Resubmissions

  • 30-08-2024 02:19 (240830-cr7yzssdrf) 10
  • 29-08-2024 22:37 (240829-2jyg1swgrk) 10

General

  • Target: 6cd031908922840ee684d3c05294e7e071b500915b760c474f22c1def0df14bc
  • Size: 2.5MB
  • Sample: 240829-2jyg1swgrk
  • MD5: 61d31fb13c1dd46fcb03caf7f648508c
  • SHA1: ecd46d1e09bdfa50c1587690e70262bc14ba751c
  • SHA256: 6cd031908922840ee684d3c05294e7e071b500915b760c474f22c1def0df14bc
  • SHA512: c0a20fd176c812f47902da3da6b1bbde8924218666752be985245a5bb804c943a9312550d110f3a95096042991ef8cec9b1931377e4a8d09781c406b9da31127
  • SSDEEP: 49152:+pz3Y5ANfs2/w8JUgyUBx8pQIVf/OV9UdOV8ZUhJgnVlz2sTyNy:+pk5Am2/w8J9L8pQIVf/OMO277z9TWy

Malware Config

Extracted

  • Family: rhadamanthys
  • C2:
      https://154.216.19.149:2047/888260cc6af8f/07djb4gj.jifud
      https://154.216.19.149:2047/888260cc6af8f/pnmx326i.m7ats

Extracted

  • Family: xworm
  • Version: 5.0
  • Mutex: TN3sSNYI1fDMFOs2
  • Attributes
      • install_file: USB.exe
      • pastebin_url: https://pastebin.com/raw/jxfGm9Pc
  • aes.plain

Targets

    • Target: 6cd031908922840ee684d3c05294e7e071b500915b760c474f22c1def0df14bc
    • Contains code to disable Windows Defender
      A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first seen, etc.

    • Detect Xworm Payload

    • Rhadamanthys
      Rhadamanthys is an info stealer written in C++, first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm
      Xworm is a remote access trojan written in C#.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext
