General

Target: RoseBeta.exe
Size: 26.0MB
Sample: 240428-3nv35aca96
MD5: 670d03602beafeaab412627dc909d6f3
SHA1: 8113fa1c66c923ebd8c0422ff6a282a1c6da2fad
SHA256: 01ac0d16fd021fe8552deeb325866f9eee1a6fe3a0b6a78611e18656d6a2b771
SHA512: 7f8676453a41b43c5407c305a89c7f1e811bbdabacb4064e06c92165e80a9cca5c121a4974c3fa517603d79a827d7eeec8de8d76838139d8b989d40c31d5e30f
SSDEEP: 196608:wtk72Wh/ehadGsVkyXeh/MYn9SizHD2GcILXGzCSB:weyWtSakQ80uci7D2Gc4N0
Static task: static1
Behavioral task behavioral1: sample RoseBeta.exe, resource win7-20240220-en
Behavioral task behavioral2: sample RoseBeta.exe, resource win10v2004-20240419-en
Malware Config

Extracted: discordrat
discord_token: MTIzMzE1OTIyNDEwMDM5Mjk3MQ.Gn6c8D.xvOUqc_ZTRTU9DcSYc5abnsQe1Y5hLu-U7jOOQ
server_id: 1233156916117504134

Extracted: xworm
C2: 3.67.62.142:12971
Install_directory: %AppData%
install_file: XClient.exe
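The extracted config gives a few pivots that can be derived offline. The script below is an added example for this report, not tooling from the sandbox, the XWorm project or the Discord RAT; it decodes the first dot-separated segment of the Discord token (the base64-encoded bot user ID, a documented property of the Discord token format), turns that ID and server_id into creation timestamps using the documented Discord snowflake layout (ms since 2015-01-01 in the top 42 bits), splits the XWorm C2 into host and port, and builds the install path the dropper would write. Nothing here contacts Discord or the C2; the token is used only as input to a base64 decode.

```python
"""Offline pivots from the malware config extracted above.

Added example for this report, not code from the sandbox or the malware.
Inputs are copied from the "Malware Config" section; the Discord token
format (base64(user_id).<timestamp>.<hmac>) and snowflake layout are
documented properties, not assumptions specific to this sample.
"""
import base64
import datetime as dt

# Values copied verbatim from the extracted config above.
DISCORD_TOKEN = "MTIzMzE1OTIyNDEwMDM5Mjk3MQ.Gn6c8D.xvOUqc_ZTRTU9DcSYc5abnsQe1Y5hLu-U7jOOQ"
SERVER_ID = 1233156916117504134
XWORM_C2 = "3.67.62.142:12971"
XWORM_INSTALL_DIR = "%AppData%"
XWORM_INSTALL_FILE = "XClient.exe"

# Discord's snowflake epoch: 2015-01-01T00:00:00Z.
DISCORD_EPOCH = dt.datetime(2015, 1, 1, tzinfo=dt.timezone.utc)


def bot_id_from_token(token: str) -> int:
    """Return the bot/user ID carried in the token's first segment.

    Discord strips base64 padding from the token, so it is restored before
    decoding; the decoded bytes are the decimal ID as ASCII text.
    """
    first = token.split(".")[0]
    padded = first + "=" * (-len(first) % 4)
    return int(base64.b64decode(padded).decode("ascii"))


def snowflake_created(snowflake: int) -> dt.datetime:
    """Creation time of a Discord snowflake (bits 63..22 = ms since epoch)."""
    return DISCORD_EPOCH + dt.timedelta(milliseconds=snowflake >> 22)


def parse_c2(c2: str) -> tuple:
    """Split 'host:port' into (host, int port); rsplit tolerates IPv6 literals."""
    host, port = c2.rsplit(":", 1)
    return host, int(port)


def expected_install_path(install_dir: str, install_file: str) -> str:
    """Windows path the dropper writes, keeping the %AppData% placeholder."""
    return f"{install_dir}\\{install_file}"


def pivots() -> dict:
    """Collect every derived indicator in one dict (handy for a hunt ticket)."""
    bot_id = bot_id_from_token(DISCORD_TOKEN)
    host, port = parse_c2(XWORM_C2)
    return {
        "discord_bot_id": bot_id,
        "discord_bot_created": snowflake_created(bot_id),
        "discord_server_created": snowflake_created(SERVER_ID),
        "xworm_c2_host": host,
        "xworm_c2_port": port,
        "xworm_install_path": expected_install_path(XWORM_INSTALL_DIR, XWORM_INSTALL_FILE),
    }


if __name__ == "__main__":
    for key, value in pivots().items():
        print(f"{key}: {value}")
```

The creation timestamps are worth comparing with the sample ID (240428): both snowflakes were minted a few days before submission, which fits a bot and guild set up specifically for this campaign rather than reused infrastructure.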
Targets

Target: RoseBeta.exe
- Detect Xworm Payload
- Checks computer location settings: reads the country code configured in the registry, likely used as a geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to learn the infected system's external IP.
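The signatures above translate directly into host-telemetry checks. The script below is an added example for this report, not sandbox, vendor or malware code: it runs the report's indicators (the C2 host and port, the XClient.exe drop under %AppData%, Run-key persistence, a startup-folder drop) over a handful of Sysmon-style events. The field names (EventID, Image, TargetFilename, TargetObject, Details, DestinationIp, DestinationPort) are Sysmon's; the event records, the victim username, the SID and the Run value name "XClient" are constructed for the example, and %AppData% is assumed to expand to the usual C:\Users\<user>\AppData\Roaming.

```python
"""Match this report's XWorm indicators against Sysmon-style events.

Added example for this report, not code from the sandbox or the malware.
Sysmon event IDs used: 1 process create, 3 network connect, 11 file create,
13 registry value set. All sample events below are constructed.
"""
import re

# Indicators copied from the report.
C2_HOST, C2_PORT = "3.67.62.142", 12971
INSTALL_FILE = "XClient.exe"

# %AppData% expands to ...\AppData\Roaming on a default Windows profile (assumption).
APPDATA_RE = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


def _ends_with_file(path: str, name: str) -> bool:
    return path.lower().endswith("\\" + name.lower())


def classify(ev: dict) -> list:
    """Return the names of every report behaviour this single event matches."""
    hits = []
    eid = ev.get("EventID")
    image = ev.get("Image", "")
    target_file = ev.get("TargetFilename", "")

    if eid == 11 and _ends_with_file(target_file, INSTALL_FILE) and APPDATA_RE.search(target_file):
        hits.append("install_file_dropped")          # install_file written to Install_directory
    if eid == 11 and STARTUP_RE.search(target_file):
        hits.append("startup_folder_drop")           # "Drops startup file"
    if eid == 1 and _ends_with_file(image, INSTALL_FILE) and APPDATA_RE.search(image):
        hits.append("dropped_exe_executed_from_appdata")  # "Executes dropped EXE"
    if eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")) \
            and INSTALL_FILE.lower() in ev.get("Details", "").lower():
        hits.append("run_key_persistence")           # "Adds Run key to start application"
    if eid == 3 and ev.get("DestinationIp") == C2_HOST \
            and int(ev.get("DestinationPort", 0)) == C2_PORT:
        hits.append("xworm_c2_connection")           # extracted C2 host:port
    return hits


def scan(events: list) -> dict:
    """Map each behaviour name to the indices of the events that triggered it."""
    found = {}
    for idx, ev in enumerate(events):
        for hit in classify(ev):
            found.setdefault(hit, []).append(idx)
    return found


# Constructed telemetry: the dropper writes and launches XClient.exe, which
# persists via a Run value and a Startup .lnk, then connects to the C2.
# The final event is benign browser traffic and must not match anything.
VICTIM = "C:\\Users\\victim"
XCLIENT = VICTIM + "\\AppData\\Roaming\\XClient.exe"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": VICTIM + "\\Desktop\\RoseBeta.exe", "TargetFilename": XCLIENT},
    {"EventID": 1, "Image": XCLIENT, "ParentImage": VICTIM + "\\Desktop\\RoseBeta.exe"},
    {"EventID": 13, "Image": XCLIENT,
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\XClient",
     "Details": XCLIENT},
    {"EventID": 11, "Image": XCLIENT,
     "TargetFilename": VICTIM + "\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\XClient.lnk"},
    {"EventID": 3, "Image": XCLIENT, "DestinationIp": "3.67.62.142", "DestinationPort": 12971},
    {"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "DestinationIp": "93.184.216.34", "DestinationPort": 443},
]


if __name__ == "__main__":
    for behaviour, indices in scan(SAMPLE_EVENTS).items():
        print(f"{behaviour}: events {indices}")
```

Two of the report's signatures are deliberately not covered here: the country-code read ("Checks computer location settings") is a registry value read, which Sysmon does not log (it records key creation, value writes, renames and deletes only), and the external-IP web lookup is a plain outbound HTTPS request whose destination the report does not name. For those, pair the Run-key and C2 matches above with proxy or DNS logs from the same host and time window.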