General

  • Target

    Unconfirmed 155663.crdownload

  • Size

    5.0MB

  • Sample

    240620-mngyhasgmd

  • MD5

    4009932a7e44d607b529598df00ff375

  • SHA1

    ff8bff1c6f707101215aee8d7ff315cba991001d

  • SHA256

    50505aa9a36faa076b8a6894297bc8fed02269938e6592b7b7be7c9c809897dd

  • SHA512

    b77816e1aaaf9a09155f91aa91070a099fcd09acec92c28ac6afa4bdf2abcec3d4e1eaa028efc4ff9b0999fc6b90ceaa71146d9023aaecc074a49945364c38de

  • SSDEEP

    98304:pKF5kw1zDBMXSm5yH6FhCUJ4LGH2TqYeRTZ6Im81Xvm/UxRrBMGxaz5naIizTKM:Ic0ev5yaSU6GH2Th2TZsEfms+/kzOM

Targets

    • Target

      XWorm-v5-Remote-Access-Tool-main/ComponentFactory.Krypton.Toolkit.dll

    • Size

      2.8MB

    • MD5

      129884de0e136521fd650c59b2633e82

    • SHA1

      43fea10a62670568c00a2910c3ee6fc1ceaa1bdc

    • SHA256

      8c69f5df110bc1a61bdc3d8754ebfd3f49d9d995b9dd129accaf88371ce71e30

    • SHA512

      fbd40a8dd172449de46cecc08cdc2078409e5d893426364630c974903499c617f8cca2f4fd52cf030a835a376e140daf113a6d385027a9e2ede289ba32c8da43

    • SSDEEP

      24576:9aA+gKf9mE6kWF2IaltkdgZUfoOJtMl6X1ZTJxf9VqY7djlb1IqdGsUfSYqsyb:UIaltkdgqHJtMl6XD7h7Nh1ImYqsy

    Score: 5/10
    • Drops file in System32 directory

    • Target

      XWorm-v5-Remote-Access-Tool-main/D3DX9_43.dll

    • Size

      2.3MB

    • MD5

      7160fc226391c0b50c85571fa1a546e5

    • SHA1

      2bf450850a522a09e8d1ce0f1e443d86d934f4ad

    • SHA256

      84b900dbd7fa978d6e0caee26fc54f2f61d92c9c75d10b35f00e3e82cd1d67b4

    • SHA512

      dfab0eaab8c40fb80369e150cd36ff2224f3a6baf713044f47182961cd501fe4222007f9a93753ac757f64513c707c68a5cf4ae914e23fecaa4656a68df8349b

    • SSDEEP

      49152:dbCJsk4VlPXA+15Om5wxw9Qsi55K+31BhZ64nW:YIIBnW

    • Detect rhadamanthys stealer shellcode

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      XWorm-v5-Remote-Access-Tool-main/Krypton.Toolkit.dll

    • Size

      4.3MB

    • MD5

      068b4f05eb35479a419bc55da643781e

    • SHA1

      1d0fe6bb23bbd63dc6d4248f7c17afcf4bc16dea

    • SHA256

      477ebd61ce116c6908a1cd1e50bc93869f6f7b9c3e0e5757551e6dd2a01b4648

    • SHA512

      f9022c7d91364519f5b773fd641741637f89a4f4f8eb1406d1c594e0a286724cea7494fb047e810bbed0579b6870db49a6828b1c79808e4554d762f326a87dcc

    • SSDEEP

      49152:tmB08naO5IDdOBQNJxtk7ryrDdkny3y+sUFdRcRkMb2J:Mu8naO5oj9k7rODdlmHOMbO

    Score: 1/10
    • Target

      XWorm-v5-Remote-Access-Tool-main/Mono.Cecil.dll

    • Size

      277KB

    • MD5

      8df4d6b5dc1629fcefcdc20210a88eac

    • SHA1

      16c661757ad90eb84228aa3487db11a2eac6fe64

    • SHA256

      3e4288b32006fe8499b43a7f605bb7337931847a0aa79a33217a1d6d1a6c397e

    • SHA512

      874b4987865588efb806a283b0e785fd24e8b1562026edd43050e150bce6c883134f3c8ad0f8c107b0fb1b26fce6ddcc7e344a5f55c3788dac35035b13d15174

    • SSDEEP

      6144:iYOMWAEq+PAEwGQ9Xivs0s4EtS1Fv8jnLKdFvkPo2:AG+PpjQSHv8jA

    Score: 1/10
    • Target

      XWorm-v5-Remote-Access-Tool-main/Mono.Nat.dll

    • Size

      40KB

    • MD5

      bf929442b12d4b5f9906b29834bf7db1

    • SHA1

      810a2b3c8e548d1df931538bc304cc1405f7a32b

    • SHA256

      b33435ac7cdefcf7c2adf96738c762a95414eb7a4967ef6b88dcda14d58bfee0

    • SHA512

      9fcfaf48bfe5455a466e666bafa59a7348a736368daa892333cefa0cac22bcef3255f9cee24a70ed96011b73abea8e5d3dbf24876cffa81e0b532df41dd81828

    • SSDEEP

      768:yoVesKx0V2LpibQJxoKUDHj560aSX3zlJAO:lVespQibC+H56k3fF

    Score: 1/10
    • Target

      XWorm-v5-Remote-Access-Tool-main/Vestris.ResourceLib.dll

    • Size

      76KB

    • MD5

      64e9cb25aeefeeba3bb579fb1a5559bc

    • SHA1

      e719f80fcbd952609475f3d4a42aa578b2034624

    • SHA256

      34cab594ce9c9af8e12a6923fc16468f5b87e168777db4be2f04db883c1db993

    • SHA512

      b21cd93f010b345b09b771d24b2e5eeed3b73a82fc16badafea7f0324e39477b0d7033623923313d2de5513cb778428ae10161ae7fc0d6b00e446f8d89cf0f8c

    • SSDEEP

      1536:5Z0R489PUoltCY19T7Uf5DYoRvtkA2MNmjYgGKeK9jXGYWs:L0R489PUeCy7Uf5pVCMwjVG/K9jp

    Score: 1/10
    • Target

      XWorm-v5-Remote-Access-Tool-main/XWorm.exe

    • Size

      456KB

    • MD5

      515a0c8be21a5ba836e5687fc2d73333

    • SHA1

      c52be9d0d37ac1b8d6bc09860e68e9e0615255ab

    • SHA256

      9950788284df125c7359aeb91435ed24d59359fac6a74ed73774ca31561cc7ae

    • SHA512

      4e2bd7ce844bba25aff12e2607c4281b59f7579b9407139ef6136ef09282c7afac1c702adebc42f8bd7703fac047fd8b5add34df334bfc04d3518ea483225522

    • SSDEEP

      6144:2uWP/BtSnurUylcrGYlnIttxv8HbcLgsd1Gus5psdrvV44dixP+MHDkBYdxtG9+V:2uWP/BZUyoLu8Agsmxwrvejkd2

    Score: 10/10
    • Detect rhadamanthys stealer shellcode

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

MITRE ATT&CK Matrix (ATT&CK v13)

Execution

  • Command and Scripting Interpreter (T1059): 1
  • PowerShell (T1059.001): 1

Discovery

  • Query Registry (T1012): 4
  • System Information Discovery (T1082): 4
  • Peripheral Device Discovery (T1120): 2

Command and Control

  • Web Service (T1102): 1