win.xagent

X-Agent

aka: splm, chopstick

Actor(s): Sofacy


There is no description at this point.

References
2020-07-29 — Kaspersky Labs — GReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-02-13 — Qianxin — Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020 — Secureworks — SecureWorks
@online{secureworks:2020:iron:48c68a0, author = {SecureWorks}, title = {{IRON TWILIGHT}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-twilight}, language = {English}, urldate = {2020-05-23} } IRON TWILIGHT
X-Agent X-Agent X-Agent Computrace HideDRV Sedreco Seduploader X-Agent XTunnel Zebrocy Zebrocy (AutoIT)
2018-10-04 — Symantec — Critical Attack Discovery and Intelligence Team
@online{team:20181004:apt28:97a1356, author = {Critical Attack Discovery and Intelligence Team}, title = {{APT28: New Espionage Operations Target Military and Government Organizations}}, date = {2018-10-04}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government}, language = {English}, urldate = {2020-04-21} } APT28: New Espionage Operations Target Military and Government Organizations
LoJax Seduploader X-Agent XTunnel Zebrocy Sofacy
2018-10-04 — NCSC UK — NCSC UK
@techreport{uk:20181004:indicators:af0d14a, author = {NCSC UK}, title = {{Indicators of Compromise for Malware used by APT28}}, date = {2018-10-04}, institution = {NCSC UK}, url = {https://www.thecssc.com/wp-content/uploads/2018/10/4OctoberIOC-APT28-malware-advisory.pdf}, language = {English}, urldate = {2019-11-29} } Indicators of Compromise for Malware used by APT28
X-Agent
2017-12-21 — ESET Research — ESET Research
@online{research:20171221:sednit:630ff7c, author = {ESET Research}, title = {{Sednit update: How Fancy Bear Spent the Year}}, date = {2017-12-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/}, language = {English}, urldate = {2019-11-14} } Sednit update: How Fancy Bear Spent the Year
Seduploader X-Agent
2017-02-20 — Contagio Dump — Mila Parkour
@online{parkour:20170220:part:c54b5de, author = {Mila Parkour}, title = {{Part I. Russian APT - APT28 collection of samples including OSX XAgent}}, date = {2017-02-20}, organization = {Contagio Dump}, url = {https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html}, language = {English}, urldate = {2019-11-26} } Part I. Russian APT - APT28 collection of samples including OSX XAgent
X-Agent Komplex Coreshell Downdelph HideDRV SEADADDY Sedreco Seduploader X-Agent XTunnel
2016-10-20 — ESET Research — ESET Research
@techreport{research:20161020:en:e2e6603, author = {ESET Research}, title = {{En Route with Sednit Part 2: Observing the Comings and Goings}}, date = {2016-10-20}, institution = {ESET Research}, url = {http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf}, language = {English}, urldate = {2019-10-25} } En Route with Sednit Part 2: Observing the Comings and Goings
X-Agent Sedreco X-Agent XTunnel
2016-06-15 — CrowdStrike — Dmitri Alperovitch
@online{alperovitch:20160615:bears:604c1d9, author = {Dmitri Alperovitch}, title = {{Bears in the Midst: Intrusion into the Democratic National Committee}}, date = {2016-06-15}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/}, language = {English}, urldate = {2019-12-20} } Bears in the Midst: Intrusion into the Democratic National Committee
X-Agent ATI-Agent Downrage SEADADDY X-Agent XTunnel Sofacy
2015-12-04 — Kaspersky Labs — GReAT
@online{great:20151204:sofacy:b437b35, author = {GReAT}, title = {{Sofacy APT hits high profile targets with updated toolset}}, date = {2015-12-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/}, language = {English}, urldate = {2020-08-30} } Sofacy APT hits high profile targets with updated toolset
Coreshell Sedreco Seduploader X-Agent Sofacy
2014-09-05 — Google — Neel Mehta, Billy Leonard, Shane Huntley
@techreport{mehta:20140905:peering:8ce5720, author = {Neel Mehta and Billy Leonard and Shane Huntley}, title = {{Peering Into the Aquarium: Analysis of a Sophisticated Multi-Stage Malware Family}}, date = {2014-09-05}, institution = {Google}, url = {https://assets.documentcloud.org/documents/3461560/Google-Aquarium-Clean.pdf}, language = {English}, urldate = {2020-07-30} } Peering Into the Aquarium: Analysis of a Sophisticated Multi-Stage Malware Family
X-Agent
2014 — FireEye — FireEye
@techreport{fireeye:2014:operation:2160679, author = {FireEye}, title = {{Operation Quantum Entanglement}}, date = {2014}, institution = {FireEye}, url = {http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf}, language = {English}, urldate = {2020-01-12} } Operation Quantum Entanglement
X-Agent
2014 — FireEye — FireEye
@techreport{fireeye:2014:apt28:27799d1, author = {FireEye}, title = {{APT28}}, date = {2014}, institution = {FireEye}, url = {http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf}, language = {English}, urldate = {2020-01-08} } APT28
Coreshell Sedreco X-Agent
Yara Rules
[TLP:WHITE] win_xagent_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_xagent_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xagent"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review)
     * Only the hex byte patterns are matched by YARA. The "| mnemonic"
     * annotations next to the bytes are generated text and do not consistently
     * correspond to the bytes they sit beside: in $sequence_3 the bytes 74 07
     * are a short conditional jump (je), not "mov esp, eax", and the
     * annotations of $sequence_12 repeat those of $sequence_0 although the bytes
     * differ (48 83 79 28 00 is cmp qword ptr [rcx+0x28], 0). Treat every
     * annotation as unverified and read the bytes instead.
     * $sequence_0 .. $sequence_11 are 32-bit code; $sequence_12 onwards start
     * with 0x48/0x49/0x4c REX prefixes, i.e. 64-bit code, so the rule appears to
     * have been built from both 32-bit and 64-bit samples.
     * "n" is the number of instructions in a sequence; "score" is the
     * yara-signator ranking of that sequence (higher = selected earlier), not a
     * YARA construct.
     */

