Analysis
-
max time kernel
140s -
max time network
143s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
05-01-2025 16:12
General
-
Target
XWorm-Remote-Access-Tool
-
Size
281KB
-
MD5
65144d8fc0b5a0fde2ee124726fad169
-
SHA1
aa7aac2d1b5a9be008ca9adf74e457780e170f89
-
SHA256
2adc0d57769484c1d72d873cc4e9b20fedf5e552ff9f36ee572253a1ef864318
-
SHA512
6be657e20bd9fc572bb1abba83b0e7d85d13ecbd58aeefb6e3ef90a6e321698d7448a3b40f12784424c3d37a1fdf138d5212c129efd3691f441d4280cb49b476
-
SSDEEP
6144:c4NPJpOL/saqkPV9Fe2LtcIDSsmwM9XvZJT3CqbMrhryf65NRPaCieMjAkvCJv1N:VNPJpOL/saqkPV9Fe2LtcIDSsmwM9Xv6
Malware Config
Signatures
-
Detect rhadamanthys stealer shellcode 4 IoCs
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Rhadamanthys family
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 5 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of FindShellTrayWindow 31 IoCs
-
Suspicious use of SendNotifyMessage 10 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\XWorm-Remote-Access-Tool1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1880 -prefMapHandle 1872 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a04f3f20-b0af-4de8-8a1f-8d4e7a83a8ca} 4836 "\\.\pipe\gecko-crash-server-pipe.4836" gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2340 -prefMapHandle 2336 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6e19dbe-0ed1-4524-875d-a25661d50af6} 4836 "\\.\pipe\gecko-crash-server-pipe.4836" socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2764 -childID 1 -isForBrowser -prefsHandle 2828 -prefMapHandle 2924 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1372 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71784e89-ed06-4e8c-a7ef-9c3410116931} 4836 "\\.\pipe\gecko-crash-server-pipe.4836" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3744 -childID 2 -isForBrowser -prefsHandle 3752 -prefMapHandle 3740 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1372 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e52b4571-2649-414e-8d22-2f373a74dfb5} 4836 "\\.\pipe\gecko-crash-server-pipe.4836" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4660 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4716 -prefMapHandle 4664 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7e81859-ce7d-4013-aa34-6ea51e02bf73} 4836 "\\.\pipe\gecko-crash-server-pipe.4836" utility3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5272 -childID 3 -isForBrowser -prefsHandle 5264 -prefMapHandle 5164 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1372 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be286a3d-2426-47ea-9bc9-90483b44e0dc} 4836 "\\.\pipe\gecko-crash-server-pipe.4836" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5492 -childID 4 -isForBrowser -prefsHandle 5412 -prefMapHandle 5416 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1372 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4734c2f1-b8c6-4731-8cd5-879dc0d751cc} 4836 "\\.\pipe\gecko-crash-server-pipe.4836" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5608 -childID 5 -isForBrowser -prefsHandle 5688 -prefMapHandle 5684 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1372 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3057695-562d-4686-bab0-d1afe8f6a619} 4836 "\\.\pipe\gecko-crash-server-pipe.4836" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6112 -childID 6 -isForBrowser -prefsHandle 6104 -prefMapHandle 6040 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1372 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23d42e58-84a2-40c6-b758-a4ffa53bc6c6} 4836 "\\.\pipe\gecko-crash-server-pipe.4836" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5328 -childID 7 -isForBrowser -prefsHandle 5356 -prefMapHandle 5340 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1372 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {62fb723a-4769-4cff-a03e-b36e9070ecfa} 4836 "\\.\pipe\gecko-crash-server-pipe.4836" tab3⤵
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\XWorm-Remote-Access-Tool-main\XWorm-Remote-Access-Tool-main\XWorm.exe"C:\Users\Admin\Downloads\XWorm-Remote-Access-Tool-main\XWorm-Remote-Access-Tool-main\XWorm.exe"1⤵
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.131⤵
- Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
21KB
MD5df04a40c68b2286856fe785db5dcbd98
SHA1c0c7755c9bd852c1eb59f5bbf93c66dba21d029d
SHA256fa2eb1060aa30ed088ec899820f54e584d0d1931297d378482bb3bb86b1bbd3b
SHA5128b8e828de2d7916bda0405829f6b60a7ea6939abe45ede99f97baee4cb9beb0763c048e1075b229164374c22fbda38a1e90e3fc7b70582b8ed06ed47daaf6699
-
Filesize
61KB
MD57d9fde44ed0a7f11b91c148832bb2a28
SHA16337beb2c467b2629402220822b76bd7201e6966
SHA256f934bcd84cbea25a85329e20279d75be7185882d31b17c89e18a1546690ed9a1
SHA5126fc3640195203eb48576c9dca9ddbf806ba85bffb15f8c605cbc37c1e8c52a0123c7c18af148b5ced9af308b883656cfa483cfc6332cc4a371a595bd0d22a9cd
-
Filesize
15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
555KB
MD55683c0028832cae4ef93ca39c8ac5029
SHA1248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
7KB
MD53ea6bb6acf3e44f3e424115e40456b4e
SHA131f0bbc2e356bb5dcf84c2376d35441c6cd29f0b
SHA2569c21c9adaea6245b14ea4eb95a91f0db97351e2033e7f8947640b346c98993a8
SHA51202bc94551eb480cef59bfd1c48f7a24c997cc7f4b179db7dd204cd2cb3b5c626af3526ead8135310e43dd8756005dad0a8c069de5fc9c2df2616ec2938f9863e
-
Filesize
12KB
MD584d783f19ecbe138e938e45773d529fc
SHA15bfbf58006250c81049689d43b4efec985d02a3a
SHA25622c36043c184c36fd79673e89699a60dbf1c156592f181b33b2866fe62e8cdb3
SHA5126ebcf6dca37e3910ea3711df18467b62c1f1db13800cf9d536cad5b15ebdc39f9623045eba9ea5c21fdc859931dcd3a07eadd775dbb472a158fa85359487e4ed
-
Filesize
5KB
MD5c33eb4e1b0250d6858a37c1f2201ce7b
SHA1720f536c19c07b33ca98d43897f5938be3bf05ca
SHA2561503a093ae407ed23988324f27c3de824c54b16d4a7713f84314e7f119c6e077
SHA512852b90597dd240a105437b1fdae570bcd8a4b5cca7b24aa687a4f79e91934ba40c7d327ea89f6d7dd627281d6f1251ee4d6082972394a53ab3b3d78f1c859192
-
Filesize
5KB
MD5e84e7ac06d43df33d23d805f66866443
SHA17175ce5d652916b96496867c5b0a8d92790093a8
SHA256f5f1e6107b672aa612dc9960bcb81d0932fbea5143494bd4a21fd48ecfa0043a
SHA512ee7896f5a8abfb72a0a96360192714d9793020408d9a526e9b3c52f08b3f274f768388dd349f7bfc16e13d4f3960a580490aa4d44478fdf2fb27565c07b60ee3
-
Filesize
982B
MD56955d717d4ca86d6dafda6e80037890f
SHA1699eacd6cbc6eb548fd1ef37953de8f03e8fb294
SHA25696fd41d5d19062f5db022e4f18e74d52395ee6ac4832b22652cbc8d089a4e0c1
SHA512ebfc20ee8a796068e69cd22ffb93d4b80ba6195b5153756a5366c655874570057d62de7324c28737990e581412708deb2d2fee39f050ae0ce67ff859086d6697
-
Filesize
25KB
MD5620a58feece73f1fbde907a5281b4807
SHA12e656fb8e1f8ff0c8be9ddf4b1bedd90a1951182
SHA25636a85c4d2ec36eb2dba67acc308881e5e78e34cbef5cb60062d53c914e002a74
SHA5128ff5087aee243f51031df0e6f110ee40f1b52254fecb071d14060fdb8f6f38fc09a377869b2128c76a4defdd4c7d917cc04a95c54e5f6f381ef320ba056404c5
-
Filesize
671B
MD5b3809e14783bdbe1983feafbee0add09
SHA1de178a8ecc6405b12241e30031d94b8bdcb4bf3d
SHA256c97a5c2a9e69814dfc75b5096f9f22735bcec32ccfa49bc5804bccf70d5326b4
SHA512e0c0a47f72557de399b2663d47694d67fd1c86395ebab4304b9c3e5a37fc327a0847ebc5721216e1c1c23c6b99d30464613f1bddd11b49ea4ec65c06223ee0d2
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD5fc85059b3898829ac921fe1937f7ee74
SHA1a82674b624f11f564f11f580d44e30804d4ee5b4
SHA256bdf9d95754e34a8a0bfaebccda074a7e50407428a0d1348d44c8392ed52b4db4
SHA51233dd447288ab5829a9f8c522a28efebc7e171a2dd28f15adab15f4db7d2666a575f8226f8e05eb9265991997c1c77de81a7c1f0004652058e8bb486f07956721
-
Filesize
10KB
MD5a744c55ecbb580108dc9fa60e4542f2a
SHA1a363ea9836da07d8dc1984c6869c8ca5ce1070b5
SHA25669f733f07f56558f029316d00bfd3e09a382dda5a7d6c30e39a992553609a807
SHA512fe08565b01123953010e2aecdc34d8968a42e6da2c07d5d19823d325a9a2ccdcc0d07ea23b700cfb195d7fe915e933e40a6d6b42fec31d10038f86d5740f01d5
-
Filesize
11KB
MD5224c088eca228e503348f2f7ca6add5d
SHA117aee5d4a4c874e74a0f1ff575ca1a3b1d116eb2
SHA256d4719b932b9ac6df79b0f5162be3892cdc37768e6e089458129b6c4fc789be7a
SHA512c715429cda7da189a3402af85ab187fdaa51e052dcb68a34d0db2e455df06c6e3bd3f0919ed5ccb35f1e3a1438e84476054b2d3ce8e0abbe6de14a620cffba50
-
Filesize
3KB
MD59061b27c0051c85f5b4190c8f79e9be1
SHA1d3741750622458ba74e72d72795dbd0b9cb26554
SHA256987584696d6c8af4c07c823697932901b43f23942a299dc3cc7097e58b7bc9ce
SHA5126030c657e46ebfc8938a76483c0f8a0ddbfe1f8d3f0bfadddd87a1c63e82c30716cd75054c88e292e5ba0dafad9d250a16710f7bae25d5fdcdc075080723d4b2
-
Filesize
4KB
MD520837f70931bfd46c8a07aa2e7980f76
SHA17781c1f0413b85e74070804032ceca5dbf8bf852
SHA2564de0d205745b10f4ad597f79d705c783745ae91a5ec3227581236697de8e3f0a
SHA5124b15e3228d9904cb2d7fe3500986af1aa0af5e2bf39dfdc27b132750eb4bbf32edb18b0f6f34b9ef1231a5b1542a075af17a7690d809b85e08173cf9d1640a50
-
Filesize
4KB
MD5b9a20b6fc3d1acdab7a84af6284d4b48
SHA100432ae93e08384080df2bdeb7f069f610f96612
SHA25695f0d4cd6bda2e7b125cd8396199cdc12e268cee5c97335c27b6d959ced4c775
SHA5123ae7742a1ba7c41e79c6aa27bd49f4639a6c0e0e8a5748baf7bb7ca875075fac099bd265304841f316d21381d27eabb1166dd7b4977ba48b1c81fe490b640f7c
-
Filesize
5KB
MD54e2adad5bd1aac224a409693d2b27cb9
SHA10a70b68d8af1d50ad4a2e7fa91cf800be6078a52
SHA2568bd98eaaa26897b2165124503aae45af2696aaca9a8f197a39593ab0e56b28e9
SHA5121c52461dfc395708cfaf7157071e6ed5cfd6b16935cc276884688c01bbddaf21991fbf59631d3a564d18a8ceebc06001a23055d46fb2fad28df323421fa09f13
-
Filesize
384KB
MD5585e8bef57973400aeccbcf12be93218
SHA104036922927a1ba00583c774484c4961a123a9d9
SHA256c2aa3b407eca4847e0ca83dcf0b71482e24f205e24ec92979f9562fc2791a314
SHA512cc9854d219e91140c178bc31eb4f9afaf20a2c7fe9d4f224fad887fb958b1d71c735cf8f3d42396ff4a4bfa62b024c4604e81c4f32ebab62728b7b592372388b
-
Filesize
5.0MB
MD5bf0fb6062098e30425a7445ab0a9d0ba
SHA15c990387ca1d16ae01a7617df5d0836fddbbcc77
SHA2568a7a0550cf9194d62f023f712512b5dce1295106ab2f8e8d3939391fd25d0bd4
SHA512ad0915d6445733fee79ccf3caf8205483265cb7d20f4149fbd44cec40e67a8b921b6fe7f63f34890695b8d874f4b608f17998b40bd46d68a5db46b474627264d
-
Filesize
28KB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
4.0MB