General
-
Target
file.exe
-
Size
2.5MB
-
Sample
240830-cm66wstfkp
-
MD5
61d31fb13c1dd46fcb03caf7f648508c
-
SHA1
ecd46d1e09bdfa50c1587690e70262bc14ba751c
-
SHA256
6cd031908922840ee684d3c05294e7e071b500915b760c474f22c1def0df14bc
-
SHA512
c0a20fd176c812f47902da3da6b1bbde8924218666752be985245a5bb804c943a9312550d110f3a95096042991ef8cec9b1931377e4a8d09781c406b9da31127
-
SSDEEP
49152:+pz3Y5ANfs2/w8JUgyUBx8pQIVf/OV9UdOV8ZUhJgnVlz2sTyNy:+pk5Am2/w8J9L8pQIVf/OMO277z9TWy
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20240705-en
Malware Config
Extracted
rhadamanthys
https://154.216.19.149:2047/888260cc6af8f/07djb4gj.jifud
Extracted
xworm
5.0
TN3sSNYI1fDMFOs2
-
install_file
USB.exe
-
pastebin_url
https://pastebin.com/raw/jxfGm9Pc
Targets
-
-
Target
file.exe
-
Size
2.5MB
-
MD5
61d31fb13c1dd46fcb03caf7f648508c
-
SHA1
ecd46d1e09bdfa50c1587690e70262bc14ba751c
-
SHA256
6cd031908922840ee684d3c05294e7e071b500915b760c474f22c1def0df14bc
-
SHA512
c0a20fd176c812f47902da3da6b1bbde8924218666752be985245a5bb804c943a9312550d110f3a95096042991ef8cec9b1931377e4a8d09781c406b9da31127
-
SSDEEP
49152:+pz3Y5ANfs2/w8JUgyUBx8pQIVf/OV9UdOV8ZUhJgnVlz2sTyNy:+pk5Am2/w8J9L8pQIVf/OMO277z9TWy
-
Detect Xworm Payload
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-