    strings:
        // Each $sequence_N is a short run of instruction bytes; ???? masks an
        // address/displacement that varies between samples (call/jmp targets,
        // absolute operands).
        $sequence_0 = { 7504 b001 eb02 32c0 3c01 }
            // n = 5, score = 3300
            //   7504                 | jne                 6
            //   b001                 | mov                 al, 1
            //   eb02                 | jmp                 4
            //   32c0                 | xor                 al, al
            //   3c01                 | cmp                 al, 1

        $sequence_1 = { c1ea02 6bd20d b801000000 2bc2 }
            // n = 4, score = 3100
            //   c1ea02               | shr                 edx, 2
            //   6bd20d               | imul                edx, edx, 0xd
            //   b801000000           | mov                 eax, 1
            //   2bc2                 | sub                 eax, edx

        $sequence_2 = { ff15???????? 8bd8 e8???????? 03d8 }
            // n = 4, score = 3100
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax
            //   e8????????           |                     
            //   03d8                 | add                 ebx, eax

        $sequence_3 = { 7407 8b4d08 8b11 8910 83460404 }
            // n = 5, score = 2600
            //   7407                 | mov                 esp, eax
            //   8b4d08               | jmp                 8
            //   8b11                 | dec                 esp
            //   8910                 | mov                 esp, ebx
            //   83460404             | mov                 edx, 0x1f4

        $sequence_4 = { 03ff 03ff 3b7e0c 7707 c7460c00000000 }
            // n = 5, score = 2600
            //   03ff                 | mov                 ecx, ebx
            //   03ff                 | test                eax, eax
            //   3b7e0c               | mov                 edx, 0x1f4
            //   7707                 | dec                 eax
            //   c7460c00000000       | mov                 ecx, ebx

        $sequence_5 = { 85c9 7423 8b7e08 ff460c 03ff 03ff }
            // n = 6, score = 2600
            //   85c9                 | dec                 esp
            //   7423                 | mov                 dword ptr [esp + 0x98], edi
            //   8b7e08               | jne                 0x24f
            //   ff460c               | inc                 esi
            //   03ff                 | dec                 eax
            //   03ff                 | add                 ebx, 8

        $sequence_6 = { e8???????? b8???????? c3 83c8ff 8b4df4 64890d00000000 59 }
            // n = 7, score = 2600
            //   e8????????           |                     
            //   b8????????           |                     
            //   c3                   | dec                 eax
            //   83c8ff               | mov                 ecx, eax
            //   8b4df4               | dec                 esp
            //   64890d00000000       | mov                 esp, eax
            //   59                   | jmp                 0xd

        $sequence_7 = { eb02 8b11 8b4808 8bc1 57 8b7a08 c1e802 }
            // n = 7, score = 2600
            //   eb02                 | je                  0xf
            //   8b11                 | dec                 eax
            //   8b4808               | mov                 ecx, eax
            //   8bc1                 | dec                 esp
            //   57                   | mov                 esp, eax
            //   8b7a08               | jmp                 0xb
            //   c1e802               | dec                 esp

        $sequence_8 = { 894e10 7507 c7460c00000000 5f }
            // n = 4, score = 2600
            //   894e10               | mov                 esp, ebx
            //   7507                 | dec                 eax
            //   c7460c00000000       | test                eax, eax
            //   5f                   | je                  0xf

        $sequence_9 = { 2bc7 8b5204 8b0482 8b0488 8b4e10 85c9 }
            // n = 6, score = 2600
            //   2bc7                 | shr                 edx, 7
            //   8b5204               | imul                edx, edx, 0x95
            //   8b0482               | sub                 ecx, edx
            //   8b0488               | mov                 edx, ecx
            //   8b4e10               | mov                 edx, 0x1f4
            //   85c9                 | dec                 eax

        $sequence_10 = { 8b00 6a00 50 68???????? 6a00 6a00 ff15???????? }
            // n = 7, score = 2600
            //   8b00                 | dec                 esp
            //   6a00                 | mov                 esp, eax
            //   50                   | jmp                 5
            //   68????????           |                     
            //   6a00                 | dec                 esp
            //   6a00                 | mov                 esp, ebx
            //   ff15????????         |                     

        $sequence_11 = { 740e 83ff0b 7409 83ff0d }
            // n = 4, score = 2200
            //   740e                 | je                  0x10
            //   83ff0b               | cmp                 edi, 0xb
            //   7409                 | je                  0xb
            //   83ff0d               | cmp                 edi, 0xd

        // From here on the byte patterns carry REX prefixes (64-bit code).
        $sequence_12 = { 4883792800 498bf9 498bf0 488bea 488bd9 }
            // n = 5, score = 1500
            //   4883792800           | jne                 6
            //   498bf9               | mov                 al, 1
            //   498bf0               | jmp                 4
            //   488bea               | xor                 al, al
            //   488bd9               | cmp                 al, 1

        $sequence_13 = { 48896c2410 4889742418 57 4883ec30 4883792800 }
            // n = 5, score = 1500
            //   48896c2410           | mov                 ecx, dword ptr [ebx]
            //   4889742418           | dec                 eax
            //   57                   | mov                 dword ptr [ebx], eax
            //   4883ec30             | dec                 eax
            //   4883792800           | mov                 dword ptr [edi], ecx

        $sequence_14 = { 740c 488b07 488b0b 488903 }
            // n = 4, score = 1500
            //   740c                 | mov                 dword ptr [edi], edx
            //   488b07               | dec                 eax
            //   488b0b               | mov                 edx, dword ptr [ebx]
            //   488903               | dec                 eax

        $sequence_15 = { 488903 48890f 488b5c2430 488b6c2438 488b742440 }
            // n = 5, score = 1500
            //   488903               | dec                 eax
            //   48890f               | mov                 dword ptr [ebx], eax
            //   488b5c2430           | dec                 eax
            //   488b6c2438           | mov                 dword ptr [edi], ecx
            //   488b742440           | dec                 eax

        $sequence_16 = { 488b07 4c8b13 488903 4c8917 488b13 }
            // n = 5, score = 1500
            //   488b07               | mov                 eax, dword ptr [edi]
            //   4c8b13               | dec                 eax
            //   488903               | mov                 ecx, dword ptr [ebx]
            //   4c8917               | dec                 eax
            //   488b13               | mov                 dword ptr [ebx], eax

        $sequence_17 = { 84c0 740c 488b07 4c8b13 }
            // n = 4, score = 1500
            //   84c0                 | mov                 ecx, dword ptr [esi]
            //   740c                 | dec                 eax
            //   488b07               | mov                 dword ptr [esi], eax
            //   4c8b13               | dec                 eax

        $sequence_18 = { e8???????? 4c8be0 eb03 4c8be3 }
            // n = 4, score = 1000
            //   e8????????           |                     
            //   4c8be0               | dec                 eax
            //   eb03                 | mov                 ecx, dword ptr [ebx]
            //   4c8be3               | dec                 eax

        $sequence_19 = { ff15???????? baf4010000 488bcb ff15???????? }
            // n = 4, score = 600
            //   ff15????????         |                     
            //   baf4010000           | mov                 dword ptr [ebx], eax
            //   488bcb               | dec                 eax
            //   ff15????????         |                     

        $sequence_20 = { b803b57ea5 f7e6 c1ea06 6bd263 }
            // n = 4, score = 500
            //   b803b57ea5           | mov                 dword ptr [edi], ecx
            //   f7e6                 | dec                 eax
            //   c1ea06               | mov                 ebx, dword ptr [esp + 0x30]
            //   6bd263               | dec                 eax

        $sequence_21 = { c1ea07 69d295000000 2bca 8bd1 }
            // n = 4, score = 400
            //   c1ea07               | mov                 dword ptr [esp + 0x10], ebp
            //   69d295000000         | dec                 eax
            //   2bca                 | mov                 dword ptr [esp + 0x18], esi
            //   8bd1                 | push                edi

        $sequence_22 = { 33d2 488bc8 ff15???????? 488b5c2440 }
            // n = 4, score = 400
            //   33d2                 | dec                 eax
            //   488bc8               | mov                 dword ptr [esp + 0x10], ebp
            //   ff15????????         |                     
            //   488b5c2440           | dec                 eax

        $sequence_23 = { 4885db 7504 8bdd eb14 }
            // n = 4, score = 200
            //   4885db               | mov                 dword ptr [esp + 0x18], esi
            //   7504                 | push                edi
            //   8bdd                 | dec                 eax
            //   eb14                 | sub                 esp, 0x30

        $sequence_24 = { 0f8549020000 ffc6 4883c308 3b37 7cbe }
            // n = 5, score = 200
            //   0f8549020000         | dec                 eax
            //   ffc6                 | mov                 ecx, dword ptr [esi]
            //   4883c308             | dec                 eax
            //   3b37                 | mov                 dword ptr [esi], eax
            //   7cbe                 | dec                 eax

        $sequence_25 = { 3b2b 7cbb 488b1d???????? 4c8d3d3c640100 4c89bc2498000000 }
            // n = 5, score = 200
            //   3b2b                 | dec                 eax
            //   7cbb                 | cmp                 dword ptr [ecx + 0x28], 0
            //   488b1d????????       |                     
            //   4c8d3d3c640100       | dec                 ecx
            //   4c89bc2498000000     | mov                 edi, ecx

    condition:
        // Any 7 of the 26 sequences, in a file smaller than 729088 bytes. The
        // size bound comes from the generator's sample set; a repacked or
        // padded variant above it will not match even if the code is present.
        7 of them and filesize < 729088
}
[TLP:WHITE] win_xagent_w0   (20170517 | Sofacy Group Malware Sample 3)
rule win_xagent_w0 {
    // X-Agent / Sofacy sample 3 (see 'reference' and 'hash' below).
    // Fires on an MZ-headed file under 300 KB that carries either two of the
    // sample-specific strings ($str_*), or one of them plus all three of the
    // weaker context strings ($ctx_*). The $ctx_* strings are too generic to
    // match on their own, which is why the condition never uses them alone.
    meta:
        description = "Sofacy Group Malware Sample 3"
        author = "Florian Roth"
        reference = "http://dokumente.linksfraktion.de/inhalt/report-orig.pdf"
        date = "2015-06-19"
        hash = "5f6b2a0d1d966fc4f1ed292b46240767f4acb06c13512b0061b434ae2a692fa1"
        source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/sofacy_xtunnel_bundestag.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xagent"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Sample-specific strings (formerly $s1..$s9): each one is distinctive
        // enough that two of them suffice for a match.
        $str_1 = "shell\\open\\command=\"System Volume Information\\USBGuard.exe\" install" ascii fullword      // autorun-style command line
        $str_2 = ".?AVAgentModuleRemoteKeyLogger@@" ascii fullword                                                   // MSVC RTTI type-descriptor name
        $str_3 = "<font size=4 color=red>process isn't exist</font>" ascii fullword
        $str_4 = "<font size=4 color=red>process is exist</font>" ascii fullword
        $str_5 = ".winnt.check-fix.com" ascii fullword
        $str_6 = ".update.adobeincorp.com" ascii fullword
        $str_7 = ".microsoft.checkwinframe.com" ascii fullword
        $str_8 = "adobeincorp.com" wide fullword
        $str_9 = "# EXC: HttpSender - Cannot create Get Channel!" ascii fullword

        // Context strings (formerly $x1..$x3): a User-Agent prefix in two
        // spellings (no 'fullword' because the version suffix follows), and a
        // cmd.exe path that many benign binaries contain too.
        $ctx_1 = "User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/" wide
        $ctx_2 = "User-Agent: Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2" wide
        $ctx_3 = "C:\\Windows\\System32\\cmd.exe" wide fullword

    condition:
        uint16(0) == 0x5A4D             // "MZ" header
        and filesize < 300KB
        and (
            2 of ($str_*)
            or (1 of ($str_*) and all of ($ctx_*))
        )
}