General

  • Target

    PENDXGKW.exe

  • Size

    2.2MB

  • Sample

    240829-hvhfdsyekf

  • MD5

    3618e31c4bbb164b9ba20250d25628a3

  • SHA1

    0c9e23abf8a883b9b0792aa40d7edf2f8e9d37ca

  • SHA256

    b241dfcd5988edb1286f4e45c0fbdbbd159d2f350b17deb9fce80b9236142be7

  • SHA512

    10a393be4c527f8865159e73137ea9974654985b68e72089d3722d8d239fd88689234a77da47ea802c3978bbecb64527b4467e63005f5adc6a17dbfb07f7f27a

  • SSDEEP

    49152:+pz3Pkl9C5YsSCtqMW5W3s9cMqh+QdncgdUgYT1Vlz2sTyNX:+pjklcSLMx3s9PqJJcKOz9TWX

Malware Config

Extracted

  • Family

    xworm

  • Version

    5.0

  • Mutex

    TN3sSNYI1fDMFOs2

  • Attributes

    • install_file

      USB.exe

    • pastebin_url

      https://pastebin.com/raw/jxfGm9Pc

  • aes.plain

Extracted

  • Family

    rhadamanthys

  • C2

    https://154.216.19.149:2047/888260cc6af8f/pnmx326i.m7ats

Targets

    • Target

      PENDXGKW.exe

    • Size

      2.2MB

    • MD5

      3618e31c4bbb164b9ba20250d25628a3

    • SHA1

      0c9e23abf8a883b9b0792aa40d7edf2f8e9d37ca

    • SHA256

      b241dfcd5988edb1286f4e45c0fbdbbd159d2f350b17deb9fce80b9236142be7

    • SHA512

      10a393be4c527f8865159e73137ea9974654985b68e72089d3722d8d239fd88689234a77da47ea802c3978bbecb64527b4467e63005f5adc6a17dbfb07f7f27a

    • SSDEEP

      49152:+pz3Pkl9C5YsSCtqMW5W3s9cMqh+QdncgdUgYT1Vlz2sTyNX:+pjklcSLMx3s9PqJJcKOz9TWX

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first seen, etc.

    • Detect Xworm Payload

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++, first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks