General

  • Target

    XWorm.rar

  • Size

    3.8MB

  • Sample

    241103-dr2bwasqcv

  • MD5

    72ed99d6168329b94021eaf282af0552

  • SHA1

    0be0ad479efa7b5d3021b06ab5f6b71f858ba08f

  • SHA256

    463eb31b863993ffc7ebd1e67a593c0fc01bfcef367a988191926facfb93d93a

  • SHA512

    b11c5657389e8e6f5af5bdbef2b22daef62e26484117c9a30de184a63980e6108cd804e43db7494f24057eaeec32ced7ab5ebd6f7aedb6467a207a209a2bd2a7

  • SSDEEP

    98304:AdRaDzmLW/nQDItjvhd8cMOBmYS1svAJFFa6XmeuwSqUjGMtokcqh:AAearjJd8vNYNQFzEvBVtoFqh

Malware Config

Extracted

Family

rhadamanthys

C2

https://195.3.223.126:4287/9d0dc091285eb9fbf2e/o8f3c8oj.8rdif
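
The extracted configuration above gives one network indicator (an HTTPS C2 on the non-standard port 4287) and the Targets section below gives per-file hashes. The following is an added example written for this page, not tooling from the sandbox or from the Rhadamanthys analysis itself: it turns those indicators into an offline check that (a) tells whether a file on disk is one of the hashed samples and (b) grades proxy-style log lines against the C2 URL. The log lines and file contents it is run on are constructed for the demonstration; the SSDEEP values are left out because fuzzy-hash comparison needs the native ssdeep library and an exact string match on them is not meaningful.

```python
import hashlib
import re
from typing import Optional
from urllib.parse import urlsplit

# Indicators copied from the report on this page.
C2_URL = "https://195.3.223.126:4287/9d0dc091285eb9fbf2e/o8f3c8oj.8rdif"

# Cryptographic hashes from the report (SSDEEP omitted, see lead-in).
REPORT_HASHES = {
    "XWorm.rar": {
        "md5": "72ed99d6168329b94021eaf282af0552",
        "sha1": "0be0ad479efa7b5d3021b06ab5f6b71f858ba08f",
        "sha256": "463eb31b863993ffc7ebd1e67a593c0fc01bfcef367a988191926facfb93d93a",
    },
    "XWorm.exe": {
        "md5": "515a0c8be21a5ba836e5687fc2d73333",
        "sha1": "c52be9d0d37ac1b8d6bc09860e68e9e0615255ab",
        "sha256": "9950788284df125c7359aeb91435ed24d59359fac6a74ed73774ca31561cc7ae",
    },
}


def c2_indicators(url: str) -> dict:
    """Split the extracted C2 URL into the atoms a detection keys on."""
    parts = urlsplit(url)
    return {"scheme": parts.scheme, "host": parts.hostname,
            "port": parts.port, "path": parts.path}


def hash_bytes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of a buffer, lowercase hex as the report lists them."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_report_hashes(data: bytes, hashes: dict = REPORT_HASHES) -> list:
    """Return the report target names whose listed hashes all match this buffer."""
    actual = hash_bytes(data)
    return [name for name, expected in hashes.items()
            if all(actual[alg] == expected[alg].lower() for alg in expected)]


def match_c2_log_line(line: str, url: str = C2_URL) -> Optional[str]:
    """Grade one proxy/firewall log line against the C2 indicators.

    Returns the strongest tier that matched ("url" > "host_port" > "host")
    or None. Host alone is the weakest tier: an address can host other things.
    """
    ioc = c2_indicators(url)
    host = re.escape(ioc["host"])
    if ioc["path"] in line and ioc["host"] in line:
        return "url"
    if re.search(rf"\b{host}:{ioc['port']}\b", line):
        return "host_port"
    if re.search(rf"(?<![\d.]){host}(?![\d.])", line):
        return "host"
    return None


def scan_log(lines) -> list:
    """(line index, tier) for every line that matched an indicator."""
    hits = []
    for i, line in enumerate(lines):
        tier = match_c2_log_line(line)
        if tier:
            hits.append((i, tier))
    return hits


# Constructed log lines for the demonstration, not output from the sandbox run.
SAMPLE_LOG = [
    "2024-11-03T12:00:01Z CONNECT 195.3.223.126:4287 user=alice",
    "2024-11-03T12:00:02Z GET https://195.3.223.126:4287/9d0dc091285eb9fbf2e/o8f3c8oj.8rdif",
    "2024-11-03T12:00:03Z GET https://195.3.223.1/index.html",
    "2024-11-03T12:00:04Z GET https://example.com/",
    "2024-11-03T12:00:05Z CONNECT 195.3.223.126:443 user=bob",
]

if __name__ == "__main__":
    print(c2_indicators(C2_URL))
    print(scan_log(SAMPLE_LOG))
    print(match_report_hashes(b"constructed bytes, not the sample"))
```

On the constructed log the first line matches on host and port, the second on the full URL, and the last on host only; the third line is a different address that merely shares a prefix, which the boundary lookarounds keep from matching. Swap the constructed buffer for `open(path, "rb").read()` to check a file on disk against the report's hashes.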

Targets

    • Target

      ComponentFactory.Krypton.Toolkit.dll

    • Size

      2.8MB

    • MD5

      129884de0e136521fd650c59b2633e82

    • SHA1

      43fea10a62670568c00a2910c3ee6fc1ceaa1bdc

    • SHA256

      8c69f5df110bc1a61bdc3d8754ebfd3f49d9d995b9dd129accaf88371ce71e30

    • SHA512

      fbd40a8dd172449de46cecc08cdc2078409e5d893426364630c974903499c617f8cca2f4fd52cf030a835a376e140daf113a6d385027a9e2ede289ba32c8da43

    • SSDEEP

      24576:9aA+gKf9mE6kWF2IaltkdgZUfoOJtMl6X1ZTJxf9VqY7djlb1IqdGsUfSYqsyb:UIaltkdgqHJtMl6XD7h7Nh1ImYqsy

    Score
    1/10

    • Target

      D3DX9_43.dll

    • Size

      2.3MB

    • MD5

      7160fc226391c0b50c85571fa1a546e5

    • SHA1

      2bf450850a522a09e8d1ce0f1e443d86d934f4ad

    • SHA256

      84b900dbd7fa978d6e0caee26fc54f2f61d92c9c75d10b35f00e3e82cd1d67b4

    • SHA512

      dfab0eaab8c40fb80369e150cd36ff2224f3a6baf713044f47182961cd501fe4222007f9a93753ac757f64513c707c68a5cf4ae914e23fecaa4656a68df8349b

    • SSDEEP

      49152:dbCJsk4VlPXA+15Om5wxw9Qsi55K+31BhZ64nW:YIIBnW

    Score
    1/10

    • Target

      Krypton.Toolkit.dll

    • Size

      4.3MB

    • MD5

      068b4f05eb35479a419bc55da643781e

    • SHA1

      1d0fe6bb23bbd63dc6d4248f7c17afcf4bc16dea

    • SHA256

      477ebd61ce116c6908a1cd1e50bc93869f6f7b9c3e0e5757551e6dd2a01b4648

    • SHA512

      f9022c7d91364519f5b773fd641741637f89a4f4f8eb1406d1c594e0a286724cea7494fb047e810bbed0579b6870db49a6828b1c79808e4554d762f326a87dcc

    • SSDEEP

      49152:tmB08naO5IDdOBQNJxtk7ryrDdkny3y+sUFdRcRkMb2J:Mu8naO5oj9k7rODdlmHOMbO

    Score
    1/10

    • Target

      Mono.Cecil.dll

    • Size

      277KB

    • MD5

      8df4d6b5dc1629fcefcdc20210a88eac

    • SHA1

      16c661757ad90eb84228aa3487db11a2eac6fe64

    • SHA256

      3e4288b32006fe8499b43a7f605bb7337931847a0aa79a33217a1d6d1a6c397e

    • SHA512

      874b4987865588efb806a283b0e785fd24e8b1562026edd43050e150bce6c883134f3c8ad0f8c107b0fb1b26fce6ddcc7e344a5f55c3788dac35035b13d15174

    • SSDEEP

      6144:iYOMWAEq+PAEwGQ9Xivs0s4EtS1Fv8jnLKdFvkPo2:AG+PpjQSHv8jA

    Score
    1/10

    • Target

      Mono.Nat.dll

    • Size

      40KB

    • MD5

      bf929442b12d4b5f9906b29834bf7db1

    • SHA1

      810a2b3c8e548d1df931538bc304cc1405f7a32b

    • SHA256

      b33435ac7cdefcf7c2adf96738c762a95414eb7a4967ef6b88dcda14d58bfee0

    • SHA512

      9fcfaf48bfe5455a466e666bafa59a7348a736368daa892333cefa0cac22bcef3255f9cee24a70ed96011b73abea8e5d3dbf24876cffa81e0b532df41dd81828

    • SSDEEP

      768:yoVesKx0V2LpibQJxoKUDHj560aSX3zlJAO:lVespQibC+H56k3fF

    Score
    1/10

    • Target

      Vestris.ResourceLib.dll

    • Size

      76KB

    • MD5

      64e9cb25aeefeeba3bb579fb1a5559bc

    • SHA1

      e719f80fcbd952609475f3d4a42aa578b2034624

    • SHA256

      34cab594ce9c9af8e12a6923fc16468f5b87e168777db4be2f04db883c1db993

    • SHA512

      b21cd93f010b345b09b771d24b2e5eeed3b73a82fc16badafea7f0324e39477b0d7033623923313d2de5513cb778428ae10161ae7fc0d6b00e446f8d89cf0f8c

    • SSDEEP

      1536:5Z0R489PUoltCY19T7Uf5DYoRvtkA2MNmjYgGKeK9jXGYWs:L0R489PUeCy7Uf5pVCMwjVG/K9jp

    Score
    1/10

    • Target

      XWorm.exe

    • Size

      456KB

    • MD5

      515a0c8be21a5ba836e5687fc2d73333

    • SHA1

      c52be9d0d37ac1b8d6bc09860e68e9e0615255ab

    • SHA256

      9950788284df125c7359aeb91435ed24d59359fac6a74ed73774ca31561cc7ae

    • SHA512

      4e2bd7ce844bba25aff12e2607c4281b59f7579b9407139ef6136ef09282c7afac1c702adebc42f8bd7703fac047fd8b5add34df334bfc04d3518ea483225522

    • SSDEEP

      6144:2uWP/BtSnurUylcrGYlnIttxv8HbcLgsd1Gus5psdrvV44dixP+MHDkBYdxtG9+V:2uWP/BZUyoLu8Agsmxwrvejkd2

    • Detect rhadamanthys stealer shellcode

    • Rhadamanthys

      Rhadamanthys is an information stealer written in C++, first seen in August 2022.

    • Rhadamanthys family

MITRE ATT&CK Enterprise v15

Tasks