General
Target: RoseBetaV2.exe
Size: 25.0MB
Sample: 240427-z1ys1age93
MD5: fc763af67d6332ca97e2631f3f69028e
SHA1: 7d3e5f9f9595b27871533c0be3d6337cb7a69ce1
SHA256: 01d2d27938986028a72ecd5073a3bec64ffc921b97d5b407e7139f119804b749
SHA512: fa166cea85f734a4329abc8d5975decf613ac58aa89514a08b6fcf5a3bf0a6df9dc1696125b06769066ded1a572d306004c53100a83212e18ee704513bfc8f99
SSDEEP: 98304:8VuQs3NK4llQAKFisSbzEK5J4FESLD21qmW7+LwsbEqZ0tCeEjQEt7YX4/OTyQ6o:bQClaFnwrj4FdLD2IARbEFMBtIFTyQT
Static task: static1
Behavioral task: behavioral1
  Sample: RoseBetaV2.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: RoseBetaV2.exe
  Resource: win10v2004-20240419-en
Malware Config
Extracted: discordrat
  discord_token: MTIzMzE1OTIyNDEwMDM5Mjk3MQ.GR-q2f.lSaO92LdHQXOf0Z9fXJ4_sgzy2GgWan5jLY5lI
  server_id: 1233156916117504134
Extracted: xworm
  3.67.112.102:16320
  Install_directory: %AppData%
  install_file: XClient.exe
Targets
Target: RoseBetaV2.exe
Size: 25.0MB
MD5: fc763af67d6332ca97e2631f3f69028e
SHA1: 7d3e5f9f9595b27871533c0be3d6337cb7a69ce1
SHA256: 01d2d27938986028a72ecd5073a3bec64ffc921b97d5b407e7139f119804b749
SHA512: fa166cea85f734a4329abc8d5975decf613ac58aa89514a08b6fcf5a3bf0a6df9dc1696125b06769066ded1a572d306004c53100a83212e18ee704513bfc8f99
SSDEEP: 98304:8VuQs3NK4llQAKFisSbzEK5J4FESLD21qmW7+LwsbEqZ0tCeEjQEt7YX4/OTyQ6o:bQClaFnwrj4FdLD2IARbEFMBtIFTyQT
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first sight, etc.
- Detect Xworm Payload
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.