Resubmissions

28-04-2024 23:40

240428-3nv35aca96 10

28-04-2024 23:29

240428-3ght8acb7v 10

General

  • Target

    RoseBeta.exe

  • Size

    26.0MB

  • Sample

    240428-3nv35aca96

  • MD5

    670d03602beafeaab412627dc909d6f3

  • SHA1

    8113fa1c66c923ebd8c0422ff6a282a1c6da2fad

  • SHA256

    01ac0d16fd021fe8552deeb325866f9eee1a6fe3a0b6a78611e18656d6a2b771

  • SHA512

    7f8676453a41b43c5407c305a89c7f1e811bbdabacb4064e06c92165e80a9cca5c121a4974c3fa517603d79a827d7eeec8de8d76838139d8b989d40c31d5e30f

  • SSDEEP

    196608:wtk72Wh/ehadGsVkyXeh/MYn9SizHD2GcILXGzCSB:weyWtSakQ80uci7D2Gc4N0

Malware Config

Extracted

Family

discordrat

Attributes

  • discord_token

    MTIzMzE1OTIyNDEwMDM5Mjk3MQ.Gn6c8D.xvOUqc_ZTRTU9DcSYc5abnsQe1Y5hLu-U7jOOQ

  • server_id

    1233156916117504134

Extracted

Family

xworm

C2

3.67.62.142:12971

Attributes

  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Targets

    • Target

      RoseBeta.exe

    • Size

      26.0MB

    • MD5

      670d03602beafeaab412627dc909d6f3

    • SHA1

      8113fa1c66c923ebd8c0422ff6a282a1c6da2fad

    • SHA256

      01ac0d16fd021fe8552deeb325866f9eee1a6fe3a0b6a78611e18656d6a2b771

    • SHA512

      7f8676453a41b43c5407c305a89c7f1e811bbdabacb4064e06c92165e80a9cca5c121a4974c3fa517603d79a827d7eeec8de8d76838139d8b989d40c31d5e30f

    • SSDEEP

      196608:wtk72Wh/ehadGsVkyXeh/MYn9SizHD2GcILXGzCSB:weyWtSakQ80uci7D2Gc4N0

    • Detect Xworm Payload

    • Discord RAT

      A RAT written in C# using Discord as a C2.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX (or a modified UPX) open-source packer.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks