Task list (sample, platform):
- 3 | XWorm-v5-R...it.dll | windows11-21h2-x64
- 1 | XWorm-v5-R...43.dll | windows11-21h2-x64
- 7 | XWorm-v5-R...it.dll | windows11-21h2-x64
- 1 | XWorm-v5-R...il.dll | windows11-21h2-x64
- 1 | XWorm-v5-R...at.dll | windows11-21h2-x64
- 1 | XWorm-v5-R...ib.dll | windows11-21h2-x64
- 1 | XWorm-v5-R...rm.exe | windows11-21h2-x64
General
- Target: Unconfirmed 155663.crdownload
- Size: 5.0MB
- Sample: 240620-mtjz2sxdkm
- MD5: 4009932a7e44d607b529598df00ff375
- SHA1: ff8bff1c6f707101215aee8d7ff315cba991001d
- SHA256: 50505aa9a36faa076b8a6894297bc8fed02269938e6592b7b7be7c9c809897dd
- SHA512: b77816e1aaaf9a09155f91aa91070a099fcd09acec92c28ac6afa4bdf2abcec3d4e1eaa028efc4ff9b0999fc6b90ceaa71146d9023aaecc074a49945364c38de
- SSDEEP: 98304:pKF5kw1zDBMXSm5yH6FhCUJ4LGH2TqYeRTZ6Im81Xvm/UxRrBMGxaz5naIizTKM:Ic0ev5yaSU6GH2Th2TZsEfms+/kzOM
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: XWorm-v5-Remote-Access-Tool-main/ComponentFactory.Krypton.Toolkit.dll
  Resource: win11-20240611-en
- Behavioral task: behavioral2
  Sample: XWorm-v5-Remote-Access-Tool-main/D3DX9_43.dll
  Resource: win11-20240611-en
- Behavioral task: behavioral3
  Sample: XWorm-v5-Remote-Access-Tool-main/Krypton.Toolkit.dll
  Resource: win11-20240508-en
- Behavioral task: behavioral4
  Sample: XWorm-v5-Remote-Access-Tool-main/Mono.Cecil.dll
  Resource: win11-20240508-en
- Behavioral task: behavioral5
  Sample: XWorm-v5-Remote-Access-Tool-main/Mono.Nat.dll
  Resource: win11-20240508-en
- Behavioral task: behavioral6
  Sample: XWorm-v5-Remote-Access-Tool-main/Vestris.ResourceLib.dll
  Resource: win11-20240611-en
- Behavioral task: behavioral7
  Sample: XWorm-v5-Remote-Access-Tool-main/XWorm.exe
  Resource: win11-20240508-en
Malware Config
Targets
- Target: XWorm-v5-Remote-Access-Tool-main/ComponentFactory.Krypton.Toolkit.dll
  Size: 2.8MB
  MD5: 129884de0e136521fd650c59b2633e82
  SHA1: 43fea10a62670568c00a2910c3ee6fc1ceaa1bdc
  SHA256: 8c69f5df110bc1a61bdc3d8754ebfd3f49d9d995b9dd129accaf88371ce71e30
  SHA512: fbd40a8dd172449de46cecc08cdc2078409e5d893426364630c974903499c617f8cca2f4fd52cf030a835a376e140daf113a6d385027a9e2ede289ba32c8da43
  SSDEEP: 24576:9aA+gKf9mE6kWF2IaltkdgZUfoOJtMl6X1ZTJxf9VqY7djlb1IqdGsUfSYqsyb:UIaltkdgqHJtMl6XD7h7Nh1ImYqsy
  Score: 1/10
- Target: XWorm-v5-Remote-Access-Tool-main/D3DX9_43.dll
  Size: 2.3MB
  MD5: 7160fc226391c0b50c85571fa1a546e5
  SHA1: 2bf450850a522a09e8d1ce0f1e443d86d934f4ad
  SHA256: 84b900dbd7fa978d6e0caee26fc54f2f61d92c9c75d10b35f00e3e82cd1d67b4
  SHA512: dfab0eaab8c40fb80369e150cd36ff2224f3a6baf713044f47182961cd501fe4222007f9a93753ac757f64513c707c68a5cf4ae914e23fecaa4656a68df8349b
  SSDEEP: 49152:dbCJsk4VlPXA+15Om5wxw9Qsi55K+31BhZ64nW:YIIBnW
  Score: 7/10
  Signatures:
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Target: XWorm-v5-Remote-Access-Tool-main/Krypton.Toolkit.dll
  Size: 4.3MB
  MD5: 068b4f05eb35479a419bc55da643781e
  SHA1: 1d0fe6bb23bbd63dc6d4248f7c17afcf4bc16dea
  SHA256: 477ebd61ce116c6908a1cd1e50bc93869f6f7b9c3e0e5757551e6dd2a01b4648
  SHA512: f9022c7d91364519f5b773fd641741637f89a4f4f8eb1406d1c594e0a286724cea7494fb047e810bbed0579b6870db49a6828b1c79808e4554d762f326a87dcc
  SSDEEP: 49152:tmB08naO5IDdOBQNJxtk7ryrDdkny3y+sUFdRcRkMb2J:Mu8naO5oj9k7rODdlmHOMbO
  Score: 1/10
- Target: XWorm-v5-Remote-Access-Tool-main/Mono.Cecil.dll
  Size: 277KB
  MD5: 8df4d6b5dc1629fcefcdc20210a88eac
  SHA1: 16c661757ad90eb84228aa3487db11a2eac6fe64
  SHA256: 3e4288b32006fe8499b43a7f605bb7337931847a0aa79a33217a1d6d1a6c397e
  SHA512: 874b4987865588efb806a283b0e785fd24e8b1562026edd43050e150bce6c883134f3c8ad0f8c107b0fb1b26fce6ddcc7e344a5f55c3788dac35035b13d15174
  SSDEEP: 6144:iYOMWAEq+PAEwGQ9Xivs0s4EtS1Fv8jnLKdFvkPo2:AG+PpjQSHv8jA
  Score: 1/10
- Target: XWorm-v5-Remote-Access-Tool-main/Mono.Nat.dll
  Size: 40KB
  MD5: bf929442b12d4b5f9906b29834bf7db1
  SHA1: 810a2b3c8e548d1df931538bc304cc1405f7a32b
  SHA256: b33435ac7cdefcf7c2adf96738c762a95414eb7a4967ef6b88dcda14d58bfee0
  SHA512: 9fcfaf48bfe5455a466e666bafa59a7348a736368daa892333cefa0cac22bcef3255f9cee24a70ed96011b73abea8e5d3dbf24876cffa81e0b532df41dd81828
  SSDEEP: 768:yoVesKx0V2LpibQJxoKUDHj560aSX3zlJAO:lVespQibC+H56k3fF
  Score: 1/10
- Target: XWorm-v5-Remote-Access-Tool-main/Vestris.ResourceLib.dll
  Size: 76KB
  MD5: 64e9cb25aeefeeba3bb579fb1a5559bc
  SHA1: e719f80fcbd952609475f3d4a42aa578b2034624
  SHA256: 34cab594ce9c9af8e12a6923fc16468f5b87e168777db4be2f04db883c1db993
  SHA512: b21cd93f010b345b09b771d24b2e5eeed3b73a82fc16badafea7f0324e39477b0d7033623923313d2de5513cb778428ae10161ae7fc0d6b00e446f8d89cf0f8c
  SSDEEP: 1536:5Z0R489PUoltCY19T7Uf5DYoRvtkA2MNmjYgGKeK9jXGYWs:L0R489PUeCy7Uf5pVCMwjVG/K9jp
  Score: 1/10
- Target: XWorm-v5-Remote-Access-Tool-main/XWorm.exe
  Size: 456KB
  MD5: 515a0c8be21a5ba836e5687fc2d73333
  SHA1: c52be9d0d37ac1b8d6bc09860e68e9e0615255ab
  SHA256: 9950788284df125c7359aeb91435ed24d59359fac6a74ed73774ca31561cc7ae
  SHA512: 4e2bd7ce844bba25aff12e2607c4281b59f7579b9407139ef6136ef09282c7afac1c702adebc42f8bd7703fac047fd8b5add34df334bfc04d3518ea483225522
  SSDEEP: 6144:2uWP/BtSnurUylcrGYlnIttxv8HbcLgsd1Gus5psdrvV44dixP+MHDkBYdxtG9+V:2uWP/BZUyoLu8Agsmxwrvejkd2
  Score: 10/10
  Signatures:
  - Detect rhadamanthys stealer shellcode
  - Rhadamanthys: Rhadamanthys is an info stealer written in C++ first seen in August 2022.
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)