General
- Target: e74314027ef437d3f93f9ad1f625f21ab5bef35aa46e0a70f655bebb3284346f
- Size: 2.4MB
- Sample: 240829-f4t5faxfpl
- MD5: 454043c715b083d392075508e9341add
- SHA1: b9f0541a05a17a82c9ed2ce522ee16b04bb93e3a
- SHA256: e74314027ef437d3f93f9ad1f625f21ab5bef35aa46e0a70f655bebb3284346f
- SHA512: e0cbe17605858a2b83ecf9f812e1837ecf1d4d7f09647445091b2a3260ac26141c57c1aa5bd99566861c110b6a50de370d4acfbb7c98b6bbd322507d6da442ce
- SSDEEP: 49152:slMlZ9f0lhxcWnFdfMzWbUepCaAuxNwMiHyAD8LGKPQ0FzdWsmT0x/H7v:sK0l3cWnZGluHJ4gLGKFu0R
Static task
- static1
Behavioral task
- behavioral1
- Sample: 6cd031908922840ee684d3c05294e7e071b500915b760c474f22c1def0df14bc.exe
- Resource: win7-20240729-en
Malware Config
Extracted: rhadamanthys
- https://154.216.19.149:2047/888260cc6af8f/07djb4gj.jifud
- https://154.216.19.149:2047/888260cc6af8f/pnmx326i.m7ats
Extracted: xworm
- 5.0
- TN3sSNYI1fDMFOs2
- install_file: USB.exe
- pastebin_url: https://pastebin.com/raw/jxfGm9Pc
Targets
- Target: 6cd031908922840ee684d3c05294e7e071b500915b760c474f22c1def0df14bc.exe
- Size: 2.5MB
- MD5: 61d31fb13c1dd46fcb03caf7f648508c
- SHA1: ecd46d1e09bdfa50c1587690e70262bc14ba751c
- SHA256: 6cd031908922840ee684d3c05294e7e071b500915b760c474f22c1def0df14bc
- SHA512: c0a20fd176c812f47902da3da6b1bbde8924218666752be985245a5bb804c943a9312550d110f3a95096042991ef8cec9b1931377e4a8d09781c406b9da31127
- SSDEEP: 49152:+pz3Y5ANfs2/w8JUgyUBx8pQIVf/OV9UdOV8ZUhJgnVlz2sTyNy:+pk5Am2/w8J9L8pQIVf/OMO277z9TWy
- Contains code to disable Windows Defender: A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first seen, etc.
- Detect Xworm Payload
- Rhadamanthys: Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext