SYMBOLCOMMON_NAMEaka. SYNONYMS
win.xagent (Back to overview)

X-Agent

aka: splm, chopstick

Actor(s): APT28

VTCollection    

There is no description at this point.

References
2020-07-29Kaspersky LabsGReAT
APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-02-13QianxinQi Anxin Threat Intelligence Center
APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020-01-01SecureworksSecureWorks
IRON TWILIGHT
X-Agent X-Agent X-Agent Computrace HideDRV Sedreco Seduploader X-Agent XTunnel Zebrocy Zebrocy (AutoIT)
2018-10-04NCSC UKNCSC UK
Indicators of Compromise for Malware used by APT28
X-Agent
2018-10-04SymantecCritical Attack Discovery and Intelligence Team
APT28: New Espionage Operations Target Military and Government Organizations
LoJax Seduploader X-Agent XTunnel Zebrocy APT28
2017-12-21ESET ResearchESET Research
Sednit update: How Fancy Bear Spent the Year
Seduploader X-Agent
2017-02-20Contagio DumpMila Parkour
Part I. Russian APT - APT28 collection of samples including OSX XAgent
X-Agent Komplex Coreshell Downdelph HideDRV SEADADDY Sedreco Seduploader X-Agent XTunnel
2017-01-10FireEyeFireEye iSIGHT Intelligence
APT28: At The Center Of The Storm
Coreshell OLDBAIT Sedreco Seduploader X-Agent
2016-10-20ESET ResearchESET Research
En Route with Sednit Part 2: Observing the Comings and Goings
X-Agent Sedreco X-Agent XTunnel
2016-06-15CrowdStrikeDmitri Alperovitch
Bears in the Midst: Intrusion into the Democratic National Committee
X-Agent ATI-Agent SEADADDY Seduploader X-Agent XTunnel APT28
2015-12-04Kaspersky LabsGReAT
Sofacy APT hits high profile targets with updated toolset
Coreshell Sedreco Seduploader X-Agent APT28
2014-09-05GoogleBilly Leonard, Neel Mehta, Shane Huntiey
Peering Into the Aquarium: Analysis of a Sophisticated Multi-Stage Malware Family
X-Agent
2014-01-01FireEyeFireEye
APT28
Coreshell Sedreco X-Agent
Yara Rules
[TLP:WHITE] win_xagent_auto (20230808 | Detects win.xagent.)
rule win_xagent_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.xagent."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xagent"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c1ea02 6bd20d b801000000 2bc2 }
            // n = 4, score = 3100
            //   c1ea02               | shr                 edx, 2
            //   6bd20d               | imul                edx, edx, 0xd
            //   b801000000           | mov                 eax, 1
            //   2bc2                 | sub                 eax, edx

        $sequence_1 = { ff15???????? 8bd8 e8???????? 03d8 }
            // n = 4, score = 3100
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax
            //   e8????????           |                     
            //   03d8                 | add                 ebx, eax

        $sequence_2 = { 5b 8be5 5d c20400 8d4de4 e8???????? b8???????? }
            // n = 7, score = 2600
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4
            //   8d4de4               | lea                 ecx, [ebp - 0x1c]
            //   e8????????           |                     
            //   b8????????           |                     

        $sequence_3 = { 8b4604 85c0 7407 8b4d08 8b11 }
            // n = 5, score = 2600
            //   8b4604               | mov                 eax, dword ptr [esi + 4]
            //   85c0                 | test                eax, eax
            //   7407                 | je                  9
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b11                 | mov                 edx, dword ptr [ecx]

        $sequence_4 = { 2bc7 8b5204 8b0482 8b0488 8b4e10 }
            // n = 5, score = 2600
            //   2bc7                 | sub                 eax, edi
            //   8b5204               | mov                 edx, dword ptr [edx + 4]
            //   8b0482               | mov                 eax, dword ptr [edx + eax*4]
            //   8b0488               | mov                 eax, dword ptr [eax + ecx*4]
            //   8b4e10               | mov                 ecx, dword ptr [esi + 0x10]

        $sequence_5 = { 85c9 7423 8b7e08 ff460c 03ff }
            // n = 5, score = 2600
            //   85c9                 | test                ecx, ecx
            //   7423                 | je                  0x25
            //   8b7e08               | mov                 edi, dword ptr [esi + 8]
            //   ff460c               | inc                 dword ptr [esi + 0xc]
            //   03ff                 | add                 edi, edi

        $sequence_6 = { 33d2 eb02 8b11 8b4808 8bc1 57 }
            // n = 6, score = 2600
            //   33d2                 | xor                 edx, edx
            //   eb02                 | jmp                 4
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   8b4808               | mov                 ecx, dword ptr [eax + 8]
            //   8bc1                 | mov                 eax, ecx
            //   57                   | push                edi

        $sequence_7 = { 3b7e0c 7707 c7460c00000000 49 }
            // n = 4, score = 2600
            //   3b7e0c               | cmp                 edi, dword ptr [esi + 0xc]
            //   7707                 | ja                  9
            //   c7460c00000000       | mov                 dword ptr [esi + 0xc], 0
            //   49                   | dec                 ecx

        $sequence_8 = { 894e10 7507 c7460c00000000 5f }
            // n = 4, score = 2600
            //   894e10               | mov                 dword ptr [esi + 0x10], ecx
            //   7507                 | jne                 9
            //   c7460c00000000       | mov                 dword ptr [esi + 0xc], 0
            //   5f                   | pop                 edi

        $sequence_9 = { 55 8bec 33c0 83ec0c 39412c }
            // n = 5, score = 2600
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   33c0                 | xor                 eax, eax
            //   83ec0c               | sub                 esp, 0xc
            //   39412c               | cmp                 dword ptr [ecx + 0x2c], eax

        $sequence_10 = { 384b02 0f92c3 488d4c2430 e8???????? 90 }
            // n = 5, score = 1500
            //   384b02               | xor                 al, al
            //   0f92c3               | cmp                 al, 1
            //   488d4c2430           | jne                 6
            //   e8????????           |                     
            //   90                   | mov                 al, 1

        $sequence_11 = { e8???????? 90 0fb705???????? 6689442420 }
            // n = 4, score = 1500
            //   e8????????           |                     
            //   90                   | mov                 dword ptr [edi], edx
            //   0fb705????????       |                     
            //   6689442420           | je                  0xe

        $sequence_12 = { e8???????? 488b4328 4c8bcf 4c8bc6 }
            // n = 4, score = 1500
            //   e8????????           |                     
            //   488b4328             | dec                 eax
            //   4c8bcf               | mov                 eax, dword ptr [edi]
            //   4c8bc6               | dec                 esp

        $sequence_13 = { 84c0 740c 488b07 488b0b }
            // n = 4, score = 1500
            //   84c0                 | dec                 eax
            //   740c                 | mov                 eax, dword ptr [ebx + 0x28]
            //   488b07               | dec                 esp
            //   488b0b               | mov                 ecx, edi

        $sequence_14 = { 8bd8 e8???????? 8d0c18 e8???????? }
            // n = 4, score = 1500
            //   8bd8                 | mov                 dword ptr [edi], ecx
            //   e8????????           |                     
            //   8d0c18               | test                al, al
            //   e8????????           |                     

        $sequence_15 = { 48896c2410 4889742418 57 4883ec30 4883792800 }
            // n = 5, score = 1500
            //   48896c2410           | jmp                 6
            //   4889742418           | xor                 al, al
            //   57                   | cmp                 al, 1
            //   4883ec30             | mov                 eax, 0xa57eb503
            //   4883792800           | mul                 esi

        $sequence_16 = { e8???????? 498bce 4e8d0437 482bcf }
            // n = 4, score = 1500
            //   e8????????           |                     
            //   498bce               | mov                 eax, dword ptr [edi]
            //   4e8d0437             | dec                 eax
            //   482bcf               | mov                 ecx, dword ptr [ebx]

        $sequence_17 = { 740c 488b07 4c8b13 488903 }
            // n = 4, score = 1500
            //   740c                 | je                  0xe
            //   488b07               | dec                 eax
            //   4c8b13               | mov                 eax, dword ptr [edi]
            //   488903               | dec                 esp

        $sequence_18 = { b803b57ea5 f7e6 c1ea06 6bd263 }
            // n = 4, score = 500
            //   b803b57ea5           | mov                 al, 1
            //   f7e6                 | jmp                 6
            //   c1ea06               | xor                 al, al
            //   6bd263               | cmp                 al, 1

        $sequence_19 = { ff15???????? baf4010000 488bcb ff15???????? 85c0 }
            // n = 5, score = 400
            //   ff15????????         |                     
            //   baf4010000           | mov                 al, 1
            //   488bcb               | jmp                 4
            //   ff15????????         |                     
            //   85c0                 | xor                 al, al

        $sequence_20 = { c1ea07 69d295000000 2bca 8bd1 }
            // n = 4, score = 400
            //   c1ea07               | cmp                 al, 1
            //   69d295000000         | jne                 6
            //   2bca                 | mov                 al, 1
            //   8bd1                 | jmp                 6

        $sequence_21 = { 75f8 482bc3 4d8bc6 498bd7 }
            // n = 4, score = 200
            //   75f8                 | dec                 eax
            //   482bc3               | sub                 eax, ebx
            //   4d8bc6               | dec                 ecx
            //   498bd7               | mov                 edx, edi

        $sequence_22 = { 75f8 482bc3 4c8bc6 488bd7 }
            // n = 4, score = 200
            //   75f8                 | lea                 ecx, [eax + ebx]
            //   482bc3               | dec                 eax
            //   4c8bc6               | mov                 edx, edi
            //   488bd7               | dec                 eax

        $sequence_23 = { 75f8 482bc3 498bd7 488d0c18 }
            // n = 4, score = 200
            //   75f8                 | xor                 al, al
            //   482bc3               | cmp                 al, 1
            //   498bd7               | mov                 al, 1
            //   488d0c18             | jmp                 4

        $sequence_24 = { 75f8 482bc5 4533e4 488bbc2480000000 }
            // n = 4, score = 200
            //   75f8                 | sub                 eax, ebx
            //   482bc5               | dec                 ecx
            //   4533e4               | mov                 edx, edi
            //   488bbc2480000000     | dec                 eax

        $sequence_25 = { 75f8 482bc3 498bd6 488d0c18 e8???????? 488bd7 4885ff }
            // n = 7, score = 200
            //   75f8                 | jmp                 4
            //   482bc3               | xor                 al, al
            //   498bd6               | cmp                 al, 1
            //   488d0c18             | jne                 6
            //   e8????????           |                     
            //   488bd7               | mov                 al, 1
            //   4885ff               | jmp                 6

    condition:
        7 of them and filesize < 729088
}
[TLP:WHITE] win_xagent_w0   (20170517 | Sofacy Group Malware Sample 3)
rule win_xagent_w0 {
    meta:
        description = "Sofacy Group Malware Sample 3"
        author = "Florian Roth"
        reference = "http://dokumente.linksfraktion.de/inhalt/report-orig.pdf"
        date = "2015-06-19"
        hash = "5f6b2a0d1d966fc4f1ed292b46240767f4acb06c13512b0061b434ae2a692fa1"
		source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/sofacy_xtunnel_bundestag.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xagent"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s1 = "shell\\open\\command=\"System Volume Information\\USBGuard.exe\" install" fullword ascii 
        $s2 = ".?AVAgentModuleRemoteKeyLogger@@" fullword ascii 
        $s3 = "<font size=4 color=red>process isn't exist</font>" fullword ascii 
        $s4 = "<font size=4 color=red>process is exist</font>" fullword ascii 
        $s5 = ".winnt.check-fix.com" fullword ascii 
        $s6 = ".update.adobeincorp.com" fullword ascii 
        $s7 = ".microsoft.checkwinframe.com" fullword ascii
        $s8 = "adobeincorp.com" fullword wide 
        $s9 = "# EXC: HttpSender - Cannot create Get Channel!" fullword ascii 

        $x1 = "User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/" wide 
        $x2 = "User-Agent: Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2" wide 
        $x3 = "C:\\Windows\\System32\\cmd.exe" fullword wide 
    condition:
        uint16(0) == 0x5a4d and filesize < 300KB and (
            2 of ($s*) or 
            ( 1 of ($s*) and all of ($x*) )
        ) 
}
Download all Yara Rules