rhadamanthys | 463eb31b863993ffc7ebd1e67a593c0fc01bfcef367a988191926facfb93d93a

General

Target

XWorm.rar
Size

3.8MB
MD5

72ed99d6168329b94021eaf282af0552
SHA1

0be0ad479efa7b5d3021b06ab5f6b71f858ba08f
SHA256

463eb31b863993ffc7ebd1e67a593c0fc01bfcef367a988191926facfb93d93a
SHA512

b11c5657389e8e6f5af5bdbef2b22daef62e26484117c9a30de184a63980e6108cd804e43db7494f24057eaeec32ced7ab5ebd6f7aedb6467a207a209a2bd2a7
SSDEEP

98304:AdRaDzmLW/nQDItjvhd8cMOBmYS1svAJFFa6XmeuwSqUjGMtokcqh:AAearjJd8vNYNQFzEvBVtoFqh

Score

10^/10

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 10 IoCs

resource	yara_rule
behavioral1/memory/5856-32-0x0000000002470000-0x0000000002870000-memory.dmp	family_rhadamanthys
behavioral1/memory/5856-33-0x0000000002470000-0x0000000002870000-memory.dmp	family_rhadamanthys
behavioral1/memory/5856-34-0x0000000002470000-0x0000000002870000-memory.dmp	family_rhadamanthys
behavioral1/memory/5856-35-0x0000000002470000-0x0000000002870000-memory.dmp	family_rhadamanthys
behavioral1/memory/5708-47-0x0000000002350000-0x0000000002750000-memory.dmp	family_rhadamanthys
behavioral1/memory/4296-54-0x0000000002320000-0x0000000002720000-memory.dmp	family_rhadamanthys
behavioral1/memory/5036-60-0x0000000002370000-0x0000000002770000-memory.dmp	family_rhadamanthys
behavioral1/memory/3512-63-0x0000000002560000-0x0000000002960000-memory.dmp	family_rhadamanthys
behavioral1/memory/3660-66-0x00000000022E0000-0x00000000026E0000-memory.dmp	family_rhadamanthys
behavioral1/memory/5940-70-0x00000000023C0000-0x00000000027C0000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Executes dropped EXE 7 IoCs

pid	Process
5856	XWorm.exe
5708	XWorm.exe
4296	XWorm.exe
5036	XWorm.exe
3512	XWorm.exe
3660	XWorm.exe
5940	XWorm.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	XWorm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	XWorm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	XWorm.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	XWorm.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	XWorm.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
5856	XWorm.exe
5856	XWorm.exe
4804	7zFM.exe
4804	7zFM.exe
5708	XWorm.exe
5708	XWorm.exe
4804	7zFM.exe
4804	7zFM.exe
4296	XWorm.exe
4296	XWorm.exe
5036	XWorm.exe
5036	XWorm.exe
3512	XWorm.exe
3512	XWorm.exe
3660	XWorm.exe
3660	XWorm.exe
5940	XWorm.exe
5940	XWorm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4804	7zFM.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	4804	7zFM.exe
Token: 35	4804	7zFM.exe
Token: SeSecurityPrivilege	4804	7zFM.exe
Token: SeSecurityPrivilege	4804	7zFM.exe
Token: SeShutdownPrivilege	5856	XWorm.exe
Token: SeCreatePagefilePrivilege	5856	XWorm.exe
Token: SeSecurityPrivilege	4804	7zFM.exe
Token: SeSecurityPrivilege	4804	7zFM.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4804	7zFM.exe
4804	7zFM.exe
4804	7zFM.exe
4804	7zFM.exe
4804	7zFM.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 5856	4804	7zFM.exe	81
PID 4804 wrote to memory of 5856	4804	7zFM.exe	81
PID 4804 wrote to memory of 5856	4804	7zFM.exe	81
PID 4804 wrote to memory of 5708	4804	7zFM.exe	85
PID 4804 wrote to memory of 5708	4804	7zFM.exe	85
PID 4804 wrote to memory of 5708	4804	7zFM.exe	85

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Users\Admin\AppData\Local\Temp\7zO4C247C38\XWorm.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4C247C38\XWorm.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5856
- C:\Users\Admin\AppData\Local\Temp\7zO4C2EA968\XWorm.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4C2EA968\XWorm.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5708

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3700

C:\Users\Admin\Desktop\XWorm.exe
"C:\Users\Admin\Desktop\XWorm.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4296

C:\Users\Admin\Desktop\XWorm.exe
"C:\Users\Admin\Desktop\XWorm.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5036

C:\Users\Admin\Desktop\XWorm.exe
"C:\Users\Admin\Desktop\XWorm.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3512

C:\Users\Admin\Desktop\XWorm.exe
"C:\Users\Admin\Desktop\XWorm.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3660

C:\Users\Admin\Desktop\XWorm.exe
"C:\Users\Admin\Desktop\XWorm.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO4C247C38\XWorm.exe

Filesize
456KB

MD5
515a0c8be21a5ba836e5687fc2d73333

SHA1
c52be9d0d37ac1b8d6bc09860e68e9e0615255ab

SHA256
9950788284df125c7359aeb91435ed24d59359fac6a74ed73774ca31561cc7ae

SHA512
4e2bd7ce844bba25aff12e2607c4281b59f7579b9407139ef6136ef09282c7afac1c702adebc42f8bd7703fac047fd8b5add34df334bfc04d3518ea483225522

Download Submit
memory/3512-63-0x0000000002560000-0x0000000002960000-memory.dmp

Filesize
4.0MB

Download
memory/3660-66-0x00000000022E0000-0x00000000026E0000-memory.dmp

Filesize
4.0MB

Download
memory/4296-54-0x0000000002320000-0x0000000002720000-memory.dmp

Filesize
4.0MB

Download
memory/5036-60-0x0000000002370000-0x0000000002770000-memory.dmp

Filesize
4.0MB

Download
memory/5708-47-0x0000000002350000-0x0000000002750000-memory.dmp

Filesize
4.0MB

Download
memory/5856-31-0x0000000002400000-0x0000000002407000-memory.dmp

Filesize
28KB

Download
memory/5856-32-0x0000000002470000-0x0000000002870000-memory.dmp

Filesize
4.0MB

Download
memory/5856-33-0x0000000002470000-0x0000000002870000-memory.dmp

Filesize
4.0MB

Download
memory/5856-34-0x0000000002470000-0x0000000002870000-memory.dmp

Filesize
4.0MB

Download
memory/5856-35-0x0000000002470000-0x0000000002870000-memory.dmp

Filesize
4.0MB

Download
memory/5940-70-0x00000000023C0000-0x00000000027C0000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing