MAR-10413062-1.v1 Telerik Vulnerability in U.S. Government IIS Server

Notification

This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:CLEAR–Disclosure is not limited. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Summary

Description

CISA received 18 files for analysis from a forensic analysis engagement conducted at a Federal Civilian Executive Branch (FCEB) agency.

When 11 of the dynamic link library (DLL) files are loaded, the files can read, create, and delete files. If the DLL contains a hardcoded Internet Protocol (IP) address, status messages will be sent to the IP. One DLL file will attempt to collect the target system’s Transmission Control Protocol (TCP) connection table, and exfiltrate it to a remote Command and Control server (C2). Five of the files drop and decode a reverse shell utility that can send and receive data and commands. In addition, the files drop and decode an Active Server Pages (ASPX) webshell. Two DLL files are capable of loading and executing payloads.

CISA has provided Indicators of Compromise (IOCs) and YARA rules for detection within this Malware Analysis Report (MAR).

For more information about this compromise, see Joint Cybersecurity Advisory Threat Actors Exploit Progress Telerik Vulnerability in U.S. Government IIS Server.

Download the PDF version of this report:

For a downloadable copy of IOCs, see

Submitted Files (18)

11415ac829c17bd8a9c4cef12c3fbc23095cbb3113c89405e489ead5138384cd (1597974061[.]4531896[.]png)

144492284bcbc0110d34a2b9a44bef90ed0d6cda746df6058b49d3789b0f851d (1666006114[.]5570521[.]txt)

508dd87110cb5bf5d156a13c2430c215035db216f20f546e4acec476e8d55370 (xesmartshell[.]tmp)

707d22cacdbd94a3e6dc884242c0565bdf10a0be42990cd7a5497b124474889b (1665130178[.]9134793[.]dll)

72f7d4d3b9d2e406fa781176bd93e8deee0fb1598b67587e1928455b66b73911 (1594142927[.]995679[.]png)

74544d31cbbf003bc33e7099811f62a37110556b6c1a644393fddd0bac753730 (1665131078[.]6907752[.]dll)

78a926f899320ee6f05ab96f17622fb68e674296689e8649c95f95dade91e933 (1596686310[.]434117[.]png)

833e9cf75079ce796ef60fc7039a0b098be4ce8d259ffa53fe2855df110b2e5d (1665128935[.]8063045[.]dll)

853e8388c9a72a7a54129151884da46075d45a5bcd19c37a7857e268137935aa (1667466391[.]0658665[.]dll)

8a5fc2b8ecb7ac6c0db76049d7e09470dbc24f1a90026a431285244818866505 (1596923477[.]4946315[.]png)

a14e2209136dad4f824c6f5986ec5d73d9cc7c86006fd2ceabe34de801062f6b (1665909724[.]4648924[.]dll)

b4222cffcdb9fb0eda5aa1703a067021bedd8cf7180cdfc5454d0f07d7eaf18f (1665129315[.]9536858[.]dll)

d69ac887ecc2b714b7f5e59e95a4e8ed2466bed753c4ac328931212c46050b35 (1667465147[.]4282858[.]dll)

d9273a16f979adee1afb6e55697d3b7ab42fd75051786f8c67a6baf46c4c19c2 (SortVistaCompat)

dedf082f523dfcb75dee0480a2d8a087e3231f89fa34fcd2b7f74866a7b6608f (1665214140[.]9324195[.]dll)

e044bce06ea49d1eed5e1ec59327316481b8339c3b6e1aecfbb516f56d66e913 (1667465048[.]8995082[.]dll)

e45ad91f12188a7c3d4891b70e1ee87a3f23eb981804ea72cd23f1d5e331ff5a (1596835329[.]5015914[.]png)

f5cafe99bccb9d813909876fa536cc980c45687d0f411c5f4b5346dcf6b304e4 (1665132690[.]6040645[.]dll)

Additional Files (6)

08375e2d187ee53ed263ee6529645e03ead1a8e77afd723a3e0495201452d415 (small[.]aspx)

11d8b9be14097614dedd68839c85e3e8feec08cdab675a5e89c5b055a6a68bad (XEReverseShell[.]exe)

1fed0766f564dc05a119bc7fa0b6670f0da23504e23ece94a5ae27787b674cd2 (xesvrs[.]exe)

5cbba90ba539d4eb6097169b0e9acf40b8c4740a01ddb70c67a8fb1fc3524570 (small[.]txt)

815d262d38a26d5695606d03d5a1a49b9c00915ead1d8a2c04eb47846100e93f (XEReverseShell[.]exe)

a0ab222673d35d750a0290db1b0ce890b9d40c2ab67bfebb62e1a006e9f2479c (Multi-OS_ReverseShell[.]exe)

Domains (3)

hivnd[.]com

xegroups[.]com

xework[.]com

IPs (4)

137[.]184[.]130[.]162

144[.]96[.]103[.]245

184[.]168[.]104[.]171

45[.]77[.]212[.]12

Findings

144492284bcbc0110d34a2b9a44bef90ed0d6cda746df6058b49d3789b0f851d

Tags

wiper

Details

Antivirus

No matches found.

YARA Rules

• rule CISA_10413062_04 : wiper compromises_data_availability
  {
     meta:
         Author = “CISA Code & Media Analysis”
         Incident = “10413062”
         Date = “2022-11-21”
         Last_Modified = “20221123_2000”
         Actor = “n/a”
         Family = “n/a”
         Capabilities = “compromises-data-availability”
         Malware_Type = “wiper”
         Tool_Type = “n/a”
         Description = “Detect portable executable file that deletes .dll files”
         MD5 = “8e33e1e407fc9ff537b63be3ab78cb40”
         SHA256 = “144492284bcbc0110d34a2b9a44bef90ed0d6cda746df6058b49d3789b0f851d”
     strings:
         $s1 = { (43 | 63) 3a 5c (57 | 77) (49 | 69) (4e | 6e) (44 | 64) (4f | 6f) (57 | 77) (53 | 73) 5c (54 | 74) (65 | 45) (4d | 6d) (50 | 70) }
         $s2 = { 43 72 65 61 74 65 54 68 72 65 61 64 }
         $s3 = { 54 65 6c 65 72 69 69 6b 2e 64 6c 6c }
     condition:
         uint16(0) == 0x5a4d and all of ($s*)
  }
• rule CISA_10413062_07 : wiper compromises_data_availability
  {
     meta:
         Author = “CISA Code & Media Analysis”
         Incident = “10413062”
         Date = “2022-11-30”
         Last_Modified = “20221130_1700”
         Actor = “n/a”
         Family = “n/a”
         Capabilities = “compromises-data-availability”
         Malware_Type = “wiper”
         Tool_Type = “n/a”
         Description = “Detects managed malware code in C# DLL samples”
         MD5 = “8e33e1e407fc9ff537b63be3ab78cb40”
         SHA256 = “144492284bcbc0110d34a2b9a44bef90ed0d6cda746df6058b49d3789b0f851d”
     strings:
         $s0 = { 4D 61 69 6E 00 61 72 67 73 00 2E 63 74 6F 72 00 57 72 69 74 65 4C 69 6E 65 }
         $s1 = { 46 69 6E 64 46 69 72 73 74 46 69 6C 65 41 00 00 90 01 46 69 6E 64 }
         $s2 = { 43 3A 5C 77 69 6E 64 6F 77 73 5C 74 65 6D 70 }
         $s3 = { 54 65 6C 65 72 69 69 6B 2E 64 6C 6C }
         $s4 = { 76 34 2E 30 2E 33 30 33 31 39 }
     condition:
         all of them
  }

ssdeep Matches

No matches found.

Description

This file is a malicious .NET DLL, which contains malicious unmanaged 64-bit Intel code. This DLL deletes files that end in “.dll” from C:windowstemp.

e044bce06ea49d1eed5e1ec59327316481b8339c3b6e1aecfbb516f56d66e913

Tags

information-stealer

Details

Antivirus

No matches found.

YARA Rules

• rule CISA_10413062_01 : exfiltrates_data
  {
     meta:
         Author = “CISA Code & Media Analysis”
         Incident = “10413062”
         Date = “2022-11-21”
         Last_Modified = “20221123_2000”
         Actor = “n/a”
         Family = “n/a”
         Capabilities = “exfiltrates-data”
         Malware_Type = “n/a”
         Tool_Type = “n/a”
         Description = “Detect portable executable samples that exfiltrate .config data”
         MD5_1 = “f6f47911ac32afd786a765dcb1f26722”
         SHA256_1 = “e044bce06ea49d1eed5e1ec59327316481b8339c3b6e1aecfbb516f56d66e913”
         MD5_2 = “cd6c11f89b392988e0de3ffe048a561b”
         SHA256_2 = “d69ac887ecc2b714b7f5e59e95a4e8ed2466bed753c4ac328931212c46050b35”
     strings:
         $s1 = { (43 | 63) 3a 5c (49 | 69) (4e | 6e) (45 | 65) (54 | 74) (50 | 70) (55 | 75) (62 | 42) 5c (54 | 74) (45 | 65) (4d | 6d) (50 | 70) }
         $s2 = { (44 | 64) 3a 5c (49 | 69) (4e | 6e) (45 | 65) (54 | 74) (50 | 70) (55 | 75) (62 | 42) 5c (54 | 74) (45 | 65) (4d | 6d) (50 | 70) }
         $s3 = { (45 | 65) 3a 5c (49 | 69) (4e | 6e) (45 | 65) (54 | 74) (50 | 70) (55 | 75) (62 | 42) 5c (54 | 74) (45 | 65) (4d | 6d) (50 | 70) }
         $t4 = { 2e 43 4f (4e | 6e) (46 | 66) (69 | 49) (47 | 67) }
         $t5 = { 2e 43 6f (4e | 6e) (46 | 66) (69 | 49) (47 | 67) }
         $t6 = { 2e 63 4f (4e | 6e) (46 | 66) (69 | 49) (47 | 67) }
         $t7 = { 2e 63 6f (4e | 6e) (46 | 66) (69 | 49) (47 | 67) }                
         $s8 = { 70 68 79 73 69 63 61 6c 50 61 74 68 3d }
         $s9 = { 2f 3e }
         $s10 = { 34 35 2e 37 }
         $s11 = { 37 2e 32 31 }
         $s12 = { 32 2e 31 32 }
         $s13 = { 43 72 65 61 74 65 54 68 72 65 61 64 }
     condition:
         uint16(0) == 0x5a4d and 1 of ($t*) and all of ($s*)
  }
• rule CISA_10413062_06 : exfiltrates_data
  {
     meta:
         Author = “CISA Code & Media Analysis”
         Incident = “10413062”
         Date = “2022-11-30”
         Last_Modified = “20221130_1700”
         Actor = “n/a”
         Family = “n/a”
         Capabilities = “exfiltrates-data”
         Malware_Type = “n/a”
         Tool_Type = “n/a”
         Description = “Detects managed malware code in C# DLL samples”
         MD5 = “f6f47911ac32afd786a765dcb1f26722”
         SHA256 = “e044bce06ea49d1eed5e1ec59327316481b8339c3b6e1aecfbb516f56d66e913”
     strings:
         $s0 = { 4E 65 74 6B 65 6C 2E 64 6C 6C }
         $s1 = { 76 34 2E 30 2E 33 30 33 31 39 }
         $s2 = { 70 68 79 73 69 63 61 6C 50 61 74 68 3D }
         $s3 = { 2E 63 6F 6E 66 69 67 00 2B 5F 2B 5F 2B }
         $s4 = { 43 3A 5C 69 6E 65 74 70 75 62 5C 74 65 6D 70 }
     condition:
         all of them
  }

ssdeep Matches

No matches found.

Relationships

Description

This file is a malicious .NET DLL, which contains malicious unmanaged 64-bit Intel code. Loading this DLL will send “+_+_+” to 45[.]77[.]212[.]12 over port 443. Then, C:inetpubtemp, D:inetpubtemp, and E:inetpubtemp are scanned recursively for files that end in .config.

When a .config file is found, the DLL will look for the strings “physicalPath=” and “/>” within the file. If there is data between those two strings, it will be sent to the IP.

If there was an error calling CreateFileA, “Errorcode: {Error_Code}” will be sent to the IP. If there was an error calling VirtualAlloc, “VirtualAlloc failed” will be sent to the IP. If there was an error while calling ReadFile, “read file failed” will be sent to the IP.

45[.]77[.]212[.]12

Tags

command-and-control

Ports

• 443 TCP

Whois

NetRange:     45[.]76[.]0[.]0 – 45[.]77[.]255[.]255
CIDR:         45[.]76[.]0[.]0/15
NetName:        CONSTANT
NetHandle:     NET-45-76-0-0-1
Parent:         NET45 (NET-45-0-0-0-0)
NetType:        Direct Allocation
OriginAS:     AS20473
Organization: The Constant Company, LLC (CHOOP-1)
RegDate:        2015-04-24
Updated:        2022-09-20
Comment:        Geofeed hxxps://geofeed[.]constant[.]com/
Ref:            hxxps://rdap[.]arin[.]net/registry/ip/45[.]76[.]0[.]0

OrgName:        The Constant Company, LLC
OrgId:         CHOOP-1
Address:        319 Clematis St. Suite 900
City:         West Palm Beach
StateProv:     FL
PostalCode:     33401
Country:        US
RegDate:        2006-10-03
Updated:        2021-03-30
Comment:        hxxp://www[.]constant[.]com/
Ref:            hxxps://rdap[.]arin[.]net/registry/entity/choop-1

OrgNOCHandle: NETWO1159-ARIN
OrgNOCName: Network Operations
OrgNOCPhone: +1-973-849-0500
OrgNOCEmail: network[@]constant[.]com
OrgNOCRef:    hxxps://rdap[.]arin[.]net/registry/entity/netwo1159-arin

OrgAbuseHandle: ABUSE1143-ARIN
OrgAbuseName: Abuse Department
OrgAbusePhone: +1-973-849-0500
OrgAbuseEmail: abuse[@]constant[.]com
OrgAbuseRef:    hxxps://rdap[.]arin[.]net/registry/entity/abuse1143-arin

OrgTechHandle: NETWO1159-ARIN
OrgTechName: Network Operations
OrgTechPhone: +1-973-849-0500
OrgTechEmail: network[@]constant[.]com
OrgTechRef:    hxxps://rdap[.]arin[.]net/registry/entity/netwo1159-arin

NetRange:     45[.]77[.]212[.]0 – 45[.]77[.]213[.]255
CIDR:         45[.]77[.]212[.]0/23
NetName:        NET-45-77-212-0-23
NetHandle:     NET-45-77-212-0-1
Parent:         CONSTANT (NET-45-76-0-0-1)
NetType:        Reassigned
OriginAS:    
Organization: Vultr Holdings, LLC (VHL-59)
RegDate:        2017-11-21
Updated:        2017-11-21
Ref:            hxxps://rdap[.]arin[.]net/registry/ip/45[.]77[.]212[.]0

OrgName:        Vultr Holdings, LLC
OrgId:         VHL-59
Address:        2001 6th Avenue, Suite 300
Address:        2001 Sixth LLC
City:         Seattle
StateProv:     WA
PostalCode:     98121
Country:        US
RegDate:        2015-03-05
Updated:        2015-03-05
Ref:            hxxps://rdap[.]arin[.]net/registry/entity/vhl-59

OrgAbuseHandle: VULTR-ARIN
OrgAbuseName: Vultr Abuse
OrgAbusePhone: +1-973-849-0500
OrgAbuseEmail: abuse[@]vultr[.]com
OrgAbuseRef:    hxxps://rdap[.]arin[.]net/registry/entity/vultr-arin

OrgTechHandle: VULTR-ARIN
OrgTechName: Vultr Abuse
OrgTechPhone: +1-973-849-0500
OrgTechEmail: abuse[@]vultr[.]com
OrgTechRef:    hxxps://rdap[.]arin[.]net/registry/entity/vultr-arin

Relationships

Description

This IP was utilized by multiple malicious applications in this report as a C2 server. It is utilized by the malware to send status information from commands executed on system, as well as a location to exfiltrate sensitive system and network information.

d69ac887ecc2b714b7f5e59e95a4e8ed2466bed753c4ac328931212c46050b35

Tags

information-stealer

Details

Antivirus

No matches found.

YARA Rules

• rule CISA_10413062_01 : exfiltrates_data
  {
     meta:
         Author = “CISA Code & Media Analysis”
         Incident = “10413062”
         Date = “2022-11-21”
         Last_Modified = “20221123_2000”
         Actor = “n/a”
         Family = “n/a”
         Capabilities = “exfiltrates-data”
         Malware_Type = “n/a”
         Tool_Type = “n/a”
         Description = “Detect portable executable samples that exfiltrate .config data”
         MD5_1 = “f6f47911ac32afd786a765dcb1f26722”
         SHA256_1 = “e044bce06ea49d1eed5e1ec59327316481b8339c3b6e1aecfbb516f56d66e913”
         MD5_2 = “cd6c11f89b392988e0de3ffe048a561b”
         SHA256_2 = “d69ac887ecc2b714b7f5e59e95a4e8ed2466bed753c4ac328931212c46050b35”
     strings:
         $s1 = { (43 | 63) 3a 5c (49 | 69) (4e | 6e) (45 | 65) (54 | 74) (50 | 70) (55 | 75) (62 | 42) 5c (54 | 74) (45 | 65) (4d | 6d) (50 | 70) }
         $s2 = { (44 | 64) 3a 5c (49 | 69) (4e | 6e) (45 | 65) (54 | 74) (50 | 70) (55 | 75) (62 | 42) 5c (54 | 74) (45 | 65) (4d | 6d) (50 | 70) }
         $s3 = { (45 | 65) 3a 5c (49 | 69) (4e | 6e) (45 | 65) (54 | 74) (50 | 70) (55 | 75) (62 | 42) 5c (54 | 74) (45 | 65) (4d | 6d) (50 | 70) }
         $t4 = { 2e 43 4f (4e | 6e) (46 | 66) (69 | 49) (47 | 67) }
         $t5 = { 2e 43 6f (4e | 6e) (46 | 66) (69 | 49) (47 | 67) }
         $t6 = { 2e 63 4f (4e | 6e) (46 | 66) (69 | 49) (47 | 67) }
         $t7 = { 2e 63 6f (4e | 6e) (46 | 66) (69 | 49) (47 | 67) }                
         $s8 = { 70 68 79 73 69 63 61 6c 50 61 74 68 3d }
         $s9 = { 2f 3e }
         $s10 = { 34 35 2e 37 }
         $s11 = { 37 2e 32 31 }
         $s12 = { 32 2e 31 32 }
         $s13 = { 43 72 65 61 74 65 54 68 72 65 61 64 }
     condition:
         uint16(0) == 0x5a4d and 1 of ($t*) and all of ($s*)
  }

ssdeep Matches

No matches found.

Relationships

Description

This file is a malicious .NET DLL, which contains malicious unmanaged 64-bit Intel code. The file has the same functionality as “1667465048[.]8995082[.]dll” (e044bce06e…).

853e8388c9a72a7a54129151884da46075d45a5bcd19c37a7857e268137935aa

Tags

information-stealer

Details

Antivirus

No matches found.

YARA Rules

• rule CISA_10413062_02 : information_stealer information_gathering
  {
     meta:
         Author = “CISA Code & Media Analysis”
         Incident = “10413062”
         Date = “2022-11-21”
         Last_Modified = “20221123_2000”
         Actor = “n/a”
         Family = “n/a”
         Capabilities = “n/a”
         Malware_Type = “n/a”
         Tool_Type = “information-gathering”
         Description = “Detect portable executable file that creates and deletes a file”
         MD5 = “cece36ea4e328f093517ff68d0ed085c”
         SHA256 = “853e8388c9a72a7a54129151884da46075d45a5bcd19c37a7857e268137935aa”
     strings:
         $s1 = { 34 35 2e 37 }
         $s2 = { 37 2e 32 31 }
         $s3 = { 32 2e 31 32 }
         $s4 = { (45 | 65) 3a 5c (57 | 77) (45 | 65) (42 | 62) (53 | 73) (49 | 69) (54 | 74) (45 | 65) (53 | 73) 5c (4d | 6d) (45 | 65) (49 | 69) (53 | 73) 5c }
         $s5 = { 43 72 65 61 74 65 46 69 6c 65 }
         $s6 = { 57 72 69 74 65 46 69 6c 65 }
         $s7 = { 44 65 6c 65 74 65 46 69 6c 65 }
         $s8 = { 43 72 65 61 74 65 54 68 72 65 61 64 }
     condition:
         uint16(0) == 0x5a4d and all of ($s*)
  }
• rule CISA_10413062_08 : information_stealer information_gathering
  {
     meta:
         Author = “CISA Code & Media Analysis”
         Incident = “10413062”
         Date = “2022-11-30”
         Last_Modified = “20221130_1700”
         Actor = “n/a”
         Family = “n/a”
         Capabilities = “n/a”
         Malware_Type = “n/a”
         Tool_Type = “information-gathering”
         Description = “Detects managed malware code in C# DLL samples”
         MD5 = “cece36ea4e328f093517ff68d0ed085c”
         SHA256 = “853e8388c9a72a7a54129151884da46075d45a5bcd19c37a7857e268137935aa”
     strings:
         $s0 = { 43 72 65 61 74 65 46 69 6C 65 20 45 72 72 6F 72 }
         $s1 = { 57 72 69 74 65 46 69 6C 65 20 45 72 72 6F 72 }
         $s2 = { 44 65 6C 65 74 65 46 69 6C 65 41 20 66 61 69 6C }
         $s3 = { 45 3A 5C 77 65 62 73 69 74 65 73 5C 4D 45 49 53 }
         $s4 = { 76 34 2E 30 2E 33 30 33 31 39 }
     condition:
         all of them
  }

ssdeep Matches

No matches found.

Relationships

Description

This file is a malicious .NET DLL, which contains malicious unmanaged 64-bit Intel code. Loading this DLL will send “+_+_+” to 45[.]77[.]212[.]12 over port 443. The DLL will then create E:websitesico[.]txt and write “111” to that file. If there was an error creating the file, “CreateFile Error code: {Error_Code}” will be sent to the IP and execution ends. If there was an error writing to the file, “WriteFile Error code: {Error_Code}” will be sent to the IP and execution ends. If there are no errors, “CreateFileA OK” will be sent. The DLL will then delete E:websitesico[.]txt. If successful, “DeleteFileA OK” will be sent to the IP. If there was an error “DeleteFileA failed” will be sent to the IP.

Analysis indicates the purpose of this application is to provide a remote operator the ability to determine whether or not they can write files to the system’s web server directory. This capability will likely allow the operator to determine whether or not they can remotely install a webshell to allow convenient and persistent remote access to the compromised system.

Screenshots

Figure 1 – This code illustrates the malware attempting to create a file on the targeted system within the E:\websites directory. This appears to be a test to ensure the remote operator can remotely install web application code onto the target.

a14e2209136dad4f824c6f5986ec5d73d9cc7c86006fd2ceabe34de801062f6b

Tags

trojan

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

This file is a malicious .NET DLL, which contains malicious unmanaged 64-bit Intel code. Static analysis indicates that the primary purpose of this code is to obtain a copy of the targeted system’s TCP connection table via the GetTcpTable API, and export it to the malware’s remote C2 server 45[.]77[.]212[.]12.

The purpose of this application is to allow a remote operator to determine what systems the targeted system currently has an established TCP session with. This capability will allow the operator to more efficiently profile the targeted network.

Screenshots

Figure 2 – The malicious binary loading its C2 IP 45[.]77[.]212[.]12 onto the stack.

Figure 3 – The malware obtaining a copy of the targeted system’s TCP connection table. Analysis indicates the TCP table will be exfiltrated to the remote C2 server.

8a5fc2b8ecb7ac6c0db76049d7e09470dbc24f1a90026a431285244818866505

Tags

droppertrojan

Details

Antivirus

YARA Rules

• rule CISA_10413062_10 : XEReverseShell trojan backdoor downloader dropper webshell remote_access communicates_with_C2 exfiltrates_data installs_other_components
  {
     meta:
         Author = “CISA Code & Media Analysis”
         Incident = “10413062”
         Date = “2022-11-23”
         Last_Modified = “20221215_1930”
         Actor = “n/a”
         Family = “XEReverseShell”
         Capabilities = “remote-access communicates-with-C2 exfiltrates-data installs-other-components”
         Malware_Type = “trojan backdoor downloader dropper webshell”
         Tool_Type = “remote-access”
         Description = “Detects XEReverseShell samples”
         MD5_1 = “37e173b932596af62fefc4dc10c8551d”
         SHA256_1 = “815d262d38a26d5695606d03d5a1a49b9c00915ead1d8a2c04eb47846100e93f”
         MD5_2 = “0bcceb4fdfb12db21fdfc3a42b9c4693”
         SHA256_2 = “508dd87110cb5bf5d156a13c2430c215035db216f20f546e4acec476e8d55370”
         MD5_3 = “42d7b2e1bcf75f9c469afa340f078c86”
         SHA256_3 = “d9273a16f979adee1afb6e55697d3b7ab42fd75051786f8c67a6baf46c4c19c2”
         MD5_4 = “d85880ad1e87c4266f899eca02207dd4”
         SHA256_4 = “1fed0766f564dc05a119bc7fa0b6670f0da23504e23ece94a5ae27787b674cd2”
         MD5_5 = “eaa579d911b8a47eaaea744d59d14708”
         SHA256_5 = “11d8b9be14097614dedd68839c85e3e8feec08cdab675a5e89c5b055a6a68bad”
         MD5_6 = “f968639a4840535a6ecda1cbe3065260”
         SHA256_6 = “a0ab222673d35d750a0290db1b0ce890b9d40c2ab67bfebb62e1a006e9f2479c”
         MD5_7 = “137423d7b7f5a5684a9b1457f46fdfb2”
         SHA256_7 = “e45ad91f12188a7c3d4891b70e1ee87a3f23eb981804ea72cd23f1d5e331ff5a”
         MD5_8 = “7947ce86923d732e6963c79aea757036”
         SHA256_8 = “8a5fc2b8ecb7ac6c0db76049d7e09470dbc24f1a90026a431285244818866505”
         MD5_9 = “d3cf1d590b2a63ae6070dd0011390f03”
         SHA256_9 = “78a926f899320ee6f05ab96f17622fb68e674296689e8649c95f95dade91e933”        
     strings:
         $s1 = { 50 67 42 59 52 56 4a 6c 64 6d 56 79 63 32 56 54 61 47 56 73 }
         $s2 = { 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 }
         $s3 = { 78 65 73 76 72 73 2e 65 78 65 }
         $s4 = { 58 45 52 65 76 65 72 73 65 53 68 65 6c 6c }
         $s5 = { 57 45 56 53 5a 58 5a 6c 63 6e 4e 6c 55 32 }
         $s6 = { 59 00 32 00 31 00 6b 00 4c 00 6d 00 56 00 34 00 5a 00 51 00 3d 00 3d }
     condition:
         2 of them
  }

ssdeep Matches

No matches found.

Relationships

Description

This artifact is a DLL that drops and executes a reverse shell utility. When the DLL is loaded, it will drop an embedded and base64 encoded payload named ‘sortcombat’ into the path C:WindowsTemp. The program will then invoke the Windows command-line utility certutil[.]exe with the –decode option and write the new file as sortcombat[.]exe into C:WindowsTemp. Cmd[.]exe is then invoked to execute sortcombat[.]exe.

11d8b9be14097614dedd68839c85e3e8feec08cdab675a5e89c5b055a6a68bad

Tags

backdoordecryptordroppertrojan

Details

Antivirus

YARA Rules

• rule CISA_10413062_10 : XEReverseShell trojan backdoor downloader dropper webshell remote_access communicates_with_C2 exfiltrates_data installs_other_components
  {
     meta:
         Author = “CISA Code & Media Analysis”
         Incident = “10413062”
         Date = “2022-11-23”
         Last_Modified = “20221215_1930”
         Actor = “n/a”
         Family = “XEReverseShell”
         Capabilities = “remote-access communicates-with-C2 exfiltrates-data installs-other-components”
         Malware_Type = “trojan backdoor downloader dropper webshell”
         Tool_Type = “remote-access”
         Description = “Detects XEReverseShell samples”
         MD5_1 = “37e173b932596af62fefc4dc10c8551d”
         SHA256_1 = “815d262d38a26d5695606d03d5a1a49b9c00915ead1d8a2c04eb47846100e93f”
         MD5_2 = “0bcceb4fdfb12db21fdfc3a42b9c4693”
         SHA256_2 = “508dd87110cb5bf5d156a13c2430c215035db216f20f546e4acec476e8d55370”
         MD5_3 = “42d7b2e1bcf75f9c469afa340f078c86”
         SHA256_3 = “d9273a16f979adee1afb6e55697d3b7ab42fd75051786f8c67a6baf46c4c19c2”
         MD5_4 = “d85880ad1e87c4266f899eca02207dd4”
         SHA256_4 = “1fed0766f564dc05a119bc7fa0b6670f0da23504e23ece94a5ae27787b674cd2”
         MD5_5 = “eaa579d911b8a47eaaea744d59d14708”
         SHA256_5 = “11d8b9be14097614dedd68839c85e3e8feec08cdab675a5e89c5b055a6a68bad”
         MD5_6 = “f968639a4840535a6ecda1cbe3065260”
         SHA256_6 = “a0ab222673d35d750a0290db1b0ce890b9d40c2ab67bfebb62e1a006e9f2479c”
         MD5_7 = “137423d7b7f5a5684a9b1457f46fdfb2”
         SHA256_7 = “e45ad91f12188a7c3d4891b70e1ee87a3f23eb981804ea72cd23f1d5e331ff5a”
         MD5_8 = “7947ce86923d732e6963c79aea757036”
         SHA256_8 = “8a5fc2b8ecb7ac6c0db76049d7e09470dbc24f1a90026a431285244818866505”
         MD5_9 = “d3cf1d590b2a63ae6070dd0011390f03”
         SHA256_9 = “78a926f899320ee6f05ab96f17622fb68e674296689e8649c95f95dade91e933”        
     strings:
         $s1 = { 50 67 42 59 52 56 4a 6c 64 6d 56 79 63 32 56 54 61 47 56 73 }
         $s2 = { 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 }
         $s3 = { 78 65 73 76 72 73 2e 65 78 65 }
         $s4 = { 58 45 52 65 76 65 72 73 65 53 68 65 6c 6c }
         $s5 = { 57 45 56 53 5a 58 5a 6c 63 6e 4e 6c 55 32 }
         $s6 = { 59 00 32 00 31 00 6b 00 4c 00 6d 00 56 00 34 00 5a 00 51 00 3d 00 3d }
     condition:
         2 of them
  }

ssdeep Matches

No matches found.

Relationships

Description

This artifact is a reverse shell utility with the internal name of ‘XEReverseShell[.]exe’ that is dropped by “1596923477[.]4946315[.]png” (8a5fc2b8ec…) into C:WindowsTemp as sortcombat[.]exe. When this utility is executed it will attempt to connect to the domain xework[.]com to obtain the IP address of the C2 and port number to listen on. If no IP address or port number is obtained the program will terminate.

—Begin HTTP Sessions—
GET /masterip HTTP/1[.]1
Host: xework[.]com
Connection: Keep-Alive

GET /masterport HTTP/1[.]1
Host: xework[.]com
—End HTTP Sessions—

Upon receipt of the port number, XEReverseShell[.]exe will establish a listener on the port to accept streamed data. The utility is able to read or write streamed data and pass incoming commands to a command shell.
The program will check the OS Version of the system to determine what type of command shell is required. For Windows systems it will invoke Y21kLmV4ZQ== (cmd[.]exe), and for Linux it will invoke L2Jpbi9iYXNo (/bin/bash).

XEReverseShell collects the path to the web server system files, current username, APP_POOL (IIS Application Pool configuration), ComputerName, OSVersion, Internet IP, Local IP and Reverse Domain. If it cannot identify the Internet IP address or Reverse Domain the utility attempts to connect to api[.]hackertarget[.]com/reverselookup/?q= to identify the IP address or retrieve answer records for the domain. Api[.]hackertarget[.]com is a legitimate website hosted for blue teams and penetration testers.

XEReverseShell will send the system data to the C2 in the following format:

—Begin—
WEBSITE PATH

————————[ XE ReverseShell ]———————–
CURRENT USERNAME
APP POOL
COMPUTER NAME
SYSTEM
INTERNET IP        LOCAL IP
REVERSE DOMAIN
—End—

The utility will expect the command ‘xesetshell’ from the C2. If the command is received it will connect to the C2 and download a file called small[.]txt (5cbba90ba5…). Small[.]txt is a base64 encoded webshell that the program decodes as small[.]aspx and places in the path C:WindowsTemp.
If the utility receives the command ‘xequit’ it will sleep for a period of time determined by the adversary.

xework[.]com

Tags

command-and-control

Ports

• 80 TCP

HTTP Sessions

• GET /masterip HTTP/1[.]1
  Host: xework[.]com
  Connection: Keep-Alive
• GET /masterport HTTP/1[.]1
  Host: xework[.]com

Whois

Domain Name: XEWORK[.]COM
Registry Domain ID: 1568779295_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois[.]godaddy[.]com
Registrar URL: hxxp://www[.]godaddy[.]com
Updated Date: 2022-09-06T10:32:23Z
Creation Date: 2009-09-11T22:17:25Z
Registry Expiry Date: 2026-09-11T22:17:25Z
Registrar: GoDaddy[.]com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse[@]godaddy[.]com
Registrar Abuse Contact Phone: 480-624-2505
Domain Status: ok hxxps://icann[.]org/epp#ok
Name Server: NS05[.]DOMAINCONTROL[.]COM
Name Server: NS06[.]DOMAINCONTROL[.]COM
DNSSEC: unsigned

Domain Name: XEWORK[.]COM
Registry Domain ID: 1568779295_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois[.]godaddy[.]com
Registrar URL: hxxps://www[.]godaddy[.]com
Updated Date: 2018-03-05T23:44:55Z
Creation Date: 2009-09-11T17:17:25Z
Registrar Registration Expiration Date: 2026-09-11T17:17:25Z
Registrar: GoDaddy[.]com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse[@]godaddy[.]com
Registrar Abuse Contact Phone: +1[.]4806242505
Domain Status: ok hxxps://icann[.]org/epp#ok
Registry Registrant ID: Not Available From Registry
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Registrant Street: DomainsByProxy[.]com
Registrant Street: 2155 E Warner Rd
Registrant City: Tempe
Registrant State/Province: Arizona
Registrant Postal Code: 85284
Registrant Country: US
Registrant Phone: +1[.]4806242599
Registrant Phone Ext:
Registrant Fax: +1[.]4806242598
Registrant Fax Ext:
Registrant Email: Select Contact Domain Holder link at hxxps://www[.]godaddy[.]com/whois/results.aspx?domain=xework.com
Registry Admin ID: Not Available From Registry
Admin Name: Registration Private
Admin Organization: Domains By Proxy, LLC
Admin Street: DomainsByProxy[.]com
Admin Street: 2155 E Warner Rd
Admin City: Tempe
Admin State/Province: Arizona
Admin Postal Code: 85284
Admin Country: US
Admin Phone: +1[.]4806242599
Admin Phone Ext:
Admin Fax: +1[.]4806242598
Admin Fax Ext:
Admin Email: Select Contact Domain Holder link at hxxps://www[.]godaddy[.]com/whois/results.aspx?domain=xework.com
Registry Tech ID: Not Available From Registry
Tech Name: Registration Private
Tech Organization: Domains By Proxy, LLC
Tech Street: DomainsByProxy[.]com
Tech Street: 2155 E Warner Rd
Tech City: Tempe
Tech State/Province: Arizona
Tech Postal Code: 85284
Tech Country: US
Tech Phone: +1[.]4806242599
Tech Phone Ext:
Tech Fax: +1[.]4806242598
Tech Fax Ext:
Tech Email: Select Contact Domain Holder link at hxxps://www[.]godaddy[.]com/whois/results.aspx?domain=xework.com
Name Server: NS05[.]DOMAINCONTROL[.]COM
Name Server: NS06[.]DOMAINCONTROL[.]COM
DNSSEC: unsigned

Relationships

Description

At the time of analysis, the files “XEReverseShell[.]exe” (11d8b9be14…) and “Multi-OS_ReverseShell[.]exe” (a0ab222673…) attempted to connect to this domain.

184[.]168[.]104[.]171

Relationships

Description

At the time of analysis, the domains xework[.]com, xegroups[.]com, and hivnd[.]com resolved to this IP address.

144[.]96[.]103[.]245

Relationships

Description

The domain xework[.]com returned this IP address as the masterip for the reverse shell.

5cbba90ba539d4eb6097169b0e9acf40b8c4740a01ddb70c67a8fb1fc3524570

Tags

downloaderuploaderwebshell

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

This artifact is a base64 encoded text file that is downloaded by “XEReverseShell[.]exe” (11d8b9be14…) and decoded as small[.]aspx. Then it is placed in the path C:WindowsTemp.

08375e2d187ee53ed263ee6529645e03ead1a8e77afd723a3e0495201452d415

Tags

downloadertrojanuploaderwebshell

Details

Antivirus

YARA Rules

• rule CISA_10413062_09 : trojan webshell
  {
     meta:
         Author = “CISA Code & Media Analysis”
         Incident = “10413062”
         Date = “2022-12-05”
         Last_Modified = “20221215_1930”
         Actor = “n/a”
         Family = “n/a”
         Capabilities = “n/a”
         Malware_Type = “trojan downloader webshell”
         Tool_Type = “n/a”
         Description = “Detects ASPX Webshell samples”
         MD5_1 = “ce8481189008d7f4a685615508110d88”
         SHA256_1 = “08375e2d187ee53ed263ee6529645e03ead1a8e77afd723a3e0495201452d415”
     strings:
         $s1 = { 50 61 67 65 20 4c 61 6e 67 75 61 67 65 3d 22 43 23 22 }
         $s2 = { 72 75 6e 61 74 3d 22 73 65 72 76 65 72 22 }
         $s3 = { 44 72 69 76 65 49 6e 66 6f }
         $s4 = { 74 78 74 43 6d 64 49 6e }
         $s5 = { 63 6d 64 55 70 6c 6f 61 64 }
         $s6 = { 50 61 73 73 54 68 72 6f 75 67 68 }
     condition:
         all of them
  }

ssdeep Matches

No matches found.

Relationships

Description

This artifact is an ASPX webshell. The webshell is able to enumerate drives on the system, send, receive and delete files, and also execute incoming commands. The webshell contains an interface for easily browsing for files, directories, or drives on the system. It can sort files by size or MAC time, and allows the user to upload or download files to any directory.

78a926f899320ee6f05ab96f17622fb68e674296689e8649c95f95dade91e933

Tags

decryptordroppertrojan

Details

Antivirus

YARA Rules

• rule CISA_10413062_10 : XEReverseShell trojan backdoor downloader dropper webshell remote_access communicates_with_C2 exfiltrates_data installs_other_components
  {
     meta:
         Author = “CISA Code & Media Analysis”
         Incident = “10413062”
         Date = “2022-11-23”
         Last_Modified = “20221215_1930”
         Actor = “n/a”
         Family = “XEReverseShell”
         Capabilities = “remote-access communicates-with-C2 exfiltrates-data installs-other-components”
         Malware_Type = “trojan backdoor downloader dropper webshell”
         Tool_Type = “remote-access”
         Description = “Detects XEReverseShell samples”
         MD5_1 = “37e173b932596af62fefc4dc10c8551d”
         SHA256_1 = “815d262d38a26d5695606d03d5a1a49b9c00915ead1d8a2c04eb47846100e93f”
         MD5_2 = “0bcceb4fdfb12db21fdfc3a42b9c4693”
         SHA256_2 = “508dd87110cb5bf5d156a13c2430c215035db216f20f546e4acec476e8d55370”
         MD5_3 = “42d7b2e1bcf75f9c469afa340f078c86”
         SHA256_3 = “d9273a16f979adee1afb6e55697d3b7ab42fd75051786f8c67a6baf46c4c19c2”
         MD5_4 = “d85880ad1e87c4266f899eca02207dd4”
         SHA256_4 = “1fed0766f564dc05a119bc7fa0b6670f0da23504e23ece94a5ae27787b674cd2”
         MD5_5 = “eaa579d911b8a47eaaea744d59d14708”
         SHA256_5 = “11d8b9be14097614dedd68839c85e3e8feec08cdab675a5e89c5b055a6a68bad”
         MD5_6 = “f968639a4840535a6ecda1cbe3065260”
         SHA256_6 = “a0ab222673d35d750a0290db1b0ce890b9d40c2ab67bfebb62e1a006e9f2479c”
         MD5_7 = “137423d7b7f5a5684a9b1457f46fdfb2”
         SHA256_7 = “e45ad91f12188a7c3d4891b70e1ee87a3f23eb981804ea72cd23f1d5e331ff5a”
         MD5_8 = “7947ce86923d732e6963c79aea757036”
         SHA256_8 = “8a5fc2b8ecb7ac6c0db76049d7e09470dbc24f1a90026a431285244818866505”
         MD5_9 = “d3cf1d590b2a63ae6070dd0011390f03”
         SHA256_9 = “78a926f899320ee6f05ab96f17622fb68e674296689e8649c95f95dade91e933”        
     strings:
         $s1 = { 50 67 42 59 52 56 4a 6c 64 6d 56 79 63 32 56 54 61 47 56 73 }
         $s2 = { 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 }
         $s3 = { 78 65 73 76 72 73 2e 65 78 65 }
         $s4 = { 58 45 52 65 76 65 72 73 65 53 68 65 6c 6c }
         $s5 = { 57 45 56 53 5a 58 5a 6c 63 6e 4e 6c 55 32 }
      &nbsnbsp;  $s6 = { 59 00 32 00 31 00 6b 00 4c 00 6d 00 56 00 34 00 5a 00 51 00 3d 00 3d }
     condition:
         2 of them
  }

ssdeep Matches

No matches found.

Relationships

Description

This artifact is a DLL that drops and executes a reverse shell utility. When the DLL is loaded it will drop an embedded and base64 encoded payload named ‘xesmartshell’ (508dd87110…) into the path C:WindowsTemp. The program will then invoke certutil[.]exe with the –decode option and write the new file as xesvrs[.]exe (1fed0766f5…) into C:WindowsTemp. Cmd[.]exe is then invoked to execute the reverse shell.

815d262d38a26d5695606d03d5a1a49b9c00915ead1d8a2c04eb47846100e93f

Tags

backdoordecryptordroppertrojan

Details

Antivirus

YARA Rules

• rule CISA_10413062_10 : XEReverseShell trojan backdoor downloader dropper webshell remote_access communicates_with_C2 exfiltrates_data installs_other_components
  {
     meta:
         Author = “CISA Code & Media Analysis”
         Incident = “10413062”
         Date = “2022-11-23”
         Last_Modified = “20221215_1930”
         Actor = “n/a”
         Family = “XEReverseShell”
         Capabilities = “remote-access communicates-with-C2 exfiltrates-data installs-other-components”
         Malware_Type = “trojan backdoor downloader dropper webshell”
         Tool_Type = “remote-access”
         Description = “Detects XEReverseShell samples”
         MD5_1 = “37e173b932596af62fefc4dc10c8551d”
         SHA256_1 = “815d262d38a26d5695606d03d5a1a49b9c00915ead1d8a2c04eb47846100e93f”
         MD5_2 = “0bcceb4fdfb12db21fdfc3a42b9c4693”
         SHA256_2 = “508dd87110cb5bf5d156a13c2430c215035db216f20f546e4acec476e8d55370”
         MD5_3 = “42d7b2e1bcf75f9c469afa340f078c86”
         SHA256_3 = “d9273a16f979adee1afb6e55697d3b7ab42fd75051786f8c67a6baf46c4c19c2”
         MD5_4 = “d85880ad1e87c4266f899eca02207dd4”
         SHA256_4 = “1fed0766f564dc05a119bc7fa0b6670f0da23504e23ece94a5ae27787b674cd2”
         MD5_5 = “eaa579d911b8a47eaaea744d59d14708”
         SHA256_5 = “11d8b9be14097614dedd68839c85e3e8feec08cdab675a5e89c5b055a6a68bad”
         MD5_6 = “f968639a4840535a6ecda1cbe3065260”
         SHA256_6 = “a0ab222673d35d750a0290db1b0ce890b9d40c2ab67bfebb62e1a006e9f2479c”
         MD5_7 = “137423d7b7f5a5684a9b1457f46fdfb2”
         SHA256_7 = “e45ad91f12188a7c3d4891b70e1ee87a3f23eb981804ea72cd23f1d5e331ff5a”
         MD5_8 = “7947ce86923d732e6963c79aea757036”
         SHA256_8 = “8a5fc2b8ecb7ac6c0db76049d7e09470dbc24f1a90026a431285244818866505”
         MD5_9 = “d3cf1d590b2a63ae6070dd0011390f03”
         SHA256_9 = “78a926f899320ee6f05ab96f17622fb68e674296689e8649c95f95dade91e933”        
     strings:
         $s1 = { 50 67 42 59 52 56 4a 6c 64 6d 56 79 63 32 56 54 61 47 56 73 }
         $s2 = { 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 }
         $s3 = { 78 65 73 76 72 73 2e 65 78 65 }
         $s4 = { 58 45 52 65 76 65 72 73 65 53 68 65 6c 6c }
         $s5 = { 57 45 56 53 5a 58 5a 6c 63 6e 4e 6c 55 32 }
         $s6 = { 59 00 32 00 31 00 6b 00 4c 00 6d 00 56 00 34 00 5a 00 51 00 3d 00 3d }
     condition:
         2 of them
  }

ssdeep Matches

No matches found.

Relationships

Description

This artifact is a reverse shell utility named ‘XE ReverseShell[.]exe’ that is dropped and decoded by “1596686310[.]434117[.]png” (78a926f899…). When the utility is executed it will attempt to connect to the domain xegroups[.]com to obtain the IP address of the C2 and port number to listen on. If no IP address or port number is obtained the program will terminate.

—Begin HTTP Session—
GET /masterip HTTP/1[.]1
Host: xegroups[.]com
Connection: Keep-Alive

GET /masterport HTTP/1[.]1
Host: xegroups[.]com
—End HTTP Session—

Upon receipt of the port number, XE ReverseShell will establish a listener on the port to accept streamed data. The utility is able to read or write streamed data and pass incoming commands to a command shell.
The program will check the OS Version of the system to determine what type of command shell is required. For Windows systems it will invoke Y21kLmV4ZQ== (cmd[.]exe), and for Linux it will invoke L2Jpbi9iYXNo (/bin/bash).

XE ReverseShell collects the path to the web server system files, current username, APP_POOL (IIS Application Pool configuration), ComputerName, OSVersion, Internet IP, Local IP and Reverse Domain
XEReverseShell will send the system data to the C2 in the following format:

—Begin—
—————[ XE ReverseShell ]—————
CURRENT USERNAME
APP POOL            APP_POOL_CONFIG
COMPUTER NAME
SYSTEM                LOCAL IP
—————————————————–
—End—

After the listener is set, the utility will execute the ‘setshell’ command that drops an embedded ASPX webshell (08375e2d18…). If the utility receives the command ‘xequit’ it will sleep for a period of time determined by the adversary.

xegroups[.]com

Tags

command-and-control

Ports

• 443 TCP

HTTP Sessions

• GET /masterip HTTP/1[.]1
  Host: xegroups[.]com
  Connection: Keep-Alive
• GET /masterport HTTP/1[.]1
  Host: xegroups[.]com
  Connection: Keep-Alive

Whois

Domain Name: XEGROUPS[.]COM
Registry Domain ID: 1688868944_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois[.]godaddy[.]com
Registrar URL: hxxp://www[.]godaddy[.]com
Updated Date: 2022-09-10T12:19:48Z
Creation Date: 2011-11-25T06:06:37Z
Registry Expiry Date: 2026-11-25T06:06:37Z
Registrar: GoDaddy[.]com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse[@]godaddy[.]com
Registrar Abuse Contact Phone: 480-624-2505
Domain Status: ok hxxps://icann[.]org/epp#ok
Name Server: NS15[.]DOMAINCONTROL[.]COM
Name Server: NS16[.]DOMAINCONTROL[.]COM
Name Server: PDNS05[.]DOMAINCONTROL[.]COM
Name Server: PDNS06[.]DOMAINCONTROL[.]COM
DNSSEC: unsigned

Domain Name: XEGROUPS[.]COM
Registry Domain ID: 1688868944_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois[.]godaddy[.]com
Registrar URL: hxxps://www[.]godaddy[.]com
Updated Date: 2022-03-31T11:16:55Z
Creation Date: 2011-11-25T01:06:37Z
Registrar Registration Expiration Date: 2026-11-25T01:06:37Z
Registrar: GoDaddy[.]com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse[@]godaddy[.]com
Registrar Abuse Contact Phone: +1[.]4806242505
Domain Status: ok hxxps://icann[.]org/epp#ok
Registry Registrant ID: Not Available From Registry
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Registrant Street: DomainsByProxy[.]com
Registrant Street: 2155 E Warner Rd
Registrant City: Tempe
Registrant State/Province: Arizona
Registrant Postal Code: 85284
Registrant Country: US
Registrant Phone: +1[.]4806242599
Registrant Phone Ext:
Registrant Fax: +1[.]4806242598
Registrant Fax Ext:
Registrant Email: Select Contact Domain Holder link at hxxps://www[.]godaddy[.]com/whois/results.aspx?domain=xegroups.com
Registry Admin ID: Not Available From Registry
Admin Name: Registration Private
Admin Organization: Domains By Proxy, LLC
Admin Street: DomainsByProxy[.]com
Admin Street: 2155 E Warner Rd
Admin City: Tempe
Admin State/Province: Arizona
Admin Postal Code: 85284
Admin Country: US
Admin Phone: +1[.]4806242599
Admin Phone Ext:
Admin Fax: +1[.]4806242598
Admin Fax Ext:
Admin Email: Select Contact Domain Holder link at hxxps://www[.]godaddy[.]com/whois/results.aspx?domain=xegroups.com
Registry Tech ID: Not Available From Registry
Tech Name: Registration Private
Tech Organization: Domains By Proxy, LLC
Tech Street: DomainsByProxy[.]com
Tech Street: 2155 E Warner Rd
Tech City: Tempe
Tech State/Province: Arizona
Tech Postal Code: 85284
Tech Country: US
Tech Phone: +1[.]4806242599
Tech Phone Ext:
Tech Fax: +1[.]4806242598
Tech Fax Ext:
Tech Email: Select Contact Domain Holder link at hxxps://www[.]godaddy[.]com/whois/results.aspx?domain=xegroups.com
Name Server: NS15[.]DOMAINCONTROL[.]COM
Name Server: NS16[.]DOMAINCONTROL[.]COM
Name Server: PDNS05[.]DOMAINCONTROL[.]COM
Name Server: PDNS06[.]DOMAINCONTROL[.]COM
DNSSEC: unsigned

Relationships

Description

At the time of analysis, the files “XEReverseShell[.]exe” (815d262d38…) and “Multi-OS_ReverseShell[.]exe” (1fed0766f56…) attempted to connect to this domain.

508dd87110cb5bf5d156a13c2430c215035db216f20f546e4acec476e8d55370

Tags

backdoordecryptordownloaderdropperloadertrojan

Details

Antivirus

YARA Rules

• rule CISA_10413062_10 : XEReverseShell trojan backdoor downloader dropper webshell remote_access communicates_with_C2 exfiltrates_data installs_other_components
  {
     meta:
         Author = “CISA Code & Media Analysis”
         Incident = “10413062”
         Date = “2022-11-23”
         Last_Modified = “20221215_1930”
         Actor = “n/a”
         Family = “XEReverseShell”
         Capabilities = “remote-access communicates-with-C2 exfiltrates-data installs-other-components”
         Malware_Type = “trojan backdoor downloader dropper webshell”
         Tool_Type = “remote-access”
         Description = “Detects XEReverseShell samples”
         MD5_1 = “37e173b932596af62fefc4dc10c8551d”
         SHA256_1 = “815d262d38a26d5695606d03d5a1a49b9c00915ead1d8a2c04eb47846100e93f”
         MD5_2 = “0bcceb4fdfb12db21fdfc3a42b9c4693”
         SHA256_2 = “508dd87110cb5bf5d156a13c2430c215035db216f20f546e4acec476e8d55370”
         MD5_3 = “42d7b2e1bcf75f9c469afa340f078c86”
         SHA256_3 = “d9273a16f979adee1afb6e55697d3b7ab42fd75051786f8c67a6baf46c4c19c2”
         MD5_4 = “d85880ad1e87c4266f899eca02207dd4”
         SHA256_4 = “1fed0766f564dc05a119bc7fa0b6670f0da23504e23ece94a5ae27787b674cd2”
         MD5_5 = “eaa579d911b8a47eaaea744d59d14708”
         SHA256_5 = “11d8b9be14097614dedd68839c85e3e8feec08cdab675a5e89c5b055a6a68bad”
         MD5_6 = “f968639a4840535a6ecda1cbe3065260”
         SHA256_6 = “a0ab222673d35d750a0290db1b0ce890b9d40c2ab67bfebb62e1a006e9f2479c”
         MD5_7 = “137423d7b7f5a5684a9b1457f46fdfb2”
         SHA256_7 = “e45ad91f12188a7c3d4891b70e1ee87a3f23eb981804ea72cd23f1d5e331ff5a”
         MD5_8 = “7947ce86923d732e6963c79aea757036”
         SHA256_8 = “8a5fc2b8ecb7ac6c0db76049d7e09470dbc24f1a90026a431285244818866505”
         MD5_9 = “d3cf1d590b2a63ae6070dd0011390f03”
         SHA256_9 = “78a926f899320ee6f05ab96f17622fb68e674296689e8649c95f95dade91e933”        
     strings:
         $s1 = { 50 67 42 59 52 56 4a 6c 64 6d 56 79 63 32 56 54 61 47 56 73 }
         $s2 = { 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 }
         $s3 = { 78 65 73 76 72 73 2e 65 78 65 }
         $s4 = { 58 45 52 65 76 65 72 73 65 53 68 65 6c 6c }
         $s5 = { 57 45 56 53 5a 58 5a 6c 63 6e 4e 6c 55 32 }
         $s6 = { 59 00 32 00 31 00 6b 00 4c 00 6d 00 56 00 34 00 5a 00 51 00 3d 00 3d }
     condition:
         2 of them
  }

ssdeep Matches

No matches found.

Relationships

Description

This artifact is a base64 encoded file. The file will be decoded using the command-line utility certutil[.]exe and executed as xesvrs[.]exe (1fed0766f5…).

1fed0766f564dc05a119bc7fa0b6670f0da23504e23ece94a5ae27787b674cd2

Tags

backdoordecryptordroppertrojan

Details

Antivirus

YARA Rules

• rule CISA_10413062_10 : XEReverseShell trojan backdoor downloader dropper webshell remote_access communicates_with_C2 exfiltrates_data installs_other_components
  {
     meta:
         Author = “CISA Code & Media Analysis”
         Incident = “10413062”
         Date = “2022-11-23”
         Last_Modified = “20221215_1930”
         Actor = “n/a”
         Family = “XEReverseShell”
         Capabilities = “remote-access communicates-with-C2 exfiltrates-data installs-other-components”
         Malware_Type = “trojan backdoor downloader dropper webshell”
         Tool_Type = “remote-access”
         Description = “Detects XEReverseShell samples”
         MD5_1 = “37e173b932596af62fefc4dc10c8551d”
         SHA256_1 = “815d262d38a26d5695606d03d5a1a49b9c00915ead1d8a2c04eb47846100e93f”
         MD5_2 = “0bcceb4fdfb12db21fdfc3a42b9c4693”
         SHA256_2 = “508dd87110cb5bf5d156a13c2430c215035db216f20f546e4acec476e8d55370”
         MD5_3 = “42d7b2e1bcf75f9c469afa340f078c86”
         SHA256_3 = “d9273a16f979adee1afb6e55697d3b7ab42fd75051786f8c67a6baf46c4c19c2”
         MD5_4 = “d85880ad1e87c4266f899eca02207dd4”
         SHA256_4 = “1fed0766f564dc05a119bc7fa0b6670f0da23504e23ece94a5ae27787b674cd2”
         MD5_5 = “eaa579d911b8a47eaaea744d59d14708”
         SHA256_5 = “11d8b9be14097614dedd68839c85e3e8feec08cdab675a5e89c5b055a6a68bad”
         MD5_6 = “f968639a4840535a6ecda1cbe3065260”
         SHA256_6 = “a0ab222673d35d750a0290db1b0ce890b9d40c2ab67bfebb62e1a006e9f2479c”
         MD5_7 = “137423d7b7f5a5684a9b1457f46fdfb2”
         SHA256_7 = “e45ad91f12188a7c3d4891b70e1ee87a3f23eb981804ea72cd23f1d5e331ff5a”
         MD5_8 = “7947ce86923d732e6963c79aea757036”
         SHA256_8 = “8a5fc2b8ecb7ac6c0db76049d7e09470dbc24f1a90026a431285244818866505”
         MD5_9 = “d3cf1d590b2a63ae6070dd0011390f03”
         SHA256_9 = “78a926f899320ee6f05ab96f17622fb68e674296689e8649c95f95dade91e933”        
     strings:
         $s1 = { 50 67 42 59 52 56 4a 6c 64 6d 56 79 63 32 56 54 61 47 56 73 }
         $s2 = { 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 }
         $s3 = { 78 65 73 76 72 73 2e 65 78 65 }
         $s4 = { 58 45 52 65 76 65 72 73 65 53 68 65 6c 6c }
         $s5 = { 57 45 56 53 5a 58 5a 6c 63 6e 4e 6c 55 32 }
         $s6 = { 59 00 32 00 31 00 6b 00 4c 00 6d 00 56 00 34 00 5a 00 51 00 3d 00 3d }
     condition:
         2 of them
  }

ssdeep Matches

No matches found.

Relationships

Description

This artifact is a reverse shell utility named ‘Multi-OS ReverseShell[.]exe’ that is decoded from xesmartshell[.]tmp (508dd87110…). When the utility is executed it will attempt to connect to the domain xegroups[.]com using Secure Sockets Layer (SSL) to obtain the IP address of the C2 and port number to listen on. If no IP address or port number is obtained the program will terminate.

Upon receipt of the port number, Multi-OS ReverseShell will establish a listener on the port to accept streamed data. If a port number is not returned, the program will listen on TCP 3979 by default.
The utility is able to read or write streamed data and pass incoming commands to a command shell.
The program will check the OS Version of the system to determine what type of command shell is required. For Windows systems it will invoke Y21kLmV4ZQ== (cmd[.]exe), and for Linux it will invoke L2Jpbi9iYXNo (/bin/bash).

Multi-OS ReverseShell collects the path to the web server system files, current username, APP_POOL (IIS Application Pool configuration), ComputerName, OSVersion, Internet IP, Local IP and Reverse Domain
XEReverseShell will send the system data to the C2 in the following format:

—Begin—
—[ X ReverseShell ]—
CURRENT USERNAME
APP POOL            APP_POOL_CONFIG
COMPUTER NAME
SYSTEM                LOCAL IP
—————————–
—End—

After the listener is set, the utility will execute the ‘setshell’ command that drops an embedded ASPX webshell (08375e2d18…). If the utility receives the command ‘xequit’ it will sleep for a period of time determined by the adversary.

e45ad91f12188a7c3d4891b70e1ee87a3f23eb981804ea72cd23f1d5e331ff5a

Tags

decryptordroppertrojan

Details

Antivirus

YARA Rules

• rule CISA_10413062_10 : XEReverseShell trojan backdoor downloader dropper webshell remote_access communicates_with_C2 exfiltrates_data installs_other_components
  {
     meta:
         Author = “CISA Code & Media Analysis”
         Incident = “10413062”
         Date = “2022-11-23”
         Last_Modified = “20221215_1930”
         Actor = “n/a”
         Family = “XEReverseShell”
         Capabilities = “remote-access communicates-with-C2 exfiltrates-data installs-other-components”
         Malware_Type = “trojan backdoor downloader dropper webshell”
         Tool_Type = “remote-access”
         Description = “Detects XEReverseShell samples”
         MD5_1 = “37e173b932596af62fefc4dc10c8551d”
         SHA256_1 = “815d262d38a26d5695606d03d5a1a49b9c00915ead1d8a2c04eb47846100e93f”
         MD5_2 = “0bcceb4fdfb12db21fdfc3a42b9c4693”
         SHA256_2 = “508dd87110cb5bf5d156a13c2430c215035db216f20f546e4acec476e8d55370”
         MD5_3 = “42d7b2e1bcf75f9c469afa340f078c86”
         SHA256_3 = “d9273a16f979adee1afb6e55697d3b7ab42fd75051786f8c67a6baf46c4c19c2”
         MD5_4 = “d85880ad1e87c4266f899eca02207dd4”
         SHA256_4 = “1fed0766f564dc05a119bc7fa0b6670f0da23504e23ece94a5ae27787b674cd2”
         MD5_5 = “eaa579d911b8a47eaaea744d59d14708”
         SHA256_5 = “11d8b9be14097614dedd68839c85e3e8feec08cdab675a5e89c5b055a6a68bad”
         MD5_6 = “f968639a4840535a6ecda1cbe3065260”
         SHA256_6 = “a0ab222673d35d750a0290db1b0ce890b9d40c2ab67bfebb62e1a006e9f2479c”
         MD5_7 = “137423d7b7f5a5684a9b1457f46fdfb2”
         SHA256_7 = “e45ad91f12188a7c3d4891b70e1ee87a3f23eb981804ea72cd23f1d5e331ff5a”
         MD5_8 = “7947ce86923d732e6963c79aea757036”
         SHA256_8 = “8a5fc2b8ecb7ac6c0db76049d7e09470dbc24f1a90026a431285244818866505”
         MD5_9 = “d3cf1d590b2a63ae6070dd0011390f03”
         SHA256_9 = “78a926f899320ee6f05ab96f17622fb68e674296689e8649c95f95dade91e933”        
     strings:
         $s1 = { 50 67 42 59 52 56 4a 6c 64 6d 56 79 63 32 56 54 61 47 56 73 }
         $s2 = { 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 }
         $s3 = { 78 65 73 76 72 73 2e 65 78 65 }
         $s4 = { 58 45 52 65 76 65 72 73 65 53 68 65 6c 6c }
         $s5 = { 57 45 56 53 5a 58 5a 6c 63 6e 4e 6c 55 32 }
         $s6 = { 59 00 32 00 31 00 6b 00 4c 00 6d 00 56 00 34 00 5a 00 51 00 3d 00 3d }
     condition:
         2 of them
  }

ssdeep Matches

No matches found.

Relationships

Description

This artifact is a DLL that drops and executes a reverse shell utility. When the DLL is loaded it will drop an embedded and base64 encoded payload named ‘SortVistaCompat’ (d9273a16f9…) into the path C:WindowsTemp. The program will then invoke the command-line utility certutil[.]exe with the –decode option and write the new file as xesvrs[.]exe (1fed0766f5…) into C:WindowsTemp. Cmd[.]exe is then invoked to execute the dropped file.

d9273a16f979adee1afb6e55697d3b7ab42fd75051786f8c67a6baf46c4c19c2

Tags

backdoordroppertrojan

Details

Antivirus

YARA Rules

• rule CISA_10413062_10 : XEReverseShell trojan backdoor downloader dropper webshell remote_access communicates_with_C2 exfiltrates_data installs_other_components
  {
     meta:
         Author = “CISA Code & Media Analysis”
         Incident = “10413062”
         Date = “2022-11-23”
         Last_Modified = “20221215_1930”
         Actor = “n/a”
         Family = “XEReverseShell”
         Capabilities = “remote-access communicates-with-C2 exfiltrates-data installs-other-components”
         Malware_Type = “trojan backdoor downloader dropper webshell”
         Tool_Type = “remote-access”
         Description = “Detects XEReverseShell samples”
         MD5_1 = “37e173b932596af62fefc4dc10c8551d”
         SHA256_1 = “815d262d38a26d5695606d03d5a1a49b9c00915ead1d8a2c04eb47846100e93f”
         MD5_2 = “0bcceb4fdfb12db21fdfc3a42b9c4693”
         SHA256_2 = “508dd87110cb5bf5d156a13c2430c215035db216f20f546e4acec476e8d55370”
         MD5_3 = “42d7b2e1bcf75f9c469afa340f078c86”
         SHA256_3 = “d9273a16f979adee1afb6e55697d3b7ab42fd75051786f8c67a6baf46c4c19c2”
         MD5_4 = “d85880ad1e87c4266f899eca02207dd4”
         SHA256_4 = “1fed0766f564dc05a119bc7fa0b6670f0da23504e23ece94a5ae27787b674cd2”
         MD5_5 = “eaa579d911b8a47eaaea744d59d14708”
         SHA256_5 = “11d8b9be14097614dedd68839c85e3e8feec08cdab675a5e89c5b055a6a68bad”
         MD5_6 = “f968639a4840535a6ecda1cbe3065260”
         SHA256_6 = “a0ab222673d35d750a0290db1b0ce890b9d40c2ab67bfebb62e1a006e9f2479c”
         MD5_7 = “137423d7b7f5a5684a9b1457f46fdfb2”
         SHA256_7 = “e45ad91f12188a7c3d4891b70e1ee87a3f23eb981804ea72cd23f1d5e331ff5a”
         MD5_8 = “7947ce86923d732e6963c79aea757036”
         SHA256_8 = “8a5fc2b8ecb7ac6c0db76049d7e09470dbc24f1a90026a431285244818866505”
         MD5_9 = “d3cf1d590b2a63ae6070dd0011390f03”
         SHA256_9 = “78a926f899320ee6f05ab96f17622fb68e674296689e8649c95f95dade91e933”        
     strings:
         $s1 = { 50 67 42 59 52 56 4a 6c 64 6d 56 79 63 32 56 54 61 47 56 73 }
         $s2 = { 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 }
         $s3 = { 78 65 73 76 72 73 2e 65 78 65 }
         $s4 = { 58 45 52 65 76 65 72 73 65 53 68 65 6c 6c }
         $s5 = { 57 45 56 53 5a 58 5a 6c 63 6e 4e 6c 55 32 }
         $s6 = { 59 00 32 00 31 00 6b 00 4c 00 6d 00 56 00 34 00 5a 00 51 00 3d 00 3d }
     condition:
         2 of them
  }

ssdeep Matches

No matches found.

Relationships

Description

This artifact is a base64 encoded file. The file will be decoded using the command-line utility certutil[.]exe and executed as xesvrs[.]exe (1fed0766f5…).

a0ab222673d35d750a0290db1b0ce890b9d40c2ab67bfebb62e1a006e9f2479c

Tags

backdoordecryptordroppertrojan

Details

Antivirus

YARA Rules

• rule CISA_10413062_10 : XEReverseShell trojan backdoor downloader dropper webshell remote_access communicates_with_C2 exfiltrates_data installs_other_components
  {
     meta:
         Author = “CISA Code & Media Analysis”
         Incident = “10413062”
         Date = “2022-11-23”
         Last_Modified = “20221215_1930”
         Actor = “n/a”
         Family = “XEReverseShell”
         Capabilities = “remote-access communicates-with-C2 exfiltrates-data installs-other-components”
         Malware_Type = “trojan backdoor downloader dropper webshell”
         Tool_Type = “remote-access”
         Description = “Detects XEReverseShell samples”
         MD5_1 = “37e173b932596af62fefc4dc10c8551d”
         SHA256_1 = “815d262d38a26d5695606d03d5a1a49b9c00915ead1d8a2c04eb47846100e93f”
         MD5_2 = “0bcceb4fdfb12db21fdfc3a42b9c4693”
         SHA256_2 = “508dd87110cb5bf5d156a13c2430c215035db216f20f546e4acec476e8d55370”
         MD5_3 = “42d7b2e1bcf75f9c469afa340f078c86”
         SHA256_3 = “d9273a16f979adee1afb6e55697d3b7ab42fd75051786f8c67a6baf46c4c19c2”
         MD5_4 = “d85880ad1e87c4266f899eca02207dd4”
         SHA256_4 = “1fed0766f564dc05a119bc7fa0b6670f0da23504e23ece94a5ae27787b674cd2”
         MD5_5 = “eaa579d911b8a47eaaea744d59d14708”
         SHA256_5 = “11d8b9be14097614dedd68839c85e3e8feec08cdab675a5e89c5b055a6a68bad”
         MD5_6 = “f968639a4840535a6ecda1cbe3065260”
         SHA256_6 = “a0ab222673d35d750a0290db1b0ce890b9d40c2ab67bfebb62e1a006e9f2479c”
         MD5_7 = “137423d7b7f5a5684a9b1457f46fdfb2”
         SHA256_7 = “e45ad91f12188a7c3d4891b70e1ee87a3f23eb981804ea72cd23f1d5e331ff5a”
         MD5_8 = “7947ce86923d732e6963c79aea757036”
         SHA256_8 = “8a5fc2b8ecb7ac6c0db76049d7e09470dbc24f1a90026a431285244818866505”
         MD5_9 = “d3cf1d590b2a63ae6070dd0011390f03”
         SHA256_9 = “78a926f899320ee6f05ab96f17622fb68e674296689e8649c95f95dade91e933”        
     strings:
         $s1 = { 50 67 42 59 52 56 4a 6c 64 6d 56 79 63 32 56 54 61 47 56 73 }
         $s2 = { 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 }
         $s3 = { 78 65 73 76 72 73 2e 65 78 65 }
         $s4 = { 58 45 52 65 76 65 72 73 65 53 68 65 6c 6c }
         $s5 = { 57 45 56 53 5a 58 5a 6c 63 6e 4e 6c 55 32 }
         $s6 = { 59 00 32 00 31 00 6b 00 4c 00 6d 00 56 00 34 00 5a 00 51 00 3d 00 3d }
     condition:
         2 of them
  }

ssdeep Matches

No matches found.

Relationships

Description

This artifact is a reverse shell utility named ‘XEReverseShell[.]exe’ that is dropped by “1596835329[.]5015914[.]png” (e45ad91f12…) into C:WindowsTemp as xesvrs[.]exe. When the utility is executed it will attempt to connect to the domain xework[.]com to obtain the IP address of the C2 and port number to listen on. If no IP address or port number is obtained the program will terminate.

—Begin HTTP Sessions—
GET /masterip HTTP/1[.]1
Host: xework[.]com
Connection: Keep-Alive

GET /masterport HTTP/1[.]1
Host: xework[.]com
—End HTTP Sessions—

Upon receipt of the port number, XEReverseShell will establish a listener on the port to accept streamed data. The utility is able to read or write streamed data and pass incoming commands to a command shell.
The program will check the OS Version of the system to determine what type of command shell is required. For Windows systems it will invoke Y21kLmV4ZQ== (cmd[.]exe), and for Linux it will invoke L2Jpbi9iYXNo (/bin/bash).

XEReverseShell collects the path to the web server system files, current username, APP_POOL (IIS Application Pool configuration), ComputerName, OSVersion, Internet IP, Local IP and Reverse Domain. If it cannot identify the Internet IP address or Reverse Domain the utility attempts to connect to api[.]hackertarget[.]com/reverselookup/?q= to identify the IP address or retrieve answer records for the domain. Api[.]hackertarget[.]com is a legitimate website hosted for blue teams and penetration testers.

XEReverseShell will send the system data to the C2 in the following format:
—Begin—
|

————————[ XE ReverseShell ]———————–
CURRENT USERNAME
APP POOL        APP_POOL_CONFIG
COMPUTER NAME
SYSTEM
INTERNET IP        LOCAL IP
REVERSE DOMAIN

————————————————————————-
—End—

After the listener is set, the program will drop and decode an embedded base64 encoded webshell named small[.]aspx (08375e2d18…) into the path C:WindowsTemp. If the utility receives the command ‘xequit’ it will sleep for a period of time determined by the adversary.

11415ac829c17bd8a9c4cef12c3fbc23095cbb3113c89405e489ead5138384cd

Tags

downloadertrojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

This artifact is a DLL that is designed to invoke PowerShell to download and execute a file on the system. When the DLL is executed it will attempt to connect to the Uniform Resource Locator (URL) hivnd[.]com/thumpxcache and download a file to the path C:WindowsTemp. The downloaded file is named thumcache[.]exe and is invoked using cmd[.]exe[.]

The file thumcache[.]exe was not available for analysis.

hivnd[.]com

Tags

command-and-control

URLs

• hxxps://hivnd[.]com/thumpxcache

Ports

• 443 TCP

Whois

Domain Name: HIVND[.]COM
Registry Domain ID: 1688870027_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois[.]godaddy[.]com
Registrar URL: hxxp://www[.]godaddy[.]com
Updated Date: 2022-09-10T12:20:07Z
Creation Date: 2011-11-25T06:18:30Z
Registry Expiry Date: 2026-11-25T06:18:30Z
Registrar: GoDaddy[.]com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse[@]godaddy[.]com
Registrar Abuse Contact Phone: 480-624-2505
Domain Status: ok hxxps://icann[.]org/epp#ok
Name Server: NS31[.]DOMAINCONTROL[.]COM
Name Server: NS32[.]DOMAINCONTROL[.]COM
Name Server: NS63[.]DOMAINCONTROL[.]COM
Name Server: NS64[.]DOMAINCONTROL[.]COM
Name Server: NS77[.]DOMAINCONTROL[.]COM
Name Server: NS78[.]DOMAINCONTROL[.]COM
Name Server: PDNS05[.]DOMAINCONTROL[.]COM
Name Server: PDNS06[.]DOMAINCONTROL[.]COM
DNSSEC: unsigned

Domain Name: HIVND[.]COM
Registry Domain ID: 1688870027_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois[.]godaddy[.]com
Registrar URL: hxxps://www[.]godaddy[.]com
Updated Date: 2018-03-05T23:44:55Z
Creation Date: 2011-11-25T01:18:30Z
Registrar Registration Expiration Date: 2026-11-25T01:18:30Z
Registrar: GoDaddy[.]com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse[@]godaddy[.]com
Registrar Abuse Contact Phone: +1[.]4806242505
Domain Status: ok hxxps://icann[.]org/epp#ok
Registry Registrant ID: Not Available From Registry
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Registrant Street: DomainsByProxy[.]com
Registrant Street: 2155 E Warner Rd
Registrant City: Tempe
Registrant State/Province: Arizona
Registrant Postal Code: 85284
Registrant Country: US
Registrant Phone: +1[.]4806242599
Registrant Phone Ext:
Registrant Fax: +1[.]4806242598
Registrant Fax Ext:
Registrant Email: Select Contact Domain Holder link at hxxps://www[.]godaddy[.]com/whois/results.aspx?domain=hivnd.com
Registry Admin ID: Not Available From Registry
Admin Name: Registration Private
Admin Organization: Domains By Proxy, LLC
Admin Street: DomainsByProxy[.]com
Admin Street: 2155 E Warner Rd
Admin City: Tempe
Admin State/Province: Arizona
Admin Postal Code: 85284
Admin Country: US
Admin Phone: +1[.]4806242599
Admin Phone Ext:
Admin Fax: +1[.]4806242598
Admin Fax Ext:
Admin Email: Select Contact Domain Holder link at hxxps://www[.]godaddy[.]com/whois/results.aspx?domain=hivnd.com
Registry Tech ID: Not Available From Registry
Tech Name: Registration Private
Tech Organization: Domains By Proxy, LLC
Tech Street: DomainsByProxy[.]com
Tech Street: 2155 E Warner Rd
Tech City: Tempe
Tech State/Province: Arizona
Tech Postal Code: 85284
Tech Country: US
Tech Phone: +1[.]4806242599
Tech Phone Ext:
Tech Fax: +1[.]4806242598
Tech Fax Ext:
Tech Email: Select Contact Domain Holder link at hxxps://www[.]godaddy[.]com/whois/results.aspx?domain=hivnd.com
Name Server: NS31[.]DOMAINCONTROL[.]COM
Name Server: NS32[.]DOMAINCONTROL[.]COM
Name Server: NS63[.]DOMAINCONTROL[.]COM
Name Server: NS64[.]DOMAINCONTROL[.]COM
Name Server: NS77[.]DOMAINCONTROL[.]COM
Name Server: NS78[.]DOMAINCONTROL[.]COM
Name Server: PDNS05[.]DOMAINCONTROL[.]COM
Name Server: PDNS06[.]DOMAINCONTROL[.]COM
DNSSEC: unsigned

Relationships

Description

At the time of analysis, the file “1594142927[.]995679[.]png” (11415ac829…) attempted to connect to this domain.

72f7d4d3b9d2e406fa781176bd93e8deee0fb1598b67587e1928455b66b73911

Tags

trojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This artifact is a DLL that is designed to download and execute a payload. The file does not contain a URL to check for downloads. If the program determines that it is running in a virtual environment, it will trigger an exception and terminate.

833e9cf75079ce796ef60fc7039a0b098be4ce8d259ffa53fe2855df110b2e5d

Tags

trojan

Details

Antivirus

YARA Rules

• rule CISA_10413062_13 : wiper information_gathering
  {
     meta:
         Author = “CISA Code & Media Analysis”
         Incident = “10413062”
         Date = “2022-12-21”
         Last_Modified = “20230106_1400”
         Actor = “n/a”
         Family = “n/a”
         Capabilities = “information-gathering”
         Malware_Type = “wiper”
         Tool_Type = “n/a”
         Description = “Detects PE information gathering samples”
         SHA256_1 = “dedf082f523dfcb75dee0480a2d8a087e3231f89fa34fcd2b7f74866a7b6608f”
         SHA256_2 = “f5cafe99bccb9d813909876fa536cc980c45687d0f411c5f4b5346dcf6b304e4”
         SHA256_3 = “74544d31cbbf003bc33e7099811f62a37110556b6c1a644393fddd0bac753730”
         SHA256_4 = “833e9cf75079ce796ef60fc7039a0b098be4ce8d259ffa53fe2855df110b2e5d”
     strings:
         $a1 = { 46 69 6e 64 46 69 72 73 74 46 69 6c 65 45 78 57 }
         $a2 = { 46 69 6e 64 4e 65 78 74 46 69 6c 65 57 }
         $a3 = { 47 65 74 41 43 50 }
         $a4 = { 47 65 74 4f 45 4d 43 50 }
         $a5 = { 47 65 74 43 50 49 6e 66 6f }
         $a6 = { 47 65 74 43 6f 6d 6d 61 6e 64 4c 69 6e 65 41 }
         $a7 = { 47 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 74 72 69 6e 67 73 57 }
         $a8 = { 44 65 6c 65 74 65 46 69 6c 65 41 }
         $m1 = { 76 34 2e 30 2e 33 30 33 31 39 }
         $m2 = { 61 6d 64 36 34 }
         $m3 = { 2e 64 6c 6c }
         $m4 = { 64 65 6c 65 74 65 }
         $s1 = { 3c 4d 6f 64 75 6c 65 }
         $s2 = { 25 73 5c 25 73 }
         $s3 = { 25 73 5c 2a }
         $s4 = { 63 3a 3e }
     condition:
         uint16(0) == 0x5a4d and all of them
  }

ssdeep Matches

No matches found.

Relationships

Description

This file is a .NET DLL, which contains malicious unmanaged 64-bit Intel code. This DLL deletes .dll files ending with “.dll” extension in the “C:windowstemp” directory on the infected machine. This sample also has the capability to enumerate the system, get network parameters including host name, domain name, Domain Name System (DNS) servers, NetBIOS ID, adapter information, IP address, subnet, gateway IP, and Dynamic Host Configuration Protocol (DHCP) server. The sample then communicates the collected data to a C2 server located at IP address 137[.]184[.]130[.]162.

137[.]184[.]130[.]162

Tags

command-and-control

Ports

• 443 TCP

Whois

NetRange:     137[.]184[.]0[.]0 – 137[.]184[.]255[.]255
CIDR:         137[.]184[.]0[.]0/16
NetName:        DIGITALOCEAN-137-184-0-0
NetHandle:     NET-137-184-0-0-1
Parent:         NET137 (NET-137-0-0-0-0)
NetType:        Direct Allocation
OriginAS:     AS14061
Organization: DigitalOcean, LLC (DO-13)
RegDate:        2019-11-13
Updated:        2020-04-03
Comment:        Routing and Peering Policy can be found at hxxps://www[.]as14061[.]net
Comment:        
Comment:        Please submit abuse reports at
hxxps://www[.]digitalocean[.]com/company/contact/#abuse
Ref:            hxxps://rdap[.]arin[.]net/registry/ip/137[.]184[.]0[.]0

OrgName:        DigitalOcean, LLC
OrgId:         DO-13
Address:        101 Ave of the Americas
Address:        FL2
City:         New York
StateProv:     NY
PostalCode:     10013
Country:        US
RegDate:        2012-05-14
Updated:        2022-05-19
Ref:            hxxps://rdap[.]arin[.]net/registry/entity/do-13

OrgAbuseHandle: ABUSE5232-ARIN
OrgAbuseName: Abuse, DigitalOcean
OrgAbusePhone: +1-347-875-6044
OrgAbuseEmail:
OrgAbuseRef:    hxxps://rdap[.]arin[.]net/registry/entity/abuse5232-arin

OrgTechHandle: NOC32014-ARIN
OrgTechName: Network Operations Center
OrgTechPhone: +1-347-875-6044
OrgTechEmail:
OrgTechRef:    hxxps://rdap[.]arin[.]net/registry/entity/noc32014-arin

OrgNOCHandle: NOC32014-ARIN
OrgNOCName: Network Operations Center
OrgNOCPhone: +1-347-875-6044
OrgNOCEmail:
OrgNOCRef:    hxxps://rdap[.]arin[.]net/registry/entity/noc32014-arin

Relationships

Description

This IP address is the C2 server that the samples connect to.

b4222cffcdb9fb0eda5aa1703a067021bedd8cf7180cdfc5454d0f07d7eaf18f

Tags

trojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

This file is a .NET DLL, which contains malicious unmanaged 64-bit Intel code. This sample has the capability to load additional libraries, enumerate the system, processes, files, directories, and has the ability to write files, get network parameters including host name, domain name, DNS servers, NetBIOS ID, adapter information, IP address, subnet, gateway IP, and DHCP server. The sample then communicates the collected data to a C2 server located at IP address 137[.]184[.]130[.]162.

707d22cacdbd94a3e6dc884242c0565bdf10a0be42990cd7a5497b124474889b

Tags

trojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

This file is a .NET DLL, which contains malicious unmanaged 64-bit Intel code. This sample has capability to get network parameters including host name, domain name, DNS servers, NetBIOS ID, adapter information, IP address, subnet, gateway IP, DHCP server, and additional data and communicate it to a C2 server located at IP address 137[.]184[.]130[.]162 over port 443.

74544d31cbbf003bc33e7099811f62a37110556b6c1a644393fddd0bac753730

Tags

trojan

Details

Antivirus

YARA Rules

• rule CISA_10413062_13 : wiper information_gathering
  {
     meta:
         Author = “CISA Code & Media Analysis”
         Incident = “10413062”
         Date = “2022-12-21”
         Last_Modified = “20230106_1400”
         Actor = “n/a”
         Family = “n/a”
         Capabilities = “information-gathering”
         Malware_Type = “wiper”
         Tool_Type = “n/a”
         Description = “Detects PE information gathering samples”
         SHA256_1 = “dedf082f523dfcb75dee0480a2d8a087e3231f89fa34fcd2b7f74866a7b6608f”
         SHA256_2 = “f5cafe99bccb9d813909876fa536cc980c45687d0f411c5f4b5346dcf6b304e4”
         SHA256_3 = “74544d31cbbf003bc33e7099811f62a37110556b6c1a644393fddd0bac753730”
         SHA256_4 = “833e9cf75079ce796ef60fc7039a0b098be4ce8d259ffa53fe2855df110b2e5d”
     strings:
         $a1 = { 46 69 6e 64 46 69 72 73 74 46 69 6c 65 45 78 57 }
         $a2 = { 46 69 6e 64 4e 65 78 74 46 69 6c 65 57 }
         $a3 = { 47 65 74 41 43 50 }
         $a4 = { 47 65 74 4f 45 4d 43 50 }
         $a5 = { 47 65 74 43 50 49 6e 66 6f }
         $a6 = { 47 65 74 43 6f 6d 6d 61 6e 64 4c 69 6e 65 41 }
         $a7 = { 47 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 74 72 69 6e 67 73 57 }
         $a8 = { 44 65 6c 65 74 65 46 69 6c 65 41 }
         $m1 = { 76 34 2e 30 2e 33 30 33 31 39 }
         $m2 = { 61 6d 64 36 34 }
         $m3 = { 2e 64 6c 6c }
         $m4 = { 64 65 6c 65 74 65 }
         $s1 = { 3c 4d 6f 64 75 6c 65 }
         $s2 = { 25 73 5c 25 73 }
         $s3 = { 25 73 5c 2a }
         $s4 = { 63 3a 3e }
     condition:
         uint16(0) == 0x5a4d and all of them
  }

ssdeep Matches

No matches found.

Relationships

Description

This file is a .NET DLL, which contains malicious unmanaged 64-bit Intel code. This file has the same functionality as the file “1665128935[.]8063045[.]dll” (833e9cf750…).

f5cafe99bccb9d813909876fa536cc980c45687d0f411c5f4b5346dcf6b304e4

Tags

trojan

Details

Antivirus

YARA Rules

• rule CISA_10413062_13 : wiper information_gathering
  {
     meta:
         Author = “CISA Code & Media Analysis”
         Incident = “10413062”
         Date = “2022-12-21”
         Last_Modified = “20230106_1400”
         Actor = “n/a”
         Family = “n/a”
         Capabilities = “information-gathering”
         Malware_Type = “wiper”
         Tool_Type = “n/a”
         Description = “Detects PE information gathering samples”
         SHA256_1 = “dedf082f523dfcb75dee0480a2d8a087e3231f89fa34fcd2b7f74866a7b6608f”
         SHA256_2 = “f5cafe99bccb9d813909876fa536cc980c45687d0f411c5f4b5346dcf6b304e4”
         SHA256_3 = “74544d31cbbf003bc33e7099811f62a37110556b6c1a644393fddd0bac753730”
         SHA256_4 = “833e9cf75079ce796ef60fc7039a0b098be4ce8d259ffa53fe2855df110b2e5d”
     strings:
         $a1 = { 46 69 6e 64 46 69 72 73 74 46 69 6c 65 45 78 57 }
         $a2 = { 46 69 6e 64 4e 65 78 74 46 69 6c 65 57 }
         $a3 = { 47 65 74 41 43 50 }
         $a4 = { 47 65 74 4f 45 4d 43 50 }
         $a5 = { 47 65 74 43 50 49 6e 66 6f }
         $a6 = { 47 65 74 43 6f 6d 6d 61 6e 64 4c 69 6e 65 41 }
         $a7 = { 47 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 74 72 69 6e 67 73 57 }
         $a8 = { 44 65 6c 65 74 65 46 69 6c 65 41 }
         $m1 = { 76 34 2e 30 2e 33 30 33 31 39 }
         $m2 = { 61 6d 64 36 34 }
         $m3 = { 2e 64 6c 6c }
         $m4 = { 64 65 6c 65 74 65 }
         $s1 = { 3c 4d 6f 64 75 6c 65 }
         $s2 = { 25 73 5c 25 73 }
         $s3 = { 25 73 5c 2a }
         $s4 = { 63 3a 3e }
     condition:
         uint16(0) == 0x5a4d and all of them
  }

ssdeep Matches

No matches found.

Relationships

Description

This file is a .NET DLL, which contains malicious unmanaged 64-bit Intel code. This file has the same functionality as the file “1665128935[.]8063045[.]dll” (833e9cf750…).

dedf082f523dfcb75dee0480a2d8a087e3231f89fa34fcd2b7f74866a7b6608f

Tags

trojan

Details

Antivirus

YARA Rules

• rule CISA_10413062_13 : wiper information_gathering
  {
     meta:
         Author = “CISA Code & Media Analysis”
         Incident = “10413062”
         Date = “2022-12-21”
         Last_Modified = “20230106_1400”
         Actor = “n/a”
         Family = “n/a”
         Capabilities = “information-gathering”
         Malware_Type = “wiper”
         Tool_Type = “n/a”
         Description = “Detects PE information gathering samples”
         SHA256_1 = “dedf082f523dfcb75dee0480a2d8a087e3231f89fa34fcd2b7f74866a7b6608f”
         SHA256_2 = “f5cafe99bccb9d813909876fa536cc980c45687d0f411c5f4b5346dcf6b304e4”
         SHA256_3 = “74544d31cbbf003bc33e7099811f62a37110556b6c1a644393fddd0bac753730”
         SHA256_4 = “833e9cf75079ce796ef60fc7039a0b098be4ce8d259ffa53fe2855df110b2e5d”
     strings:
         $a1 = { 46 69 6e 64 46 69 72 73 74 46 69 6c 65 45 78 57 }
         $a2 = { 46 69 6e 64 4e 65 78 74 46 69 6c 65 57 }
         $a3 = { 47 65 74 41 43 50 }
         $a4 = { 47 65 74 4f 45 4d 43 50 }
         $a5 = { 47 65 74 43 50 49 6e 66 6f }
         $a6 = { 47 65 74 43 6f 6d 6d 61 6e 64 4c 69 6e 65 41 }
         $a7 = { 47 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 74 72 69 6e 67 73 57 }
         $a8 = { 44 65 6c 65 74 65 46 69 6c 65 41 }
         $m1 = { 76 34 2e 30 2e 33 30 33 31 39 }
         $m2 = { 61 6d 64 36 34 }
         $m3 = { 2e 64 6c 6c }
         $m4 = { 64 65 6c 65 74 65 }
         $s1 = { 3c 4d 6f 64 75 6c 65 }
         $s2 = { 25 73 5c 25 73 }
         $s3 = { 25 73 5c 2a }
         $s4 = { 63 3a 3e }
     condition:
         uint16(0) == 0x5a4d and all of them
  }

ssdeep Matches

No matches found.

Relationships

Description

This file is a .NET DLL, which contains malicious unmanaged 64-bit Intel code. This file has the same functionality as the file “1665128935[.]8063045[.]dll” (833e9cf750…), except it does not have the capability for network communication. However, the IP address 137[.]184[.]130[.]164 is hard-coded within the sample like the other files.

Relationship Summary

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

• Maintain up-to-date antivirus signatures and engines.
• Keep operating system patches up-to-date.
• Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
• Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
• Enforce a strong password policy and implement regular password changes.
• Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
• Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
• Disable unnecessary services on agency workstations and servers.
• Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
• Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
• Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
• Scan all software downloaded from the Internet prior to executing.
• Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, “Guide to Malware Incident Prevention & Handling for Desktops and Laptops”.

Contact Information

• 1-888-282-0870
• CISA Service Desk (UNCLASS)
• CISA SIPR (SIPRNET)
• CISA IC (JWICS)

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

• Web: https://malware.us-cert.gov
• E-Mail: [email protected]
• FTP: ftp.malware.us-cert.gov (anonymous)

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA’s homepage at www.cisa.gov.

Please share your thoughts. We recently updated our anonymous Product Feedback Survey and we’d welcome your feedback.