rhadamanthys

General

Target

b241dfcd5988edb1286f4e45c0fbdbbd159d2f350b17deb9fce80b9236142be7
Size

2.2MB
Sample

240829-2mbgnaxakp
MD5

3618e31c4bbb164b9ba20250d25628a3
SHA1

0c9e23abf8a883b9b0792aa40d7edf2f8e9d37ca
SHA256

b241dfcd5988edb1286f4e45c0fbdbbd159d2f350b17deb9fce80b9236142be7
SHA512

10a393be4c527f8865159e73137ea9974654985b68e72089d3722d8d239fd88689234a77da47ea802c3978bbecb64527b4467e63005f5adc6a17dbfb07f7f27a
SSDEEP

49152:+pz3Pkl9C5YsSCtqMW5W3s9cMqh+QdncgdUgYT1Vlz2sTyNX:+pjklcSLMx3s9PqJJcKOz9TWX

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

TN3sSNYI1fDMFOs2

Attributes

install_file
USB.exe
pastebin_url
https://pastebin.com/raw/jxfGm9Pc

aes.plain

Extracted

Family

rhadamanthys

C2

https://154.216.19.149:2047/888260cc6af8f/pnmx326i.m7ats

Targets

- Target
  
  b241dfcd5988edb1286f4e45c0fbdbbd159d2f350b17deb9fce80b9236142be7
- Size
  
  2.2MB
- MD5
  
  3618e31c4bbb164b9ba20250d25628a3
- SHA1
  
  0c9e23abf8a883b9b0792aa40d7edf2f8e9d37ca
- SHA256
  
  b241dfcd5988edb1286f4e45c0fbdbbd159d2f350b17deb9fce80b9236142be7
- SHA512
  
  10a393be4c527f8865159e73137ea9974654985b68e72089d3722d8d239fd88689234a77da47ea802c3978bbecb64527b4467e63005f5adc6a17dbfb07f7f27a
- SSDEEP
  
  49152:+pz3Pkl9C5YsSCtqMW5W3s9cMqh+QdncgdUgYT1Vlz2sTyNX:+pjklcSLMx3s9PqJJcKOz9TWX
Score

10^/10

rhadamanthys xworm discovery rat stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect Xworm Payload
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Contains code to disable Windows Defender

Detect Xworm Payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Xworm

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2