Overview

overview

10

Static

static

3

XWorm.exe

windows7-x64

10

XWorm.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    XWorm.exe

  • Size

    456KB

  • Sample

    240420-zx85kaae3w

  • MD5

    515a0c8be21a5ba836e5687fc2d73333

  • SHA1

    c52be9d0d37ac1b8d6bc09860e68e9e0615255ab

  • SHA256

    9950788284df125c7359aeb91435ed24d59359fac6a74ed73774ca31561cc7ae

  • SHA512

    4e2bd7ce844bba25aff12e2607c4281b59f7579b9407139ef6136ef09282c7afac1c702adebc42f8bd7703fac047fd8b5add34df334bfc04d3518ea483225522

  • SSDEEP

    6144:2uWP/BtSnurUylcrGYlnIttxv8HbcLgsd1Gus5psdrvV44dixP+MHDkBYdxtG9+V:2uWP/BZUyoLu8Agsmxwrvejkd2

Score
10/10
rhadamanthysevasionstealer

Malware Config

Targets

    • Target

      XWorm.exe

    • Size

      456KB

    • MD5

      515a0c8be21a5ba836e5687fc2d73333

    • SHA1

      c52be9d0d37ac1b8d6bc09860e68e9e0615255ab

    • SHA256

      9950788284df125c7359aeb91435ed24d59359fac6a74ed73774ca31561cc7ae

    • SHA512

      4e2bd7ce844bba25aff12e2607c4281b59f7579b9407139ef6136ef09282c7afac1c702adebc42f8bd7703fac047fd8b5add34df334bfc04d3518ea483225522

    • SSDEEP

      6144:2uWP/BtSnurUylcrGYlnIttxv8HbcLgsd1Gus5psdrvV44dixP+MHDkBYdxtG9+V:2uWP/BZUyoLu8Agsmxwrvejkd2

    Score
    10/10
    rhadamanthysevasionstealer

    • Detect rhadamanthys stealer shellcode

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • Enumerates VirtualBox registry keys

      evasion

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Legitimate hosting services abused for malware hosting/C2

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

4
T1497

Credential Access

Discovery

Query Registry

8
T1012

Virtualization/Sandbox Evasion

4
T1497

System Information Discovery

5
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Tasks