General

  • Target

    RoseBetaV2.exe

  • Size

    25.0MB

  • Sample

    240427-z3esxagf36

  • MD5

    fc763af67d6332ca97e2631f3f69028e

  • SHA1

    7d3e5f9f9595b27871533c0be3d6337cb7a69ce1

  • SHA256

    01d2d27938986028a72ecd5073a3bec64ffc921b97d5b407e7139f119804b749

  • SHA512

    fa166cea85f734a4329abc8d5975decf613ac58aa89514a08b6fcf5a3bf0a6df9dc1696125b06769066ded1a572d306004c53100a83212e18ee704513bfc8f99

  • SSDEEP

    98304:8VuQs3NK4llQAKFisSbzEK5J4FESLD21qmW7+LwsbEqZ0tCeEjQEt7YX4/OTyQ6o:bQClaFnwrj4FdLD2IARbEFMBtIFTyQT

Malware Config

Extracted

Family

discordrat

Attributes

  • discord_token

    MTIzMzE1OTIyNDEwMDM5Mjk3MQ.GR-q2f.lSaO92LdHQXOf0Z9fXJ4_sgzy2GgWan5jLY5lI

  • server_id

    1233156916117504134

Extracted

Family

xworm

C2

3.67.112.102:16320

Attributes

  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Targets

    • Target

      RoseBetaV2.exe

    • Deletes Windows Defender Definitions

      Uses the mpcmdrun utility to delete all AV definitions.

    • Detect Xworm Payload

    • Discord RAT

      A RAT written in C# using Discord as a C2.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX variant.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15