596686310.434117.png
Size     165376 bytes
Type     PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5      d3cf1d590b2a63ae6070dd0011390f03
SHA1     395c45a16e491652b53b845cc3618cfe2c022f09
SHA256   78a926f899320ee6f05ab96f17622fb68e674296689e8649c95f95dade91e933
SHA512   728bce79d8b2c14048a9cebedcf5e3fb671f60d484405746b50de304c5739fb16cb68f6e5099bb0e85b37d7f181881257618617e55a7520eabd8d89f2ffecaa0
ssdeep   3072:gfiiSHmmxCxt1bWWehJoDWN7WJ2UVC+4EWU+/E:MSHmsm1b34VUWU1
Entropy  6.238663

ANTIVIRUS

Bitdefender  Gen:Variant.Tedy.146424
Emsisoft     Gen:Variant.Tedy.146424 (B)
ESET         a variant of Win64/Agent.AQS trojan

YARA RULES

 * rule CISA_10413062_10 : XEReverseShell trojan backdoor downloader dropper
   webshell remote_access communicates_with_C2 exfiltrates_data
   installs_other_components (identical to the rule listed above under
   8A5FC2B8ECB7AC6C0DB76049D7E09470DBC24F1A90026A431285244818866505)

SSDEEP MATCHES

No matches found.

RELATIONSHIPS

78a926f899.... Dropped
815d262d38a26d5695606d03d5a1a49b9c00915ead1d8a2c04eb47846100e93f

DESCRIPTION

This artifact is a DLL that drops and executes a reverse shell utility. When the
DLL is loaded, it drops an embedded, base64-encoded payload named
‘xesmartshell’ (508dd87110...) into the path C:\Windows\Temp. The program then
invokes certutil[.]exe with the -decode option and writes the decoded file as
xesvrs[.]exe (1fed0766f5...) into C:\Windows\Temp. Cmd[.]exe is then invoked to
execute the reverse shell.

815D262D38A26D5695606D03D5A1A49B9C00915EAD1D8A2C04EB47846100E93F

TAGS

 * backdoor
 * decryptor
 * dropper
 * trojan

DETAILS

Name     XEReverseShell.exe
Size     26624 bytes
Type     PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5      37e173b932596af62fefc4dc10c8551d
SHA1     342e7fe54de2a60bbb82d29af375385d4ba335fe
SHA256   815d262d38a26d5695606d03d5a1a49b9c00915ead1d8a2c04eb47846100e93f
SHA512   d4f823e08ee697d2900ca7efcb6edecb3000a140d90cb20e6ef587d8107e249a01771a783863ab155cec87e082ca57ad84da4b54ecac073a15a3b106933cf43c
ssdeep   768:jEyUcAiat1Nk8JIN9F76BnwRigRI1n4N:AyszWSEigm4N
Entropy  4.348908
Path     C:\Windows\Temp

ANTIVIRUS

Avira         HEUR/AGEN.1236126
Bitdefender   Gen:Heur.Bodegun.19
Comodo        Malware
Emsisoft      Gen:Heur.Bodegun.19 (B)
ESET          MSIL/Agent.CYN trojan
IKARUS        Backdoor.MSIL.Bladabindi
K7            Riskware ( 0040eff71 )
McAfee        GenericRXLT-TK!37E173B93259
NANOAV        Trojan.Win32.Generic.htfhkw
VirusBlokAda  TScope.Trojan.MSIL
Zillya!       Trojan.Agent.Win32.1367166

YARA RULES

 * rule CISA_10413062_10 : XEReverseShell trojan backdoor downloader dropper
   webshell remote_access communicates_with_C2 exfiltrates_data
   installs_other_components (identical to the rule listed above under
   8A5FC2B8ECB7AC6C0DB76049D7E09470DBC24F1A90026A431285244818866505)

SSDEEP MATCHES

No matches found.

RELATIONSHIPS

815d262d38.... Dropped       08375e2d187ee53ed263ee6529645e03ead1a8e77afd723a3e0495201452d415
815d262d38.... Dropped_By    78a926f899320ee6f05ab96f17622fb68e674296689e8649c95f95dade91e933
815d262d38.... Connected_To  xegroups[.]com

DESCRIPTION

This artifact is a reverse shell utility named ‘XE ReverseShell[.]exe’ that is
dropped and decoded by "1596686310[.]434117[.]png" (78a926f899...). When the
utility is executed, it attempts to connect to the domain xegroups[.]com to
obtain the IP address of the C2 and the port number to listen on. If no IP
address or port number is obtained, the program terminates.

---Begin HTTP Session---
GET /masterip HTTP/1[.]1
Host: xegroups[.]com
Connection: Keep-Alive

GET /masterport HTTP/1[.]1
Host: xegroups[.]com
---End HTTP Session---

Upon receipt of the port number, XE ReverseShell will establish a listener on
the port to accept streamed data. The utility is able to read or write streamed
data and pass incoming commands to a command shell.
The program will check the OS Version of the system to determine what type of
command shell is required. For Windows systems it will invoke Y21kLmV4ZQ==
(cmd[.]exe), and for Linux it will invoke L2Jpbi9iYXNo (/bin/bash).

XE ReverseShell collects the path to the web server system files, current
username, APP_POOL (IIS Application Pool configuration), ComputerName,
OSVersion, Internet IP, Local IP and Reverse Domain.
XEReverseShell will send the system data to the C2 in the following format:

---Begin---
---------------[ XE ReverseShell ]---------------
CURRENT USERNAME
APP POOL            APP_POOL_CONFIG
COMPUTER NAME
SYSTEM                LOCAL IP
-----------------------------------------------------
---End---

After the listener is set, the utility will execute the ‘setshell’ command that
drops an embedded ASPX webshell (08375e2d18...). If the utility receives the
command ‘xequit’ it will sleep for a period of time determined by the adversary.

XEGROUPS[.]COM

TAGS

command-and-control

PORTS

 * 443 TCP

HTTP SESSIONS

 * GET /masterip HTTP/1[.]1
   Host: xegroups[.]com
   Connection: Keep-Alive
 * GET /masterport HTTP/1[.]1
   Host: xegroups[.]com
   Connection: Keep-Alive

WHOIS

Domain Name: XEGROUPS[.]COM
Registry Domain ID: 1688868944_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois[.]godaddy[.]com
Registrar URL: hxxp://www[.]godaddy[.]com
Updated Date: 2022-09-10T12:19:48Z
Creation Date: 2011-11-25T06:06:37Z
Registry Expiry Date: 2026-11-25T06:06:37Z
Registrar: GoDaddy[.]com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse[@]godaddy[.]com
Registrar Abuse Contact Phone: 480-624-2505
Domain Status: ok hxxps://icann[.]org/epp#ok
Name Server: NS15[.]DOMAINCONTROL[.]COM
Name Server: NS16[.]DOMAINCONTROL[.]COM
Name Server: PDNS05[.]DOMAINCONTROL[.]COM
Name Server: PDNS06[.]DOMAINCONTROL[.]COM
DNSSEC: unsigned

Domain Name: XEGROUPS[.]COM
Registry Domain ID: 1688868944_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois[.]godaddy[.]com
Registrar URL: hxxps://www[.]godaddy[.]com
Updated Date: 2022-03-31T11:16:55Z
Creation Date: 2011-11-25T01:06:37Z
Registrar Registration Expiration Date: 2026-11-25T01:06:37Z
Registrar: GoDaddy[.]com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse[@]godaddy[.]com
Registrar Abuse Contact Phone: +1[.]4806242505
Domain Status: ok hxxps://icann[.]org/epp#ok
Registry Registrant ID: Not Available From Registry
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Registrant Street: DomainsByProxy[.]com
Registrant Street: 2155 E Warner Rd
Registrant City: Tempe
Registrant State/Province: Arizona
Registrant Postal Code: 85284
Registrant Country: US
Registrant Phone: +1[.]4806242599
Registrant Phone Ext:
Registrant Fax: +1[.]4806242598
Registrant Fax Ext:
Registrant Email: Select Contact Domain Holder link at
hxxps://www[.]godaddy[.]com/whois/results.aspx?domain=xegroups.com
Registry Admin ID: Not Available From Registry
Admin Name: Registration Private
Admin Organization: Domains By Proxy, LLC
Admin Street: DomainsByProxy[.]com
Admin Street: 2155 E Warner Rd
Admin City: Tempe
Admin State/Province: Arizona
Admin Postal Code: 85284
Admin Country: US
Admin Phone: +1[.]4806242599
Admin Phone Ext:
Admin Fax: +1[.]4806242598
Admin Fax Ext:
Admin Email: Select Contact Domain Holder link at
hxxps://www[.]godaddy[.]com/whois/results.aspx?domain=xegroups.com
Registry Tech ID: Not Available From Registry
Tech Name: Registration Private
Tech Organization: Domains By Proxy, LLC
Tech Street: DomainsByProxy[.]com
Tech Street: 2155 E Warner Rd
Tech City: Tempe
Tech State/Province: Arizona
Tech Postal Code: 85284
Tech Country: US
Tech Phone: +1[.]4806242599
Tech Phone Ext:
Tech Fax: +1[.]4806242598
Tech Fax Ext:
Tech Email: Select Contact Domain Holder link at
hxxps://www[.]godaddy[.]com/whois/results.aspx?domain=xegroups.com
Name Server: NS15[.]DOMAINCONTROL[.]COM
Name Server: NS16[.]DOMAINCONTROL[.]COM
Name Server: PDNS05[.]DOMAINCONTROL[.]COM
Name Server: PDNS06[.]DOMAINCONTROL[.]COM
DNSSEC: unsigned

RELATIONSHIPS

xegroups[.]com Resolved_To     184[.]168[.]104[.]171
xegroups[.]com Connected_From  815d262d38a26d5695606d03d5a1a49b9c00915ead1d8a2c04eb47846100e93f
xegroups[.]com Connected_From  1fed0766f564dc05a119bc7fa0b6670f0da23504e23ece94a5ae27787b674cd2

DESCRIPTION

At the time of analysis, the files "XEReverseShell[.]exe" (815d262d38...) and
"Multi-OS_ReverseShell[.]exe" (1fed0766f56...) attempted to connect to this
domain.

508DD87110CB5BF5D156A13C2430C215035DB216F20F546E4ACEC476E8D55370

TAGS

 * backdoor
 * decryptor
 * downloader
 * dropper
 * loader
 * trojan

DETAILS

Name     xesmartshell.tmp
Size     35499 bytes
Type     ASCII text, with very long lines, with no line terminators
MD5      0bcceb4fdfb12db21fdfc3a42b9c4693
SHA1     f57d14e291eba19ce484ec4702a7e1f67eaeb7a0
SHA256   508dd87110cb5bf5d156a13c2430c215035db216f20f546e4acec476e8d55370
SHA512   0734d29669a988680e1fedade894d541e37b301460761e247acaa77265d694c441dbff5dca3c7603a77384a969fdd45e375040c582f2de7479fbbcb105a52e20
ssdeep   768:lcK0h28/Z2uPn9V+58vQK9Pu605OF18oukmsuH9wuHE2suSxFuPR22p1Ek:lc8k2Y9VN9Pj0UF101Ek
Entropy  4.370109
Path     C:\Windows\Temp

ANTIVIRUS

Bitdefender  Gen:Heur.Bodegun.19
Emsisoft     Gen:Heur.Bodegun.19 (B)
IKARUS       Trojan-Downloader.MSIL.Agent

YARA RULES

 * rule CISA_10413062_10 : XEReverseShell trojan backdoor downloader dropper
   webshell remote_access communicates_with_C2 exfiltrates_data
   installs_other_components (identical to the rule listed above under
   8A5FC2B8ECB7AC6C0DB76049D7E09470DBC24F1A90026A431285244818866505)

SSDEEP MATCHES

No matches found.

RELATIONSHIPS

508dd87110.... Related_To
1fed0766f564dc05a119bc7fa0b6670f0da23504e23ece94a5ae27787b674cd2

DESCRIPTION

This artifact is a base64-encoded file. The file is decoded using the
command-line utility certutil[.]exe and executed as xesvrs[.]exe
(1fed0766f5...).

1FED0766F564DC05A119BC7FA0B6670F0DA23504E23ECE94A5AE27787B674CD2

TAGS

backdoor, decryptor, dropper, trojan

DETAILS

Name: xesvrs.exe
Size: 30719 bytes
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: d85880ad1e87c4266f899eca02207dd4
SHA1: a7fc982d1fc30548cbe43cf643be22a31323f23b
SHA256: 1fed0766f564dc05a119bc7fa0b6670f0da23504e23ece94a5ae27787b674cd2
SHA512: a16333b864b1ec58db6e3a8bc18c9aa4c09ad71fcbe68054c0bfb6a0c41584750962388b153d72bcb238c2b6d7e14bc5b39af896fecc61ce646443e12369a24e
ssdeep: 768:jEyUcAiat1Nk8JIN9F76BnwRigRI1n4Nkn:AyszWSEigm4N+
Entropy: 4.381223
Path: C:\Windows\Temp

ANTIVIRUS

 * Avira: HEUR/AGEN.1236126
 * Bitdefender: Gen:Heur.Bodegun.19
 * Emsisoft: Gen:Heur.Bodegun.19 (B)
 * ESET: MSIL/Agent.CYN trojan
 * K7: Riskware ( 0040eff71 )
 * McAfee: GenericRXLT-TK!D85880AD1E87
 * VirusBlokAda: TScope.Trojan.MSIL

YARA RULES

 * rule CISA_10413062_10 : XEReverseShell trojan backdoor downloader dropper
   webshell remote_access communicates_with_C2 exfiltrates_data
   installs_other_components
   {
      meta:
          Author = "CISA Code & Media Analysis"
          Incident = "10413062"
          Date = "2022-11-23"
          Last_Modified = "20221215_1930"
          Actor = "n/a"
          Family = "XEReverseShell"
          Capabilities = "remote-access communicates-with-C2 exfiltrates-data
   installs-other-components"
          Malware_Type = "trojan backdoor downloader dropper webshell"
          Tool_Type = "remote-access"
          Description = "Detects XEReverseShell samples"
          MD5_1 = "37e173b932596af62fefc4dc10c8551d"
          SHA256_1 =
   "815d262d38a26d5695606d03d5a1a49b9c00915ead1d8a2c04eb47846100e93f"
          MD5_2 = "0bcceb4fdfb12db21fdfc3a42b9c4693"
          SHA256_2 =
   "508dd87110cb5bf5d156a13c2430c215035db216f20f546e4acec476e8d55370"
          MD5_3 = "42d7b2e1bcf75f9c469afa340f078c86"
          SHA256_3 =
   "d9273a16f979adee1afb6e55697d3b7ab42fd75051786f8c67a6baf46c4c19c2"
          MD5_4 = "d85880ad1e87c4266f899eca02207dd4"
          SHA256_4 =
   "1fed0766f564dc05a119bc7fa0b6670f0da23504e23ece94a5ae27787b674cd2"
          MD5_5 = "eaa579d911b8a47eaaea744d59d14708"
          SHA256_5 =
   "11d8b9be14097614dedd68839c85e3e8feec08cdab675a5e89c5b055a6a68bad"
          MD5_6 = "f968639a4840535a6ecda1cbe3065260"
          SHA256_6 =
   "a0ab222673d35d750a0290db1b0ce890b9d40c2ab67bfebb62e1a006e9f2479c"
          MD5_7 = "137423d7b7f5a5684a9b1457f46fdfb2"
          SHA256_7 =
   "e45ad91f12188a7c3d4891b70e1ee87a3f23eb981804ea72cd23f1d5e331ff5a"
          MD5_8 = "7947ce86923d732e6963c79aea757036"
          SHA256_8 =
   "8a5fc2b8ecb7ac6c0db76049d7e09470dbc24f1a90026a431285244818866505"
          MD5_9 = "d3cf1d590b2a63ae6070dd0011390f03"
          SHA256_9 =
   "78a926f899320ee6f05ab96f17622fb68e674296689e8649c95f95dade91e933"        
      strings:
          $s1 = { 50 67 42 59 52 56 4a 6c 64 6d 56 79 63 32 56 54 61 47 56 73 }
          $s2 = { 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 }
          $s3 = { 78 65 73 76 72 73 2e 65 78 65 }
          $s4 = { 58 45 52 65 76 65 72 73 65 53 68 65 6c 6c }
          $s5 = { 57 45 56 53 5a 58 5a 6c 63 6e 4e 6c 55 32 }
          $s6 = { 59 00 32 00 31 00 6b 00 4c 00 6d 00 56 00 34 00 5a 00 51 00 3d
   00 3d }
      condition:
          2 of them
   }

SSDEEP MATCHES

No matches found.

RELATIONSHIPS

 * 1fed0766f5.... Dropped 08375e2d187ee53ed263ee6529645e03ead1a8e77afd723a3e0495201452d415
 * 1fed0766f5.... Related_To 508dd87110cb5bf5d156a13c2430c215035db216f20f546e4acec476e8d55370
 * 1fed0766f5.... Related_To d9273a16f979adee1afb6e55697d3b7ab42fd75051786f8c67a6baf46c4c19c2
 * 1fed0766f5.... Connected_To xegroups[.]com

DESCRIPTION

This artifact is a reverse shell utility named ‘Multi-OS ReverseShell[.]exe’
that is decoded from xesmartshell[.]tmp (508dd87110...). When executed, the
utility attempts to connect to the domain xegroups[.]com over Secure Sockets
Layer (SSL) to obtain the IP address of the C2 and the port number to listen
on. If no IP address or port number is obtained, the program terminates.

Upon receipt of the port number, Multi-OS ReverseShell establishes a listener
on that port to accept streamed data. If a port number is not returned, the
program listens on TCP 3979 by default. The utility can read and write streamed
data and passes incoming commands to a command shell.
The program checks the OS version of the system to determine which command
shell is required; the shell names are stored as base64-encoded strings. For
Windows systems it invokes Y21kLmV4ZQ== (cmd[.]exe), and for Linux it invokes
L2Jpbi9iYXNo (/bin/bash).

Multi-OS ReverseShell collects the path to the web server system files, current
username, APP_POOL (IIS Application Pool configuration), ComputerName,
OSVersion, Internet IP, Local IP and Reverse Domain.
XEReverseShell sends the system data to the C2 in the following format:

---Begin---
---[ X ReverseShell ]---
CURRENT USERNAME
APP POOL            APP_POOL_CONFIG
COMPUTER NAME
SYSTEM                LOCAL IP
-----------------------------
---End---

After the listener is set, the utility will execute the ‘setshell’ command that
drops an embedded ASPX webshell (08375e2d18...). If the utility receives the
command ‘xequit’ it will sleep for a period of time determined by the adversary.

E45AD91F12188A7C3D4891B70E1EE87A3F23EB981804EA72CD23F1D5E331FF5A

TAGS

decryptor, dropper, trojan

DETAILS

Name: 1596835329.5015914.png
Size: 165888 bytes
Type: PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5: 137423d7b7f5a5684a9b1457f46fdfb2
SHA1: 679a6b4b7fa0978e38b327e318059c26b883b064
SHA256: e45ad91f12188a7c3d4891b70e1ee87a3f23eb981804ea72cd23f1d5e331ff5a
SHA512: d56ed37959b6ea37d0f2e58d6f1f61b7b85fa593d1228a402c9798c945e52432008c7a897a6b8e40bfd33fae22df34db93ce46a83f728675e109d828bc1cb995
ssdeep: 3072:orofuzXob2OYWWibJXDYipzo2UVX+pnn/quS/eSzYU:FfuzXZOY3aSinn/quS/eSz
Entropy: 6.244787

ANTIVIRUS

 * Bitdefender: Gen:Variant.Tedy.146424
 * Emsisoft: Gen:Variant.Tedy.146424 (B)
 * ESET: a variant of Win64/Agent.AQS trojan
 * K7: Trojan ( 0058b2b81 )
 * McAfee: RDN/Generic Exploit
 * Zillya!: Trojan.Agent.Win64.22713

YARA RULES

 * rule CISA_10413062_10 : XEReverseShell trojan backdoor downloader dropper
   webshell remote_access communicates_with_C2 exfiltrates_data
   installs_other_components (rule body identical to the copy listed above;
   not repeated here)

SSDEEP MATCHES

No matches found.

RELATIONSHIPS

 * e45ad91f12.... Related_To d9273a16f979adee1afb6e55697d3b7ab42fd75051786f8c67a6baf46c4c19c2
 * e45ad91f12.... Dropped a0ab222673d35d750a0290db1b0ce890b9d40c2ab67bfebb62e1a006e9f2479c

DESCRIPTION

This artifact is a DLL that drops and executes a reverse shell utility. When the
DLL is loaded it drops an embedded, base64-encoded payload named
‘SortVistaCompat’ (d9273a16f9...) into the path C:\Windows\Temp. The program
then invokes the command-line utility certutil[.]exe with the -decode option
and writes the decoded file as xesvrs[.]exe (1fed0766f5...) into
C:\Windows\Temp. Cmd[.]exe is then invoked to execute the dropped file.

D9273A16F979ADEE1AFB6E55697D3B7AB42FD75051786F8C67A6BAF46C4C19C2

TAGS

backdoor, dropper, trojan

DETAILS

Name: SortVistaCompat
Size: 36183 bytes
Type: ASCII text, with very long lines, with no line terminators
MD5: 42d7b2e1bcf75f9c469afa340f078c86
SHA1: 490a804022bcf79688422821df6012c429cec391
SHA256: d9273a16f979adee1afb6e55697d3b7ab42fd75051786f8c67a6baf46c4c19c2
SHA512: 127f3a7d8a74d6dcbb400313d305ac228be42a55a07c17af4d1243e6797b3059bde5590953616f8715a9fa1ec11ebfa94de9d7413c14c9c6d6b0a5d5b65dc091
ssdeep: 768:7inoJ6DKT4LxIgO2xl7wZLLbuM33kIBn37/vSHpaTNu8ETudlSCusxJ5caWYGx3c:OnoJe+gO2xJKuMnkCnz6HUTCJSTJ
Entropy: 4.388474
Path: C:\Windows\Temp

ANTIVIRUS

 * Bitdefender: Gen:Heur.Bodegun.19
 * Comodo: Malware
 * Emsisoft: Gen:Heur.Bodegun.19 (B)
 * IKARUS: Trojan.MSIL.Agent
 * NANOAV: Trojan.Win32.Generic.hthjis

YARA RULES

 * rule CISA_10413062_10 : XEReverseShell trojan backdoor downloader dropper
   webshell remote_access communicates_with_C2 exfiltrates_data
   installs_other_components (rule body identical to the copy listed above;
   not repeated here)

SSDEEP MATCHES

No matches found.

RELATIONSHIPS

 * d9273a16f9.... Related_To 1fed0766f564dc05a119bc7fa0b6670f0da23504e23ece94a5ae27787b674cd2
 * d9273a16f9.... Related_To e45ad91f12188a7c3d4891b70e1ee87a3f23eb981804ea72cd23f1d5e331ff5a

DESCRIPTION

This artifact is a base64-encoded file. The file is decoded using the
command-line utility certutil[.]exe and executed as xesvrs[.]exe
(1fed0766f5...).

A0AB222673D35D750A0290DB1B0CE890B9D40C2AB67BFEBB62E1A006E9F2479C

TAGS

backdoor, decryptor, dropper, trojan

DETAILS

Name: Multi-OS_ReverseShell.exe
Size: 27136 bytes
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: f968639a4840535a6ecda1cbe3065260
SHA1: 7d6a87fa147d36ec7c46fddbb42ba7665f502207
SHA256: a0ab222673d35d750a0290db1b0ce890b9d40c2ab67bfebb62e1a006e9f2479c
SHA512: 80a5b1054a7efc7fd7a98a3b13ec13d806f9c7a421f61300812799a87a9f4f96059db54a9318b382d4a4f71364944e2bb1a45af946b1965f056f6a4bad37c6d1
ssdeep: 768:zwEtSNcAiat1Nk8JIN9F76BnwRigRI1terN:zfA/zWSEig1rN
Entropy: 4.404027
Path: C:\Windows\Temp

ANTIVIRUS

 * Avira: HEUR/AGEN.1236126
 * Bitdefender: Gen:Heur.Bodegun.19
 * Emsisoft: Gen:Heur.Bodegun.19 (B)
 * ESET: a variant of MSIL/Agent.CYN trojan
 * IKARUS: Backdoor.MSIL.Bladabindi
 * K7: Riskware ( 0040eff71 )
 * McAfee: GenericRXLT-TK!F968639A4840
 * NANOAV: Trojan.Win32.Generic.hthjis
 * Trend Micro: Backdoo.52B82A20
 * Trend Micro HouseCall: Backdoo.52B82A20
 * VirusBlokAda: TScope.Trojan.MSIL
 * Zillya!: Trojan.Agent.Win32.1371723

YARA RULES

 * rule CISA_10413062_10 : XEReverseShell trojan backdoor downloader dropper
   webshell remote_access communicates_with_C2 exfiltrates_data
   installs_other_components (rule body identical to the copy listed above;
   not repeated here)

SSDEEP MATCHES

No matches found.

RELATIONSHIPS

 * a0ab222673.... Dropped 08375e2d187ee53ed263ee6529645e03ead1a8e77afd723a3e0495201452d415
 * a0ab222673.... Dropped_By e45ad91f12188a7c3d4891b70e1ee87a3f23eb981804ea72cd23f1d5e331ff5a
 * a0ab222673.... Connected_To xework[.]com

DESCRIPTION

This artifact is a reverse shell utility named ‘XEReverseShell[.]exe’ that is
dropped by "1596835329[.]5015914[.]png" (e45ad91f12...) into C:\Windows\Temp as
xesvrs[.]exe. When the utility is executed it will attempt to connect to the
domain xework[.]com to obtain the IP address of the C2 and port number to listen
on. If no IP address or port number is obtained the program will terminate.

---Begin HTTP Sessions---
GET /masterip HTTP/1[.]1
Host: xework[.]com
Connection: Keep-Alive

GET /masterport HTTP/1[.]1
Host: xework[.]com
---End HTTP Sessions---

Upon receipt of the port number, XEReverseShell will establish a listener on the
port to accept streamed data. The utility is able to read or write streamed data
and pass incoming commands to a command shell.
The program checks the OS version of the system to determine which command
shell is required; the shell names are stored as base64-encoded strings. For
Windows systems it invokes Y21kLmV4ZQ== (cmd[.]exe), and for Linux it invokes
L2Jpbi9iYXNo (/bin/bash).

XEReverseShell collects the path to the web server system files, current
username, APP_POOL (IIS Application Pool configuration), ComputerName,
OSVersion, Internet IP, Local IP and Reverse Domain. If it cannot identify the
Internet IP address or Reverse Domain the utility attempts to connect to
api[.]hackertarget[.]com/reverselookup/?q= to identify the IP address or
retrieve answer records for the domain. Api[.]hackertarget[.]com is a legitimate
website hosted for blue teams and penetration testers.

XEReverseShell will send the system data to the C2 in the following format:
---Begin---
|

------------------------[ XE ReverseShell ]-----------------------
CURRENT USERNAME
APP POOL        APP_POOL_CONFIG
COMPUTER NAME
SYSTEM
INTERNET IP        LOCAL IP
REVERSE DOMAIN

-------------------------------------------------------------------------
---End---

After the listener is set, the program will drop and decode an embedded base64
encoded webshell named small[.]aspx (08375e2d18...) into the path
C:\Windows\Temp. If the utility receives the command ‘xequit’ it will sleep for
a period of time determined by the adversary.
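Rule CISA_10413062_10 above matches six byte patterns, and the description notes that the shell names are stored base64-encoded (Y21kLmV4ZQ==, L2Jpbi9iYXNo). The following Python script is an added example, not CISA's code or tooling from the report: it decodes each rule string back to what it encodes (plain ASCII, a UTF-16LE wide string, or a base64 run, padded where the signature cuts a run short) and evaluates the rule's "2 of them" condition over two constructed sample buffers.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# The six hex strings of YARA rule CISA_10413062_10, copied from the report.
XE_REVERSE_SHELL_STRINGS: Dict[str, str] = {
    "$s1": "50 67 42 59 52 56 4a 6c 64 6d 56 79 63 32 56 54 61 47 56 73",
    "$s2": "54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41",
    "$s3": "78 65 73 76 72 73 2e 65 78 65",
    "$s4": "58 45 52 65 76 65 72 73 65 53 68 65 6c 6c",
    "$s5": "57 45 56 53 5a 58 5a 6c 63 6e 4e 6c 55 32",
    "$s6": "59 00 32 00 31 00 6b 00 4c 00 6d 00 56 00 34 00 5a 00 51 00 3d 00 3d",
}

BASE64_RUN = re.compile(r"[A-Za-z0-9+/]+=*")


def yara_hex_to_bytes(hex_body: str) -> bytes:
    """Turn a YARA hex string body ('50 67 ...') into the bytes it matches."""
    return bytes.fromhex(hex_body.replace(" ", ""))


def is_printable_ascii(data: bytes) -> bool:
    return len(data) > 0 and all(0x20 <= b < 0x7F for b in data)


def as_wide_text(data: bytes) -> Optional[str]:
    """Return the text if data is an ASCII-range UTF-16LE string (the form
    .NET stores string literals in), else None. A signature may stop one
    byte short of the final character's high null byte, as $s6 does."""
    if len(data) % 2:
        data += b"\x00"
    if len(data) < 2 or any(data[1::2]) or not is_printable_ascii(data[0::2]):
        return None
    return data.decode("utf-16-le")


def lenient_b64decode(text: str) -> Optional[bytes]:
    """Decode a base64 run that a signature may have cut mid-group.
    Rule strings are usually prefixes of a longer encoded blob, so the run
    is padded up to a multiple of four characters before decoding."""
    if not BASE64_RUN.fullmatch(text):
        return None
    run = text.rstrip("=")
    run += "=" * (-len(run) % 4)
    try:
        return base64.b64decode(run)
    except (binascii.Error, ValueError):
        return None


def looks_meaningful(decoded: bytes) -> bool:
    """Heuristic filter so that plain words are not mistaken for base64:
    accept a PE header (an embedded base64-encoded executable) or a blob
    that is at least 80% printable text."""
    if decoded.startswith(b"MZ"):
        return True
    printable = sum(1 for b in decoded if 0x20 <= b < 0x7F)
    return len(decoded) > 0 and printable / len(decoded) >= 0.8


def explain_string(data: bytes) -> dict:
    """Describe what a matched byte pattern encodes, layer by layer."""
    info = {"encoding": "binary", "text": None, "base64_payload": None}
    wide = as_wide_text(data)
    if wide is not None:
        info["encoding"], info["text"] = "utf-16le", wide
    elif is_printable_ascii(data):
        info["encoding"], info["text"] = "ascii", data.decode("ascii")
    else:
        return info
    decoded = lenient_b64decode(info["text"])
    if decoded is not None and looks_meaningful(decoded):
        info["base64_payload"] = decoded
    return info


def explain_rule() -> Dict[str, dict]:
    """Decode every string of the rule; useful when documenting or tuning it."""
    return {name: explain_string(yara_hex_to_bytes(body))
            for name, body in XE_REVERSE_SHELL_STRINGS.items()}


def matching_strings(buffer: bytes) -> List[str]:
    """Identifiers of rule strings present in buffer (YARA's 'them')."""
    return [name for name, body in XE_REVERSE_SHELL_STRINGS.items()
            if yara_hex_to_bytes(body) in buffer]


def rule_fires(buffer: bytes) -> bool:
    """The rule's condition is '2 of them'."""
    return len(matching_strings(buffer)) >= 2


# Constructed sample buffers (not real malware): one carries two indicators,
# the other only one, so the '2 of them' threshold is exercised both ways.
SAMPLE_HIT = (b"\x00\x00" + b"xesvrs.exe" + b"\x00" * 4
              + "Y21kLmV4ZQ==".encode("utf-16-le") + b"\x00\x00")
SAMPLE_MISS = b"\x00" * 8 + b"xesvrs.exe" + b"\x00" * 8

if __name__ == "__main__":
    for name, info in explain_rule().items():
        print(name, info)
    print("two indicators ->", rule_fires(SAMPLE_HIT))   # True
    print("one indicator  ->", rule_fires(SAMPLE_MISS))  # False
```

Running it shows that $s2 is the base64 prefix of a PE header (an embedded base64-encoded executable, matching the dropper chain described above) and that $s6 is the wide-string form of the base64 for cmd[.]exe.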

11415AC829C17BD8A9C4CEF12C3FBC23095CBB3113C89405E489EAD5138384CD

TAGS

downloader, trojan

DETAILS

Name: 1597974061.4531896.png
Size: 92160 bytes
Type: PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5: bf6722f2055b13a61dfb7233af8d966a
SHA1: 161435d198f3dba6ac1ce045b73ccd61f7697146
SHA256: 11415ac829c17bd8a9c4cef12c3fbc23095cbb3113c89405e489ead5138384cd
SHA512: dc5dda0aab59c95af5d01b8491b428eee21a62fe1381d85a6faa0caf5d0a3022bcc02777d88b59cda304d57cac1308fdd6676d8040b618e76f28e05d1903c8ad
ssdeep: 1536:P6qfkBhbpqNOQiazS7pG5lnMnoJSsFnJ5yvd2+D5lUBHTyRcf01sW7d09dlmv5fB:P6qMfbM88zCpuNMnoDByvd2+D5lUBHTJ
Entropy: 5.822163

ANTIVIRUS

 * AhnLab: Malware/Win.Generic
 * Avira: TR/Agent.brfsc
 * Bitdefender: Gen:Variant.Tedy.146424
 * Emsisoft: Gen:Variant.Tedy.146424 (B)
 * ESET: a variant of Win64/Agent.AQS trojan
 * IKARUS: Trojan.Win64.Agent
 * K7: Trojan ( 0057f7991 )
 * Zillya!: Trojan.Agent.Win64.8597

YARA RULES

No matches found.

SSDEEP MATCHES

No matches found.

RELATIONSHIPS

 * 11415ac829.... Connected_To hivnd[.]com

DESCRIPTION

This artifact is a DLL designed to invoke PowerShell to download and execute a
file on the system. When the DLL is executed it attempts to connect to the
Uniform Resource Locator (URL) hivnd[.]com/thumpxcache and download a file to
the path C:\Windows\Temp. The downloaded file is named thumcache[.]exe and is
invoked using cmd[.]exe.

The file thumcache[.]exe was not available for analysis.

HIVND[.]COM

TAGS

command-and-control

URLS

 * hxxps://hivnd[.]com/thumpxcache

PORTS

 * 443 TCP

WHOIS

Domain Name: HIVND[.]COM
Registry Domain ID: 1688870027_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois[.]godaddy[.]com
Registrar URL: hxxp://www[.]godaddy[.]com
Updated Date: 2022-09-10T12:20:07Z
Creation Date: 2011-11-25T06:18:30Z
Registry Expiry Date: 2026-11-25T06:18:30Z
Registrar: GoDaddy[.]com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse[@]godaddy[.]com
Registrar Abuse Contact Phone: 480-624-2505
Domain Status: ok hxxps://icann[.]org/epp#ok
Name Server: NS31[.]DOMAINCONTROL[.]COM
Name Server: NS32[.]DOMAINCONTROL[.]COM
Name Server: NS63[.]DOMAINCONTROL[.]COM
Name Server: NS64[.]DOMAINCONTROL[.]COM
Name Server: NS77[.]DOMAINCONTROL[.]COM
Name Server: NS78[.]DOMAINCONTROL[.]COM
Name Server: PDNS05[.]DOMAINCONTROL[.]COM
Name Server: PDNS06[.]DOMAINCONTROL[.]COM
DNSSEC: unsigned

Domain Name: HIVND[.]COM
Registry Domain ID: 1688870027_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois[.]godaddy[.]com
Registrar URL: hxxps://www[.]godaddy[.]com
Updated Date: 2018-03-05T23:44:55Z
Creation Date: 2011-11-25T01:18:30Z
Registrar Registration Expiration Date: 2026-11-25T01:18:30Z
Registrar: GoDaddy[.]com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse[@]godaddy[.]com
Registrar Abuse Contact Phone: +1[.]4806242505
Domain Status: ok hxxps://icann[.]org/epp#ok
Registry Registrant ID: Not Available From Registry
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Registrant Street: DomainsByProxy[.]com
Registrant Street: 2155 E Warner Rd
Registrant City: Tempe
Registrant State/Province: Arizona
Registrant Postal Code: 85284
Registrant Country: US
Registrant Phone: +1[.]4806242599
Registrant Phone Ext:
Registrant Fax: +1[.]4806242598
Registrant Fax Ext:
Registrant Email: Select Contact Domain Holder link at
hxxps://www[.]godaddy[.]com/whois/results.aspx?domain=hivnd.com
Registry Admin ID: Not Available From Registry
Admin Name: Registration Private
Admin Organization: Domains By Proxy, LLC
Admin Street: DomainsByProxy[.]com
Admin Street: 2155 E Warner Rd
Admin City: Tempe
Admin State/Province: Arizona
Admin Postal Code: 85284
Admin Country: US
Admin Phone: +1[.]4806242599
Admin Phone Ext:
Admin Fax: +1[.]4806242598
Admin Fax Ext:
Admin Email: Select Contact Domain Holder link at
hxxps://www[.]godaddy[.]com/whois/results.aspx?domain=hivnd.com
Registry Tech ID: Not Available From Registry
Tech Name: Registration Private
Tech Organization: Domains By Proxy, LLC
Tech Street: DomainsByProxy[.]com
Tech Street: 2155 E Warner Rd
Tech City: Tempe
Tech State/Province: Arizona
Tech Postal Code: 85284
Tech Country: US
Tech Phone: +1[.]4806242599
Tech Phone Ext:
Tech Fax: +1[.]4806242598
Tech Fax Ext:
Tech Email: Select Contact Domain Holder link at
hxxps://www[.]godaddy[.]com/whois/results.aspx?domain=hivnd.com
Name Server: NS31[.]DOMAINCONTROL[.]COM
Name Server: NS32[.]DOMAINCONTROL[.]COM
Name Server: NS63[.]DOMAINCONTROL[.]COM
Name Server: NS64[.]DOMAINCONTROL[.]COM
Name Server: NS77[.]DOMAINCONTROL[.]COM
Name Server: NS78[.]DOMAINCONTROL[.]COM
Name Server: PDNS05[.]DOMAINCONTROL[.]COM
Name Server: PDNS06[.]DOMAINCONTROL[.]COM
DNSSEC: unsigned

RELATIONSHIPS

 * hivnd[.]com Connected_From 11415ac829c17bd8a9c4cef12c3fbc23095cbb3113c89405e489ead5138384cd
 * hivnd[.]com Resolved_To 184[.]168[.]104[.]171

DESCRIPTION

At the time of analysis, the file "1594142927[.]995679[.]png" (11415ac829...)
attempted to connect to this domain.

72F7D4D3B9D2E406FA781176BD93E8DEEE0FB1598B67587E1928455B66B73911

TAGS

trojan

DETAILS

Name: 1594142927.995679.png
Size: 90624 bytes
Type: PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5: 15abeb0916a402a107c401056ebf5ac6
SHA1: 6b2cf97aa2adb09badbe571a4ff93bcd2398c399
SHA256: 72f7d4d3b9d2e406fa781176bd93e8deee0fb1598b67587e1928455b66b73911
SHA512: 6c1cae131f77043c2f53347f0eccc010e7178ed11735cf385e8d94c065c63026a6b2c82c4aafc57f9ea1a244963c0c5fc3e898655cc6e208d3c03ebed372564e
ssdeep: 1536:gZ+EwudBL87aSQH7HfVf2oNkJ+aNIuTJ1ExXDihMvE00sWhd09dlunB:W+EwQLUa1H7Nf2oW7NIuTJ1ExXDihMvQ
Entropy: 5.842722

ANTIVIRUS

 * Avira: HEUR/AGEN.1251118
 * Bitdefender: Gen:Variant.Tedy.146424
 * Emsisoft: Gen:Variant.Tedy.146424 (B)
 * ESET: a variant of Win64/Agent.ASC trojan
 * IKARUS: Trojan.Win64.Agent
 * K7: Trojan ( 00580e951 )
 * Zillya!: Trojan.Agent.Win64.10088

YARA RULES

No matches found.

SSDEEP MATCHES

No matches found.

DESCRIPTION

This artifact is a DLL that is designed to download and execute a payload. The
file does not contain a URL to check for downloads. If the program determines
that it is running in a virtual environment, it will trigger an exception and
terminate.

833E9CF75079CE796EF60FC7039A0B098BE4CE8D259FFA53FE2855DF110B2E5D

TAGS

trojan

DETAILS

Name: 1665128935.8063045.dll
Size: 118784 bytes
Type: PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5: cf96a7d57a2e28c288c75d371ca06f19
SHA1: f2dee8aa01f39543abe8d887cdeb301aa6a13088
SHA256: 833e9cf75079ce796ef60fc7039a0b098be4ce8d259ffa53fe2855df110b2e5d
SHA512: 6e1d4476363b75c35db705f6ae73cd6d9f6da410a120aa3d8fd5a92fb84c5d78739e84c9f4c8385ddf0e766052627b0b50143253eae839e6e1922f22ab955ab0
ssdeep: 1536:oUhdTegMhxsGrNzpZjh4E5F/693uSV81fm2jMuq/I4Jll6VsWDLdP9dlz+sTepP:bXTgIWpZSEfC+Q81O2jM/w4tsvZE
Entropy: 6.102716

ANTIVIRUS

 * ESET: a variant of Win64/Agent.ASC trojan
 * McAfee: GenericRXLC-WC!CF96A7D57A2E

YARA RULES

 * rule CISA_10413062_13 : wiper information_gathering
   {
      meta:
          Author = "CISA Code & Media Analysis"
          Incident = "10413062"
          Date = "2022-12-21"
          Last_Modified = "20230106_1400"
          Actor = "n/a"
          Family = "n/a"
          Capabilities = "information-gathering"
          Malware_Type = "wiper"
          Tool_Type = "n/a"
          Description = "Detects PE information gathering samples"
          SHA256_1 =
   "dedf082f523dfcb75dee0480a2d8a087e3231f89fa34fcd2b7f74866a7b6608f"
          SHA256_2 =
   "f5cafe99bccb9d813909876fa536cc980c45687d0f411c5f4b5346dcf6b304e4"
          SHA256_3 =
   "74544d31cbbf003bc33e7099811f62a37110556b6c1a644393fddd0bac753730"
          SHA256_4 =
   "833e9cf75079ce796ef60fc7039a0b098be4ce8d259ffa53fe2855df110b2e5d"
      strings:
          $a1 = { 46 69 6e 64 46 69 72 73 74 46 69 6c 65 45 78 57 }
          $a2 = { 46 69 6e 64 4e 65 78 74 46 69 6c 65 57 }
          $a3 = { 47 65 74 41 43 50 }
          $a4 = { 47 65 74 4f 45 4d 43 50 }
          $a5 = { 47 65 74 43 50 49 6e 66 6f }
          $a6 = { 47 65 74 43 6f 6d 6d 61 6e 64 4c 69 6e 65 41 }
          $a7 = { 47 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 74 72 69 6e 67 73
   57 }
          $a8 = { 44 65 6c 65 74 65 46 69 6c 65 41 }
          $m1 = { 76 34 2e 30 2e 33 30 33 31 39 }
          $m2 = { 61 6d 64 36 34 }
          $m3 = { 2e 64 6c 6c }
          $m4 = { 64 65 6c 65 74 65 }
          $s1 = { 3c 4d 6f 64 75 6c 65 }
          $s2 = { 25 73 5c 25 73 }
          $s3 = { 25 73 5c 2a }
          $s4 = { 63 3a 3e }
      condition:
          uint16(0) == 0x5a4d and all of them
   }

SSDEEP MATCHES

No matches found.

RELATIONSHIPS

 * 833e9cf750.... Connected_To 137[.]184[.]130[.]162

DESCRIPTION

This file is a .NET DLL that contains malicious unmanaged 64-bit Intel code.
The DLL deletes files with the ".dll" extension in the "C:\windows\temp"
directory on the infected machine. The sample can also enumerate the system and
collect network parameters including host name, domain name, Domain Name System
(DNS) servers, NetBIOS ID, adapter information, IP address, subnet, gateway IP,
and Dynamic Host Configuration Protocol (DHCP) server. It then sends the
collected data to a C2 server at IP address 137[.]184[.]130[.]162.

137[.]184[.]130[.]162

TAGS

command-and-control

PORTS

 * 443 TCP

WHOIS

NetRange:     137[.]184[.]0[.]0 - 137[.]184[.]255[.]255
CIDR:         137[.]184[.]0[.]0/16
NetName:        DIGITALOCEAN-137-184-0-0
NetHandle:     NET-137-184-0-0-1
Parent:         NET137 (NET-137-0-0-0-0)
NetType:        Direct Allocation
OriginAS:     AS14061
Organization: DigitalOcean, LLC (DO-13)
RegDate:        2019-11-13
Updated:        2020-04-03
Comment:        Routing and Peering Policy can be found at
hxxps://www[.]as14061[.]net
Comment:        
Comment:        Please submit abuse reports at
hxxps://www[.]digitalocean[.]com/company/contact/#abuse
Ref:            hxxps://rdap[.]arin[.]net/registry/ip/137[.]184[.]0[.]0

OrgName:        DigitalOcean, LLC
OrgId:         DO-13
Address:        101 Ave of the Americas
Address:        FL2
City:         New York
StateProv:     NY
PostalCode:     10013
Country:        US
RegDate:        2012-05-14
Updated:        2022-05-19
Ref:            hxxps://rdap[.]arin[.]net/registry/entity/do-13

OrgAbuseHandle: ABUSE5232-ARIN
OrgAbuseName: Abuse, DigitalOcean
OrgAbusePhone: +1-347-875-6044
OrgAbuseEmail:
OrgAbuseRef:    hxxps://rdap[.]arin[.]net/registry/entity/abuse5232-arin

OrgTechHandle: NOC32014-ARIN
OrgTechName: Network Operations Center
OrgTechPhone: +1-347-875-6044
OrgTechEmail:
OrgTechRef:    hxxps://rdap[.]arin[.]net/registry/entity/noc32014-arin

OrgNOCHandle: NOC32014-ARIN
OrgNOCName: Network Operations Center
OrgNOCPhone: +1-347-875-6044
OrgNOCEmail:
OrgNOCRef:    hxxps://rdap[.]arin[.]net/registry/entity/noc32014-arin

RELATIONSHIPS

 * 137[.]184[.]130[.]162 Connected_From 833e9cf75079ce796ef60fc7039a0b098be4ce8d259ffa53fe2855df110b2e5d
 * 137[.]184[.]130[.]162 Connected_From b4222cffcdb9fb0eda5aa1703a067021bedd8cf7180cdfc5454d0f07d7eaf18f
 * 137[.]184[.]130[.]162 Connected_From 707d22cacdbd94a3e6dc884242c0565bdf10a0be42990cd7a5497b124474889b
 * 137[.]184[.]130[.]162 Connected_From 74544d31cbbf003bc33e7099811f62a37110556b6c1a644393fddd0bac753730
 * 137[.]184[.]130[.]162 Connected_From f5cafe99bccb9d813909876fa536cc980c45687d0f411c5f4b5346dcf6b304e4
 * 137[.]184[.]130[.]162 Connected_From dedf082f523dfcb75dee0480a2d8a087e3231f89fa34fcd2b7f74866a7b6608f

DESCRIPTION

This IP address is the C2 server that the samples connect to.

B4222CFFCDB9FB0EDA5AA1703A067021BEDD8CF7180CDFC5454D0F07D7EAF18F

TAGS

trojan

DETAILS

Name: 1665129315.9536858.dll
Size: 92672 bytes
Type: PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5: fdef4ea27c8634c9aa94f1a16844d62c
SHA1: e12c91e1f30740ed95b9a005c8d7bd17c57d0665
SHA256: b4222cffcdb9fb0eda5aa1703a067021bedd8cf7180cdfc5454d0f07d7eaf18f
SHA512: 20898eaa33a893dde2bde5f58673ca9795019133150b3d5f201a20d0f28e0f4e9606f19ed2e96181a28e58ff4ba9f52609f0f6326b94570a29c1ed1af3e95f25
ssdeep: 1536:26rED/9NI76mpDrAXUSH/jJKIRYgg7SIJQwKsW+bd09dlfXBm:brEb9NInpDUEa/joaYgguIewRxMVx
Entropy: 5.853133

ANTIVIRUS

 * Avira: HEUR/AGEN.1251118
 * Bitdefender: Gen:Variant.Cerbu.106114
 * Emsisoft: Gen:Variant.Cerbu.106114 (B)
 * ESET: a variant of Win64/Agent.AQS trojan

YARA RULES

No matches found.

SSDEEP MATCHES

No matches found.

RELATIONSHIPS

 * b4222cffcd.... Connected_To 137[.]184[.]130[.]162

DESCRIPTION

This file is a .NET DLL that contains malicious unmanaged 64-bit Intel code.
The sample can load additional libraries; enumerate the system, processes,
files, and directories; write files; and collect network parameters including
host name, domain name, DNS servers, NetBIOS ID, adapter information, IP
address, subnet, gateway IP, and DHCP server. It then sends the collected data
to a C2 server at IP address 137[.]184[.]130[.]162.

707D22CACDBD94A3E6DC884242C0565BDF10A0BE42990CD7A5497B124474889B

TAGS

trojan

DETAILS

Name: 1665130178.9134793.dll
Size: 94208 bytes
Type: PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5: 98b513886879300679d634fa4e1cd27e
SHA1: e1bb93514f221e5c7ab14eb7793eebd4b10c9008
SHA256: 707d22cacdbd94a3e6dc884242c0565bdf10a0be42990cd7a5497b124474889b
SHA512: 524d38ff7936f5c509b67099d1a2e04e0869a9e3431a1901cfe6720112e77ac01e3d94812a7ee7b82b09c31ee0b101ff2a7e68bc7504a7ab8cd9f84ba719e931
ssdeep: 1536:3siPxIb5AVc+gmXSrCbKChSw9mgMNFl276Jw9UsWtBd09dl+7BnA2oHO:DpIN3+7XzbBh9xMbl2m2907MgVnAY
Entropy: 5.868150

ANTIVIRUS

Avira  HEUR/AGEN.1251118
ESET   a variant of Win64/Agent.ASC trojan

YARA RULES

No matches found.

SSDEEP MATCHES

No matches found.

RELATIONSHIPS

707d22cacd.... Connected_To 137[.]184[.]130[.]162

DESCRIPTION

This file is a .NET DLL that contains malicious unmanaged 64-bit Intel code.
The sample has the capability to collect network parameters including host
name, domain name, DNS servers, NetBIOS ID, adapter information, IP address,
subnet, gateway IP, DHCP server, and additional data, and to send them to a C2
server at IP address 137[.]184[.]130[.]162 over port 443.
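The descriptions of these samples give one network indicator (the C2 address 137[.]184[.]130[.]162, reached over port 443 by this sample) and the SHA256 of each file. As an added example that is not part of the CISA report, the Python below refangs the defanged address, checks constructed firewall log lines (the key=value layout is an assumption) for connections to it, and normalizes a file hash for lookup against the report's sample hashes; the 833e9cf750... hash is taken from the metadata of the YARA rule in this report.

```python
"""Added example (not part of the CISA report): match the report's network
and file-hash indicators against constructed log data."""
import re
from typing import Optional

# Indicators copied from the report, in the defanged form printed there.
DEFANGED_C2 = "137[.]184[.]130[.]162"
REPORTED_C2_PORT = 443

# SHA256 hashes of the samples the report ties to this C2 address
# (833e9cf750... is taken from the YARA rule metadata in the report).
SAMPLE_SHA256 = {
    "833e9cf75079ce796ef60fc7039a0b098be4ce8d259ffa53fe2855df110b2e5d",
    "b4222cffcdb9fb0eda5aa1703a067021bedd8cf7180cdfc5454d0f07d7eaf18f",
    "707d22cacdbd94a3e6dc884242c0565bdf10a0be42990cd7a5497b124474889b",
    "74544d31cbbf003bc33e7099811f62a37110556b6c1a644393fddd0bac753730",
    "f5cafe99bccb9d813909876fa536cc980c45687d0f411c5f4b5346dcf6b304e4",
    "dedf082f523dfcb75dee0480a2d8a087e3231f89fa34fcd2b7f74866a7b6608f",
}


def refang(indicator: str) -> str:
    """Turn the report's defanged '[.]' notation back into a dotted value."""
    return indicator.replace("[.]", ".")


# Constructed firewall log lines (not from the report). The key=value layout
# is an assumption; adjust LINE_RE for a real log format.
CONSTRUCTED_LOG = """\
2022-10-07T10:15:31Z ALLOW src=10.0.0.15:51234 dst=137.184.130.162:443 proto=tcp
2022-10-07T10:15:32Z ALLOW src=10.0.0.15:51235 dst=13.107.42.14:443 proto=tcp
2022-10-07T10:16:02Z ALLOW src=10.0.0.22:49812 dst=137.184.130.162:80 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\S+)\s+src=(?P<src>\S+)\s+"
    r"dst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
)


def find_c2_connections(log_text: str, c2_ip: Optional[str] = None,
                        c2_port: int = REPORTED_C2_PORT) -> list:
    """Return one record per log line whose destination is the C2 address.

    Every connection to the address is reported; the record also flags whether
    the destination port is the one the report names, because the same host
    may be contacted on other ports.
    """
    if c2_ip is None:
        c2_ip = refang(DEFANGED_C2)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None or m.group("ip") != c2_ip:
            continue
        port = int(m.group("port"))
        hits.append({
            "timestamp": m.group("ts"),
            "src": m.group("src"),
            "port": port,
            "reported_c2_port": port == c2_port,
        })
    return hits


def is_known_sample(sha256_hex: str) -> bool:
    """Case-insensitive lookup: the report prints section headings in upper
    case and the DETAILS blocks in lower case."""
    return sha256_hex.strip().lower() in SAMPLE_SHA256


if __name__ == "__main__":
    for hit in find_c2_connections(CONSTRUCTED_LOG):
        print(hit)
    print(is_known_sample(
        "B4222CFFCDB9FB0EDA5AA1703A067021BEDD8CF7180CDFC5454D0F07D7EAF18F"))
```

The port flag matters for triage: a connection to the C2 address on an unexpected port is still a hit against the report's indicator, but it tells the analyst the traffic does not match the behaviour described for this particular sample.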

74544D31CBBF003BC33E7099811F62A37110556B6C1A644393FDDD0BAC753730

TAGS

trojan

DETAILS

Name     1665131078.6907752.dll
Size     117248 bytes
Type     PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5      c1127046e07137180c41cc1914e52ee7
SHA1     7b195c18042ab5c3ed9ebdc66800aec39e29f726
SHA256   74544d31cbbf003bc33e7099811f62a37110556b6c1a644393fddd0bac753730
SHA512   eab5832db04ad82eb07364e743d4506e5511937bd5f4c7b4d6383ec88df5a20b70f228382ccffd64b005e8b186cdef7d7cd138144a8f9a434594069c49c84434
ssdeep   3072:rPMMU3GQDizMxtgk3KeJwbUyS6zt1vaefUP:82QoeguKS/y/0
Entropy  6.082096

ANTIVIRUS

Avira   HEUR/AGEN.1229794
ESET    a variant of Win64/Agent.AQS trojan
McAfee  GenericRXLC-WC!C1127046E071

YARA RULES

 * rule CISA_10413062_13 : wiper information_gathering
   {
      meta:
          Author = "CISA Code & Media Analysis"
          Incident = "10413062"
          Date = "2022-12-21"
          Last_Modified = "20230106_1400"
          Actor = "n/a"
          Family = "n/a"
          Capabilities = "information-gathering"
          Malware_Type = "wiper"
          Tool_Type = "n/a"
          Description = "Detects PE information gathering samples"
          SHA256_1 = "dedf082f523dfcb75dee0480a2d8a087e3231f89fa34fcd2b7f74866a7b6608f"
          SHA256_2 = "f5cafe99bccb9d813909876fa536cc980c45687d0f411c5f4b5346dcf6b304e4"
          SHA256_3 = "74544d31cbbf003bc33e7099811f62a37110556b6c1a644393fddd0bac753730"
          SHA256_4 = "833e9cf75079ce796ef60fc7039a0b098be4ce8d259ffa53fe2855df110b2e5d"
      strings:
          $a1 = { 46 69 6e 64 46 69 72 73 74 46 69 6c 65 45 78 57 }
          $a2 = { 46 69 6e 64 4e 65 78 74 46 69 6c 65 57 }
          $a3 = { 47 65 74 41 43 50 }
          $a4 = { 47 65 74 4f 45 4d 43 50 }
          $a5 = { 47 65 74 43 50 49 6e 66 6f }
          $a6 = { 47 65 74 43 6f 6d 6d 61 6e 64 4c 69 6e 65 41 }
          $a7 = { 47 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 74 72 69 6e 67 73 57 }
          $a8 = { 44 65 6c 65 74 65 46 69 6c 65 41 }
          $m1 = { 76 34 2e 30 2e 33 30 33 31 39 }
          $m2 = { 61 6d 64 36 34 }
          $m3 = { 2e 64 6c 6c }
          $m4 = { 64 65 6c 65 74 65 }
          $s1 = { 3c 4d 6f 64 75 6c 65 }
          $s2 = { 25 73 5c 25 73 }
          $s3 = { 25 73 5c 2a }
          $s4 = { 63 3a 3e }
      condition:
          uint16(0) == 0x5a4d and all of them
   }

SSDEEP MATCHES

No matches found.

RELATIONSHIPS

74544d31cb.... Connected_To 137[.]184[.]130[.]162

DESCRIPTION

This file is a .NET DLL, which contains malicious unmanaged 64-bit Intel code.
This file has the same functionality as the file "1665128935[.]8063045[.]dll"
(833e9cf750...).

F5CAFE99BCCB9D813909876FA536CC980C45687D0F411C5F4B5346DCF6B304E4

TAGS

trojan

DETAILS

Name     1665132690.6040645.dll
Size     117248 bytes
Type     PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5      75221233a7dd7c5084a7d57084fd8d43
SHA1     5ca0fcea7c0a4e12081cc5848ea74fd7933c599c
SHA256   f5cafe99bccb9d813909876fa536cc980c45687d0f411c5f4b5346dcf6b304e4
SHA512   2e35304a354cf3737b6ff21a78f71005cb7143a8284fc0155cdd793edd206c48bbe89f02f035cd960d49cd6e9877077a90b0bacda6cafd880be0a95042223577
ssdeep   3072:ruNzEKGfQiGhdpWrb0k9b5i9qzt1vB+FUe:3XfspYbdiY+
Entropy  6.083139

ANTIVIRUS

Avira   HEUR/AGEN.1229794
ESET    a variant of Win64/Agent.AQS trojan
McAfee  GenericRXLC-WC!75221233A7DD

YARA RULES

 * rule CISA_10413062_13 : wiper information_gathering
   {
      meta:
          Author = "CISA Code & Media Analysis"
          Incident = "10413062"
          Date = "2022-12-21"
          Last_Modified = "20230106_1400"
          Actor = "n/a"
          Family = "n/a"
          Capabilities = "information-gathering"
          Malware_Type = "wiper"
          Tool_Type = "n/a"
          Description = "Detects PE information gathering samples"
          SHA256_1 = "dedf082f523dfcb75dee0480a2d8a087e3231f89fa34fcd2b7f74866a7b6608f"
          SHA256_2 = "f5cafe99bccb9d813909876fa536cc980c45687d0f411c5f4b5346dcf6b304e4"
          SHA256_3 = "74544d31cbbf003bc33e7099811f62a37110556b6c1a644393fddd0bac753730"
          SHA256_4 = "833e9cf75079ce796ef60fc7039a0b098be4ce8d259ffa53fe2855df110b2e5d"
      strings:
          $a1 = { 46 69 6e 64 46 69 72 73 74 46 69 6c 65 45 78 57 }
          $a2 = { 46 69 6e 64 4e 65 78 74 46 69 6c 65 57 }
          $a3 = { 47 65 74 41 43 50 }
          $a4 = { 47 65 74 4f 45 4d 43 50 }
          $a5 = { 47 65 74 43 50 49 6e 66 6f }
          $a6 = { 47 65 74 43 6f 6d 6d 61 6e 64 4c 69 6e 65 41 }
          $a7 = { 47 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 74 72 69 6e 67 73 57 }
          $a8 = { 44 65 6c 65 74 65 46 69 6c 65 41 }
          $m1 = { 76 34 2e 30 2e 33 30 33 31 39 }
          $m2 = { 61 6d 64 36 34 }
          $m3 = { 2e 64 6c 6c }
          $m4 = { 64 65 6c 65 74 65 }
          $s1 = { 3c 4d 6f 64 75 6c 65 }
          $s2 = { 25 73 5c 25 73 }
          $s3 = { 25 73 5c 2a }
          $s4 = { 63 3a 3e }
      condition:
          uint16(0) == 0x5a4d and all of them
   }

SSDEEP MATCHES

No matches found.

RELATIONSHIPS

f5cafe99bc.... Connected_To 137[.]184[.]130[.]162

DESCRIPTION

This file is a .NET DLL, which contains malicious unmanaged 64-bit Intel code.
This file has the same functionality as the file "1665128935[.]8063045[.]dll"
(833e9cf750...).

DEDF082F523DFCB75DEE0480A2D8A087E3231F89FA34FCD2B7F74866A7B6608F

TAGS

trojan

DETAILS

Name     1665214140.9324195.dll
Size     115200 bytes
Type     PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5      ded299dfdd68608084b8183c6d48b7a5
SHA1     7d165f6029eae067785fdb9af53385170d790e52
SHA256   dedf082f523dfcb75dee0480a2d8a087e3231f89fa34fcd2b7f74866a7b6608f
SHA512   29a1aef7393f2bdea60cbc69b50506ec1ee23f862b3856e4469385dfa7fd47e38d6ad7fb746fde8e6f1f9a74d309552b1dab3896d5c60fc14ba87d6ee32331ac
ssdeep   1536:rEFL/kVxbrRMgcfPJR8ba2kV9AuSv/W7eNoFhJlDsW9dP9dlDw0Ve:gF8zr/KJR8D09He/W7eN8hVvNw1
Entropy  6.080040

ANTIVIRUS

Avira   HEUR/AGEN.1229794
ESET    a variant of Win64/Agent.ASC trojan
McAfee  GenericRXLC-WC!DED299DFDD68

YARA RULES

 * rule CISA_10413062_13 : wiper information_gathering
   {
      meta:
          Author = "CISA Code & Media Analysis"
          Incident = "10413062"
          Date = "2022-12-21"
          Last_Modified = "20230106_1400"
          Actor = "n/a"
          Family = "n/a"
          Capabilities = "information-gathering"
          Malware_Type = "wiper"
          Tool_Type = "n/a"
          Description = "Detects PE information gathering samples"
          SHA256_1 = "dedf082f523dfcb75dee0480a2d8a087e3231f89fa34fcd2b7f74866a7b6608f"
          SHA256_2 = "f5cafe99bccb9d813909876fa536cc980c45687d0f411c5f4b5346dcf6b304e4"
          SHA256_3 = "74544d31cbbf003bc33e7099811f62a37110556b6c1a644393fddd0bac753730"
          SHA256_4 = "833e9cf75079ce796ef60fc7039a0b098be4ce8d259ffa53fe2855df110b2e5d"
      strings:
          $a1 = { 46 69 6e 64 46 69 72 73 74 46 69 6c 65 45 78 57 }
          $a2 = { 46 69 6e 64 4e 65 78 74 46 69 6c 65 57 }
          $a3 = { 47 65 74 41 43 50 }
          $a4 = { 47 65 74 4f 45 4d 43 50 }
          $a5 = { 47 65 74 43 50 49 6e 66 6f }
          $a6 = { 47 65 74 43 6f 6d 6d 61 6e 64 4c 69 6e 65 41 }
          $a7 = { 47 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 74 72 69 6e 67 73 57 }
          $a8 = { 44 65 6c 65 74 65 46 69 6c 65 41 }
          $m1 = { 76 34 2e 30 2e 33 30 33 31 39 }
          $m2 = { 61 6d 64 36 34 }
          $m3 = { 2e 64 6c 6c }
          $m4 = { 64 65 6c 65 74 65 }
          $s1 = { 3c 4d 6f 64 75 6c 65 }
          $s2 = { 25 73 5c 25 73 }
          $s3 = { 25 73 5c 2a }
          $s4 = { 63 3a 3e }
      condition:
          uint16(0) == 0x5a4d and all of them
   }
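Rule CISA_10413062_13, listed above for the samples 74544d31cb..., f5cafe99bc... and dedf082f52..., is written entirely with hex byte strings. As an added example that is not part of the CISA report, the Python below decodes each pattern to the ASCII text it matches and re-implements the rule's condition (uint16(0) == 0x5a4d and all of them) so the logic can be checked against a constructed buffer. It is a reading aid for the rule, not a replacement for it: a production scan should compile the rule as published with yara or yara-python.

```python
"""Added example (not part of the CISA report): decode the hex strings of
YARA rule CISA_10413062_13 and re-implement its condition in Python."""
import struct

# The hex byte sequences exactly as they appear in the published rule.
RULE_STRINGS = {
    "$a1": "46 69 6e 64 46 69 72 73 74 46 69 6c 65 45 78 57",
    "$a2": "46 69 6e 64 4e 65 78 74 46 69 6c 65 57",
    "$a3": "47 65 74 41 43 50",
    "$a4": "47 65 74 4f 45 4d 43 50",
    "$a5": "47 65 74 43 50 49 6e 66 6f",
    "$a6": "47 65 74 43 6f 6d 6d 61 6e 64 4c 69 6e 65 41",
    "$a7": "47 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 74 72 69 6e 67 73 57",
    "$a8": "44 65 6c 65 74 65 46 69 6c 65 41",
    "$m1": "76 34 2e 30 2e 33 30 33 31 39",
    "$m2": "61 6d 64 36 34",
    "$m3": "2e 64 6c 6c",
    "$m4": "64 65 6c 65 74 65",
    "$s1": "3c 4d 6f 64 75 6c 65",
    "$s2": "25 73 5c 25 73",
    "$s3": "25 73 5c 2a",
    "$s4": "63 3a 3e",
}


def decode_hex_string(hex_string: str) -> bytes:
    """Convert the body of a YARA hex string ('46 69 ...') to bytes."""
    return bytes.fromhex(hex_string.replace(" ", ""))


def readable_strings() -> dict:
    """Map each identifier to the ASCII text it matches, for analyst review."""
    return {name: decode_hex_string(h).decode("ascii")
            for name, h in RULE_STRINGS.items()}


def matches_rule(data: bytes) -> bool:
    """Equivalent of 'uint16(0) == 0x5a4d and all of them'.

    YARA's uint16() reads little-endian, so the check passes for data that
    starts with the 'MZ' DOS header bytes; every pattern must then occur
    somewhere in the buffer as a plain, case-sensitive byte match, which is
    what a hex string without wildcards means in YARA.
    """
    if len(data) < 2:
        return False
    if struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False
    return all(decode_hex_string(h) in data for h in RULE_STRINGS.values())


def build_constructed_sample() -> bytes:
    """Constructed buffer (not a real PE and not one of the report's samples):
    the 'MZ' header bytes, padding, then every pattern separated by NULs."""
    return b"MZ" + b"\x00" * 62 + b"\x00".join(
        decode_hex_string(h) for h in RULE_STRINGS.values())


if __name__ == "__main__":
    for name, text in readable_strings().items():
        print(f"{name}: {text}")
    print("constructed sample:", matches_rule(build_constructed_sample()))
    print("text without header:",
          matches_rule(b"FindFirstFileExW without a header"))
```

Decoding shows the rule keys on imported API names (FindFirstFileExW, FindNextFileW, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetEnvironmentStringsW, DeleteFileA), .NET runtime markers (v4.0.30319, amd64, .dll, <Module) and path format strings (%s\%s, %s\*, c:>), all of which must be present, so a file that drops any one of them will not match.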

SSDEEP MATCHES

No matches found.

RELATIONSHIPS

dedf082f52.... Connected_To 137[.]184[.]130[.]162

DESCRIPTION

This file is a .NET DLL that contains malicious unmanaged 64-bit Intel code.
This file has the same functionality as the file "1665128935[.]8063045[.]dll"
(833e9cf750...), except that it has no network communication capability.
However, the IP address 137[.]184[.]130[.]164 is hard-coded within the sample,
as in the other files.


RELATIONSHIP SUMMARY

e044bce06e.... Connected_To 45[.]77[.]212[.]12
45[.]77[.]212[.]12 Connected_From e044bce06ea49d1eed5e1ec59327316481b8339c3b6e1aecfbb516f56d66e913
45[.]77[.]212[.]12 Connected_From d69ac887ecc2b714b7f5e59e95a4e8ed2466bed753c4ac328931212c46050b35
45[.]77[.]212[.]12 Connected_From 853e8388c9a72a7a54129151884da46075d45a5bcd19c37a7857e268137935aa
45[.]77[.]212[.]12 Connected_From a14e2209136dad4f824c6f5986ec5d73d9cc7c86006fd2ceabe34de801062f6b
d69ac887ec.... Connected_To 45[.]77[.]212[.]12
853e8388c9.... Connected_To 45[.]77[.]212[.]12
a14e220913.... Connected_To 45[.]77[.]212[.]12
8a5fc2b8ec.... Dropped 11d8b9be14097614dedd68839c85e3e8feec08cdab675a5e89c5b055a6a68bad
11d8b9be14.... Dropped_By 8a5fc2b8ecb7ac6c0db76049d7e09470dbc24f1a90026a431285244818866505
11d8b9be14.... Downloaded 5cbba90ba539d4eb6097169b0e9acf40b8c4740a01ddb70c67a8fb1fc3524570
11d8b9be14.... Connected_To xework[.]com
xework[.]com Connected_From 11d8b9be14097614dedd68839c85e3e8feec08cdab675a5e89c5b055a6a68bad
xework[.]com Connected_From a0ab222673d35d750a0290db1b0ce890b9d40c2ab67bfebb62e1a006e9f2479c
xework[.]com Resolved_To 184[.]168[.]104[.]171
xework[.]com Resolved_To 144[.]96[.]103[.]245
184[.]168[.]104[.]171 Resolved_To xegroups[.]com
184[.]168[.]104[.]171 Resolved_To hivnd[.]com
184[.]168[.]104[.]171 Resolved_To xework[.]com
144[.]96[.]103[.]245 Resolved_To xework[.]com
5cbba90ba5.... Related_To 08375e2d187ee53ed263ee6529645e03ead1a8e77afd723a3e0495201452d415
5cbba90ba5.... Downloaded_By 11d8b9be14097614dedd68839c85e3e8feec08cdab675a5e89c5b055a6a68bad
08375e2d18.... Related_To 5cbba90ba539d4eb6097169b0e9acf40b8c4740a01ddb70c67a8fb1fc3524570
08375e2d18.... Dropped_By 815d262d38a26d5695606d03d5a1a49b9c00915ead1d8a2c04eb47846100e93f
08375e2d18.... Dropped_By 1fed0766f564dc05a119bc7fa0b6670f0da23504e23ece94a5ae27787b674cd2
08375e2d18.... Dropped_By a0ab222673d35d750a0290db1b0ce890b9d40c2ab67bfebb62e1a006e9f2479c
78a926f899.... Dropped 815d262d38a26d5695606d03d5a1a49b9c00915ead1d8a2c04eb47846100e93f
815d262d38.... Dropped 08375e2d187ee53ed263ee6529645e03ead1a8e77afd723a3e0495201452d415
815d262d38.... Dropped_By 78a926f899320ee6f05ab96f17622fb68e674296689e8649c95f95dade91e933
815d262d38.... Connected_To xegroups[.]com
xegroups[.]com Resolved_To 184[.]168[.]104[.]171
xegroups[.]com Connected_From 815d262d38a26d5695606d03d5a1a49b9c00915ead1d8a2c04eb47846100e93f
xegroups[.]com Connected_From 1fed0766f564dc05a119bc7fa0b6670f0da23504e23ece94a5ae27787b674cd2
508dd87110.... Related_To 1fed0766f564dc05a119bc7fa0b6670f0da23504e23ece94a5ae27787b674cd2
1fed0766f5.... Dropped 08375e2d187ee53ed263ee6529645e03ead1a8e77afd723a3e0495201452d415
1fed0766f5.... Related_To 508dd87110cb5bf5d156a13c2430c215035db216f20f546e4acec476e8d55370
1fed0766f5.... Related_To d9273a16f979adee1afb6e55697d3b7ab42fd75051786f8c67a6baf46c4c19c2
1fed0766f5.... Connected_To xegroups[.]com
e45ad91f12.... Related_To d9273a16f979adee1afb6e55697d3b7ab42fd75051786f8c67a6baf46c4c19c2
e45ad91f12.... Dropped a0ab222673d35d750a0290db1b0ce890b9d40c2ab67bfebb62e1a006e9f2479c
d9273a16f9.... Related_To 1fed0766f564dc05a119bc7fa0b6670f0da23504e23ece94a5ae27787b674cd2
d9273a16f9.... Related_To e45ad91f12188a7c3d4891b70e1ee87a3f23eb981804ea72cd23f1d5e331ff5a
a0ab222673.... Dropped 08375e2d187ee53ed263ee6529645e03ead1a8e77afd723a3e0495201452d415
a0ab222673.... Dropped_By e45ad91f12188a7c3d4891b70e1ee87a3f23eb981804ea72cd23f1d5e331ff5a
a0ab222673.... Connected_To xework[.]com
11415ac829.... Connected_To hivnd[.]com
hivnd[.]com Connected_From 11415ac829c17bd8a9c4cef12c3fbc23095cbb3113c89405e489ead5138384cd
hivnd[.]com Resolved_To 184[.]168[.]104[.]171
833e9cf750.... Connected_To 137[.]184[.]130[.]162
137[.]184[.]130[.]162 Connected_From 833e9cf75079ce796ef60fc7039a0b098be4ce8d259ffa53fe2855df110b2e5d
137[.]184[.]130[.]162 Connected_From b4222cffcdb9fb0eda5aa1703a067021bedd8cf7180cdfc5454d0f07d7eaf18f
137[.]184[.]130[.]162 Connected_From 707d22cacdbd94a3e6dc884242c0565bdf10a0be42990cd7a5497b124474889b
137[.]184[.]130[.]162 Connected_From 74544d31cbbf003bc33e7099811f62a37110556b6c1a644393fddd0bac753730
137[.]184[.]130[.]162 Connected_From f5cafe99bccb9d813909876fa536cc980c45687d0f411c5f4b5346dcf6b304e4
137[.]184[.]130[.]162 Connected_From dedf082f523dfcb75dee0480a2d8a087e3231f89fa34fcd2b7f74866a7b6608f
b4222cffcd.... Connected_To 137[.]184[.]130[.]162
707d22cacd.... Connected_To 137[.]184[.]130[.]162
74544d31cb.... Connected_To 137[.]184[.]130[.]162
f5cafe99bc.... Connected_To 137[.]184[.]130[.]162
dedf082f52.... Connected_To 137[.]184[.]130[.]162


RECOMMENDATIONS

CISA recommends that users and administrators consider using the following best
practices to strengthen the security posture of their organization's systems.
Any configuration changes should be reviewed by system owners and administrators
prior to implementation to avoid unwanted impacts.

 * Maintain up-to-date antivirus signatures and engines.
 * Keep operating system patches up to date.
 * Disable File and Printer sharing services. If these services are required,
   use strong passwords or Active Directory authentication.
 * Restrict users' ability (permissions) to install and run unwanted software
   applications. Do not add users to the local administrators group unless
   required.
 * Enforce a strong password policy and implement regular password changes.
 * Exercise caution when opening e-mail attachments even if the attachment is
   expected and the sender appears to be known.
 * Enable a personal firewall on agency workstations, configured to deny
   unsolicited connection requests.
 * Disable unnecessary services on agency workstations and servers.
 * Scan for and remove suspicious e-mail attachments; ensure the scanned
   attachment is its "true file type" (i.e., the extension matches the file
   header).
 * Monitor users' web browsing habits; restrict access to sites with unfavorable
   content.
 * Exercise caution when using removable media (e.g., USB thumb drives, external
   drives, CDs, etc.).
 * Scan all software downloaded from the Internet prior to execution.
 * Maintain situational awareness of the latest threats and implement
   appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found
in National Institute of Standards and Technology (NIST) Special Publication
800-83, "Guide to Malware Incident Prevention & Handling for Desktops and
Laptops".


CONTACT INFORMATION

 * 1-888-282-0870
 * CISA Service Desk (UNCLASS)
 * CISA SIPR (SIPRNET)
 * CISA IC (JWICS)

CISA continuously strives to improve its products and services. You can help by
answering a very short series of questions about this product at the following
URL: https://us-cert.cisa.gov/forms/feedback/


DOCUMENT FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide
organizations with malware analysis in a timely manner. In most instances this
report will provide initial indicators for computer and network defense. To
request additional analysis, please contact CISA and provide information
regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide
organizations with more detailed malware analysis acquired via manual reverse
engineering. To request additional analysis, please contact CISA and provide
information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by
recipients. All comments or questions related to this document should be
directed to CISA at 1-888-282-0870 or the CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three
methods:

 * Web: https://malware.us-cert.gov
 * E-Mail: submit@malware.us-cert.gov
 * FTP: ftp.malware.us-cert.gov (anonymous)

CISA encourages you to report any suspicious activity, including cybersecurity
incidents, possible malicious code, software vulnerabilities, and
phishing-related scams. Reporting forms can be found on CISA's homepage at
www.cisa.gov.

Please share your thoughts. We recently updated our anonymous Product
Feedback Survey and we'd welcome your feedback.

This product is provided subject to this Notification and this Privacy &
Use policy.

