rhadamanthys | f23d72bdcc3f87e58929146c283741c7fb63bb9c22ebc68b6b8aa0cf71643e26 | Triage

Submit
Reports

Overview

overview

Static

static

1

App.bat

windows11-21h2-x64

Sharing

General

Target

App.bat
Size

453KB
Sample

240704-weld1atalg
MD5

af68d0412846161b3db34d09b1ed5a78
SHA1

95203d4f45ac898eb73b4137da1fc6c950b91c82
SHA256

f23d72bdcc3f87e58929146c283741c7fb63bb9c22ebc68b6b8aa0cf71643e26
SHA512

a9c3ba36615af7ff14b1a956d7f3d7e1f16c7ef2f6d0008294b1ccab6ca07c47026a8185e2031af08c69d752eb203d13b0704c1a9d66d81b4c8af6d61cea7803
SSDEEP

12288:xLsb+2t4v4osoze48cJjOxIiv4Jj5AlW2I9AxL7:xo6r8U8gJjQW2IA7

Score

10^/10

rhadamanthys xworm execution persistence rat stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

App.bat

Resource

win11-20240508-en

rhadamanthys xworm execution persistence rat stealer trojan

windows11-21h2-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

paris-itself.gl.at.ply.gg:49485

Attributes

Install_directory
%ProgramData%
install_file
USB.exe

Targets

- Target
  
  App.bat
- Size
  
  453KB
- MD5
  
  af68d0412846161b3db34d09b1ed5a78
- SHA1
  
  95203d4f45ac898eb73b4137da1fc6c950b91c82
- SHA256
  
  f23d72bdcc3f87e58929146c283741c7fb63bb9c22ebc68b6b8aa0cf71643e26
- SHA512
  
  a9c3ba36615af7ff14b1a956d7f3d7e1f16c7ef2f6d0008294b1ccab6ca07c47026a8185e2031af08c69d752eb203d13b0704c1a9d66d81b4c8af6d61cea7803
- SSDEEP
  
  12288:xLsb+2t4v4osoze48cJjOxIiv4Jj5AlW2I9AxL7:xo6r8U8gJjQW2IA7
Score

10^/10

rhadamanthys xworm execution persistence rat stealer trojan
- Detect Xworm Payload
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

rhadamanthysxwormexecutionpersistenceratstealertrojan

© 2018-2024

Terms | Privacy