rhadamanthys | 9925507f83ab80df2cd03ad5ffd66571adc3eaf60c6bf136240e58ff29e13893 | Triage

Sharing

General

Target

TrustThis.bat
Size

399KB
Sample

241208-t6rnzstpdp
MD5

85b6801e12b0ee43cf2560af4de44ce5
SHA1

243e69b236417be977c73eadfbdfd55325e125b7
SHA256

9925507f83ab80df2cd03ad5ffd66571adc3eaf60c6bf136240e58ff29e13893
SHA512

4d792f91e03b70833b51054053a61fabcb11bfb22eb8d47cb19a5268c9633dd50443557b41a56b8ad18def99ab0b1b8e00a3533fec0e89ff668bd4c3ea28b944
SSDEEP

6144:pKLt2bMn672f3rrEQW7064pE67o8kYJ9b+OLDG7hg+2Xr2mpB3bcJ4VLuAFsdrTi:pKCMqW3ZW7nPY3b+G4gI0jVLmVi

Score

10^/10

rhadamanthys xworm execution persistence rat stealer trojan

Malware Config

Extracted

Family

xworm

C2

paris-itself.gl.at.ply.gg:49485

Attributes

Install_directory
%Public%
install_file
USB.exe

Targets

- Target
  
  TrustThis.bat
- Size
  
  399KB
- MD5
  
  85b6801e12b0ee43cf2560af4de44ce5
- SHA1
  
  243e69b236417be977c73eadfbdfd55325e125b7
- SHA256
  
  9925507f83ab80df2cd03ad5ffd66571adc3eaf60c6bf136240e58ff29e13893
- SHA512
  
  4d792f91e03b70833b51054053a61fabcb11bfb22eb8d47cb19a5268c9633dd50443557b41a56b8ad18def99ab0b1b8e00a3533fec0e89ff668bd4c3ea28b944
- SSDEEP
  
  6144:pKLt2bMn672f3rrEQW7064pE67o8kYJ9b+OLDG7hg+2Xr2mpB3bcJ4VLuAFsdrTi:pKCMqW3ZW7nPY3b+G4gI0jVLmVi
Score

10^/10

execution rhadamanthys xworm persistence rat stealer trojan
- Detect Xworm Payload
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Rhadamanthys family
  rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

rhadamanthysxwormexecutionpersistenceratstealertrojan