General
- Target: App.bat
- Size: 453KB
- Sample: 240704-weld1atalg
- MD5: af68d0412846161b3db34d09b1ed5a78
- SHA1: 95203d4f45ac898eb73b4137da1fc6c950b91c82
- SHA256: f23d72bdcc3f87e58929146c283741c7fb63bb9c22ebc68b6b8aa0cf71643e26
- SHA512: a9c3ba36615af7ff14b1a956d7f3d7e1f16c7ef2f6d0008294b1ccab6ca07c47026a8185e2031af08c69d752eb203d13b0704c1a9d66d81b4c8af6d61cea7803
- SSDEEP: 12288:xLsb+2t4v4osoze48cJjOxIiv4Jj5AlW2I9AxL7:xo6r8U8gJjQW2IA7
Static task: static1
Behavioral task: behavioral1
- Sample: App.bat
- Resource: win11-20240508-en
Malware Config
Extracted: xworm
- paris-itself.gl.at.ply.gg:49485
- Install_directory: %ProgramData%
- install_file: USB.exe
Targets
- Detect Xworm Payload
- Rhadamanthys: Rhadamanthys is an info stealer written in C++, first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Matrix (ATT&CK v13)
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)