General

  • Target: e74314027ef437d3f93f9ad1f625f21ab5bef35aa46e0a70f655bebb3284346f
  • Size: 2.4MB
  • Sample: 240829-f4t5faxfpl
  • MD5: 454043c715b083d392075508e9341add
  • SHA1: b9f0541a05a17a82c9ed2ce522ee16b04bb93e3a
  • SHA256: e74314027ef437d3f93f9ad1f625f21ab5bef35aa46e0a70f655bebb3284346f
  • SHA512: e0cbe17605858a2b83ecf9f812e1837ecf1d4d7f09647445091b2a3260ac26141c57c1aa5bd99566861c110b6a50de370d4acfbb7c98b6bbd322507d6da442ce
  • SSDEEP: 49152:slMlZ9f0lhxcWnFdfMzWbUepCaAuxNwMiHyAD8LGKPQ0FzdWsmT0x/H7v:sK0l3cWnZGluHJ4gLGKFu0R

Malware Config

Extracted

  • Family: rhadamanthys
  • C2:
    https://154.216.19.149:2047/888260cc6af8f/07djb4gj.jifud
    https://154.216.19.149:2047/888260cc6af8f/pnmx326i.m7ats

Extracted

  • Family: xworm
  • Version: 5.0
  • Mutex: TN3sSNYI1fDMFOs2
  • Attributes
    • install_file: USB.exe
    • pastebin_url: https://pastebin.com/raw/jxfGm9Pc
  • aes.plain

Targets

    • Target: 6cd031908922840ee684d3c05294e7e071b500915b760c474f22c1def0df14bc.exe
    • Size: 2.5MB
    • MD5: 61d31fb13c1dd46fcb03caf7f648508c
    • SHA1: ecd46d1e09bdfa50c1587690e70262bc14ba751c
    • SHA256: 6cd031908922840ee684d3c05294e7e071b500915b760c474f22c1def0df14bc
    • SHA512: c0a20fd176c812f47902da3da6b1bbde8924218666752be985245a5bb804c943a9312550d110f3a95096042991ef8cec9b1931377e4a8d09781c406b9da31127
    • SSDEEP: 49152:+pz3Y5ANfs2/w8JUgyUBx8pQIVf/OV9UdOV8ZUhJgnVlz2sTyNy:+pk5Am2/w8J9L8pQIVf/OMO277z9TWy

    • Contains code to disable Windows Defender
      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
    • Detect Xworm Payload
    • Rhadamanthys
      Rhadamanthys is an info stealer written in C++, first seen in August 2022.
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Xworm
      Xworm is a remote access trojan written in C#.
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • Legitimate hosting services abused for malware hosting/C2
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks