Analysis

  • max time kernel
    149s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/03/2025, 05:41

General

  • Target

    Exodus.exe

  • Size

    8.1MB

  • MD5

    59d942cbc8b50860ec417338dbefd059

  • SHA1

    246ee7c696df1ecb6f6f060e47ab5db784002a29

  • SHA256

    19d23e202165d3cddf2f85b0e9e435564939a39d29c0234add29fd50f4161671

  • SHA512

    1347aee2f355c35cbd2f8369024abd16342c5907b78c813ba89050daa0c5cc173b5c00822a6fa8679f09cd327fb32d4596f6a6104a6c3e1fa2d60ed590298faa

  • SSDEEP

    196608:JLPt5MgmB240p+ZhjHdPqulrSC5lIihg0xRNRA0HwSCT+Ome:JTK0DYznp7BP8IfNON

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

  • Asyncrat family
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 4 IoCs
  • Stormkitty family
  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Async RAT payload 1 IoCs
  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 15 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 8 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Exodus.exe
    "C:\Users\Admin\AppData\Local\Temp\Exodus.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2708
    • C:\Users\Admin\AppData\Local\Temp\._cache_Exodus.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Exodus.exe"
      2⤵
      • Executes dropped EXE
      PID:2684
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2184
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2620
        • C:\Users\Admin\AppData\Local\Temp\Exodus.exe
          "C:\Users\Admin\AppData\Local\Temp\Exodus.exe"
          4⤵
          • Executes dropped EXE
          PID:1980
        • C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe
          "C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2044
          • C:\Users\Admin\AppData\Local\Temp\Dll-protected.exe
            "C:\Users\Admin\AppData\Local\Temp\Dll-protected.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:376
            • C:\Users\Admin\AppData\Local\Temp\._cache_Dll-protected.exe
              "C:\Users\Admin\AppData\Local\Temp\._cache_Dll-protected.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:1004
              • C:\Users\Admin\AppData\Local\Temp\Built.exe
                "C:\Users\Admin\AppData\Local\Temp\Built.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of WriteProcessMemory
                PID:676
                • C:\Users\Admin\AppData\Local\Temp\Built.exe
                  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
                  8⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  PID:940
          • C:\Users\Admin\AppData\Local\Temp\Svch-protected.exe
            "C:\Users\Admin\AppData\Local\Temp\Svch-protected.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1512
            • C:\Users\Admin\AppData\Local\Temp\Server.exe
              "C:\Users\Admin\AppData\Local\Temp\Server.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1672
              • C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe
                "C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe"
                7⤵
                • Executes dropped EXE
                • Drops desktop.ini file(s)
                • System Location Discovery: System Language Discovery
                • Checks processor information in registry
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1860
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • System Network Configuration Discovery: Wi-Fi Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:2320
                  • C:\Windows\SysWOW64\chcp.com
                    chcp 65001
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1660
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh wlan show profile
                    9⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    • System Network Configuration Discovery: Wi-Fi Discovery
                    PID:2468
                  • C:\Windows\SysWOW64\findstr.exe
                    findstr All
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2844
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:2608
                  • C:\Windows\SysWOW64\chcp.com
                    chcp 65001
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2868
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh wlan show networks mode=bssid
                    9⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:2988
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1492

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe

    Filesize

    8.1MB

    MD5

    59d942cbc8b50860ec417338dbefd059

    SHA1

    246ee7c696df1ecb6f6f060e47ab5db784002a29

    SHA256

    19d23e202165d3cddf2f85b0e9e435564939a39d29c0234add29fd50f4161671

    SHA512

    1347aee2f355c35cbd2f8369024abd16342c5907b78c813ba89050daa0c5cc173b5c00822a6fa8679f09cd327fb32d4596f6a6104a6c3e1fa2d60ed590298faa

  • C:\Users\Admin\AppData\Local\Temp\1xAgO66m.xlsm

    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

  • C:\Users\Admin\AppData\Local\Temp\Dll-protected.exe

    Filesize

    6.7MB

    MD5

    c6f21aae2f45d9d89869392a640943e4

    SHA1

    8d5709838660159233d4d126e7b59608cb90c3a7

    SHA256

    f6f2dd59d66d219d592da7acb8a8e5b7f1d9a8aea52dbf6965f94a3f0afd1ad9

    SHA512

    d916002b1b11ad69d707102800c8ff237beafe2103c608afd5155cdd9bca02e137ea6c665ddfa351e51aea3b8a14572d1c37fd640feb2505c32850f70380d1e5

  • C:\Users\Admin\AppData\Local\Temp\Server.exe

    Filesize

    928KB

    MD5

    20a67f98defc188c0015b511e749e546

    SHA1

    b7650940e5705991f03d3ff4a785569eb1908ce0

    SHA256

    5df321a00776fa2fb8b215278ef76c2aed6b9e2fedf2ea7508c80c2e869a3fbb

    SHA512

    66d944c4202f60f8318d54d3e81f9da8eb1c7e0fbcb425f78582ee4f987b8b45c340c3061a77822d8b36dd65c464567f1d3ec61e7d9b23f38872bb2c335d0dc6

  • C:\Users\Admin\AppData\Local\Temp\Svch-protected.exe

    Filesize

    520KB

    MD5

    db1182f0ffcf788b8221fe986a21e042

    SHA1

    b7652ca21d7605b0a0bfbeb037bf68c3cc3ba2c8

    SHA256

    f6839da3485b5822fc53b09f7526af57d5710eca8b3f1b5bf698b674518d996e

    SHA512

    d91ed3b64438b82af4798317ab5428be749577acdb1b12dcc27012df69ad5e33df67c9d89e074a2574dae4b17ccaf579c627d08533abd785815ad94bc6cc491d

  • C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe

    Filesize

    6.8MB

    MD5

    d65c3bc9d278d07c0d0d54cb0c792117

    SHA1

    eb6526b6a8cbd8d350b5d1ec45332e8cd5e4ad14

    SHA256

    51cb79663b3cd3a54cfaa9b8a1a27788d4cc23e6a9c5a81f9de33c8c429c35a4

    SHA512

    8cbbc7d59fb1dfbe6f8a0f7c6defb0f3f55853ae9ebfa0f7973b26403cee208a8228fd97d1aed575f35c099fb1294b3ff30aa400b42c9069549198785eab32f2

  • C:\Users\Admin\AppData\Local\Temp\_MEI6762\python310.dll

    Filesize

    1.4MB

    MD5

    4a6afa2200b1918c413d511c5a3c041c

    SHA1

    39ca3c2b669adac07d4a5eb1b3b79256cfe0c3b3

    SHA256

    bec187f608507b57cf0475971ba646b8ab42288af8fdcf78bce25f1d8c84b1da

    SHA512

    dbffb06ffff0542200344ea9863a44a6f1e1b783379e53df18580e697e8204d3911e091deb32a9c94b5599cdd54301b705b74e1f51104151cf13b89d57280a20

  • C:\Users\Admin\AppData\Local\bfb35758038878f50f1ac0fd9b9ebccc\Admin@ZQABOPWE_en-US\Browsers\Firefox\Bookmarks.txt

    Filesize

    105B

    MD5

    2e9d094dda5cdc3ce6519f75943a4ff4

    SHA1

    5d989b4ac8b699781681fe75ed9ef98191a5096c

    SHA256

    c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

    SHA512

    d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

  • C:\Users\Admin\AppData\Local\fa18f64c0a5bd68d32cf0020ffdc310d\msgid.dat

    Filesize

    1B

    MD5

    cfcd208495d565ef66e7dff9f98764da

    SHA1

    b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

    SHA256

    5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

    SHA512

    31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

  • \Users\Admin\AppData\Local\Temp\._cache_Dll-protected.exe

    Filesize

    5.9MB

    MD5

    d33c3743ec4d1333ef0d114202354cc6

    SHA1

    cd5aca8acd1a396da8080ee31925b3d9698fb508

    SHA256

    dac24e0549fdadb26c47e1e4138bed79fcc8865e257f0ae149a3422db4a9f2ce

    SHA512

    04f7c3a15379669444f1e3636e8a4e092cf428e67de10b1766468b241f8fa5fb24cd1bbd129ec5eab1449eb2304eff96e355291a9685fe5d437529acf5c0d215

  • \Users\Admin\AppData\Local\Temp\._cache_Exodus.exe

    Filesize

    7.3MB

    MD5

    6b6facceec5839fb2892574f3d712dff

    SHA1

    18d0970ba1e1b56dfdd397184a2fce71591bf67e

    SHA256

    ce614d2a55ae0d259510273cdc62ef4e0f29bcc3046850065196a7dc577ccbd5

    SHA512

    aec08fcb6be796f908512de2fa053e96e5988a976eece73bfae502f8308aee3b91645d8746e7094aedaaf6d2077f6c3eb9f3245b02ed5279767e425fe239845d

  • \Users\Admin\AppData\Local\Temp\._cache_Server.exe

    Filesize

    175KB

    MD5

    8d934cc01dcc17160d25acd2282210a9

    SHA1

    f97a7b02edab514526495af6f8246abf68a4dd62

    SHA256

    db62f46202f39d7ef4599dadf8cf8255bd164bbbe69176208586e94899e71fd8

    SHA512

    c234579629623344e3b47c9804b73759d9de3691c0049b9da7da2fc3d0728e8d8f6a06ea4d5cc3afe44a1230d29f4a948a77787707a25e825bddfacb330cb4e4

  • \Users\Admin\AppData\Local\Temp\Built.exe

    Filesize

    6.0MB

    MD5

    b15a700a538a3b109a84d1dc650911e8

    SHA1

    45df3fa8b1d4ad49b5cd6e47a094c1c90419feef

    SHA256

    5e6b2a8aa7112b7d588c95e0e3e217e770cdbbc7f52573b58c074739db37b3ff

    SHA512

    f1c612fefd601f13ecbe0810cfba5131e935df1fe54bfd456d945f45ac76c0393a0693322d06dda36a45b60a186ab8ca5533befb41d55e716bbcd30b7a6460fe

  • \Users\Admin\AppData\Local\Temp\Exodus.exe

    Filesize

    507KB

    MD5

    470ccdab5d7da8aafc11490e4c71e612

    SHA1

    bc540c0ba7dcb0405a7b6c775f0a1b585d51c4b3

    SHA256

    849c0420722c1dabb927ff0ab70375bc1197ba73a7f04885460b609392bd319c

    SHA512

    6b3a09b785c02a57f6330cd6610f8a78b1f6a1689c14a190a9af4ad4ab4666f8a77d75c4c85a3af04693effdc970440ce8d62a4132f66471aaa250f9d90f2f7b

  • memory/376-94-0x0000000000400000-0x0000000000AB5000-memory.dmp

    Filesize

    6.7MB

  • memory/940-146-0x000007FEF2440000-0x000007FEF28A6000-memory.dmp

    Filesize

    4.4MB

  • memory/1004-95-0x0000000000FB0000-0x00000000015AC000-memory.dmp

    Filesize

    6.0MB

  • memory/1492-37-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/1512-83-0x0000000000FF0000-0x000000000107C000-memory.dmp

    Filesize

    560KB

  • memory/1672-112-0x0000000000400000-0x00000000004EE000-memory.dmp

    Filesize

    952KB

  • memory/1860-114-0x0000000000F50000-0x0000000000F82000-memory.dmp

    Filesize

    200KB

  • memory/2044-70-0x00000000010A0000-0x000000000177A000-memory.dmp

    Filesize

    6.9MB

  • memory/2184-147-0x0000000000400000-0x0000000000C1B000-memory.dmp

    Filesize

    8.1MB

  • memory/2184-287-0x0000000000400000-0x0000000000C1B000-memory.dmp

    Filesize

    8.1MB

  • memory/2620-36-0x0000000000D80000-0x00000000014E2000-memory.dmp

    Filesize

    7.4MB

  • memory/2684-31-0x0000000000CF0000-0x0000000001452000-memory.dmp

    Filesize

    7.4MB

  • memory/2708-25-0x0000000000400000-0x0000000000C1B000-memory.dmp

    Filesize

    8.1MB

  • memory/2708-0-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB