General
- Target: RoseBetaV2.exe
- Size: 25.0MB
- Sample: 240427-z3esxagf36
- MD5: fc763af67d6332ca97e2631f3f69028e
- SHA1: 7d3e5f9f9595b27871533c0be3d6337cb7a69ce1
- SHA256: 01d2d27938986028a72ecd5073a3bec64ffc921b97d5b407e7139f119804b749
- SHA512: fa166cea85f734a4329abc8d5975decf613ac58aa89514a08b6fcf5a3bf0a6df9dc1696125b06769066ded1a572d306004c53100a83212e18ee704513bfc8f99
- SSDEEP: 98304:8VuQs3NK4llQAKFisSbzEK5J4FESLD21qmW7+LwsbEqZ0tCeEjQEt7YX4/OTyQ6o:bQClaFnwrj4FdLD2IARbEFMBtIFTyQT
Static task
- static1
Behavioral task
- behavioral1
- Sample: RoseBetaV2.exe
- Resource: win10-20240404-en
Malware Config
Extracted: discordrat
- discord_token: MTIzMzE1OTIyNDEwMDM5Mjk3MQ.GR-q2f.lSaO92LdHQXOf0Z9fXJ4_sgzy2GgWan5jLY5lI
- server_id: 1233156916117504134
Extracted: xworm
- 3.67.112.102:16320
- Install_directory: %AppData%
- install_file: XClient.exe
Targets
- Detect Xworm Payload
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.