discordrat | 01ac0d16fd021fe8552deeb325866f9eee1a6fe3a0b6a78611e18656d6a2b771

Resubmissions

28-04-2024 23:40

240428-3nv35aca96 10

28-04-2024 23:29

240428-3ght8acb7v 10

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 23:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RoseBeta.exe
Size

26.0MB
MD5

670d03602beafeaab412627dc909d6f3
SHA1

8113fa1c66c923ebd8c0422ff6a282a1c6da2fad
SHA256

01ac0d16fd021fe8552deeb325866f9eee1a6fe3a0b6a78611e18656d6a2b771
SHA512

7f8676453a41b43c5407c305a89c7f1e811bbdabacb4064e06c92165e80a9cca5c121a4974c3fa517603d79a827d7eeec8de8d76838139d8b989d40c31d5e30f
SSDEEP

196608:wtk72Wh/ehadGsVkyXeh/MYn9SizHD2GcILXGzCSB:weyWtSakQ80uci7D2Gc4N0

Score

10^/10

discordrat xworm persistence rat rootkit stealer trojan upx

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIzMzE1OTIyNDEwMDM5Mjk3MQ.Gn6c8D.xvOUqc_ZTRTU9DcSYc5abnsQe1Y5hLu-U7jOOQ
server_id
1233156916117504134

Extracted

Family

xworm

3.67.62.142:12971

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/memory/2532-47-0x0000000000850000-0x000000000086C000-memory.dmp	family_xworm
behavioral1/files/0x000c000000013417-4.dat	family_xworm
behavioral1/memory/2612-190-0x00000000012F0000-0x000000000130C000-memory.dmp	family_xworm

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 5 IoCs

pid	Process
2532	XClient.exe
2620	Client-built.exe
2432	Built.exe
2492	Built.exe
2612	XClient.exe

Loads dropped DLL 17 IoCs

pid	Process
3064	RoseBeta.exe
3064	RoseBeta.exe
2432	Built.exe
2492	Built.exe
2492	Built.exe
2492	Built.exe
2492	Built.exe
2492	Built.exe
2492	Built.exe
2492	Built.exe
1560	WerFault.exe
1560	WerFault.exe
1560	WerFault.exe
1560	WerFault.exe
1560	WerFault.exe
1064	Process not Found
1064	Process not Found

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2492-97-0x000007FEF0350000-0x000007FEF07BE000-memory.dmp	upx
behavioral1/files/0x0006000000016d10-96.dat	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\XClient.exe	RoseBeta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2092	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2400	timeout.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2532	XClient.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2760	powershell.exe
1240	powershell.exe
108	powershell.exe
2792	powershell.exe
960	powershell.exe
2532	XClient.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2532	XClient.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	108	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	960	powershell.exe
Token: SeDebugPrivilege	2532	XClient.exe
Token: SeDebugPrivilege	2612	XClient.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2532	XClient.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2760	3064	RoseBeta.exe	28
PID 3064 wrote to memory of 2760	3064	RoseBeta.exe	28
PID 3064 wrote to memory of 2760	3064	RoseBeta.exe	28
PID 3064 wrote to memory of 2760	3064	RoseBeta.exe	28
PID 3064 wrote to memory of 2532	3064	RoseBeta.exe	30
PID 3064 wrote to memory of 2532	3064	RoseBeta.exe	30
PID 3064 wrote to memory of 2532	3064	RoseBeta.exe	30
PID 3064 wrote to memory of 2532	3064	RoseBeta.exe	30
PID 3064 wrote to memory of 2620	3064	RoseBeta.exe	31
PID 3064 wrote to memory of 2620	3064	RoseBeta.exe	31
PID 3064 wrote to memory of 2620	3064	RoseBeta.exe	31
PID 3064 wrote to memory of 2620	3064	RoseBeta.exe	31
PID 3064 wrote to memory of 2432	3064	RoseBeta.exe	32
PID 3064 wrote to memory of 2432	3064	RoseBeta.exe	32
PID 3064 wrote to memory of 2432	3064	RoseBeta.exe	32
PID 3064 wrote to memory of 2432	3064	RoseBeta.exe	32
PID 2432 wrote to memory of 2492	2432	Built.exe	33
PID 2432 wrote to memory of 2492	2432	Built.exe	33
PID 2432 wrote to memory of 2492	2432	Built.exe	33
PID 2620 wrote to memory of 1560	2620	Client-built.exe	34
PID 2620 wrote to memory of 1560	2620	Client-built.exe	34
PID 2620 wrote to memory of 1560	2620	Client-built.exe	34
PID 2532 wrote to memory of 1240	2532	XClient.exe	36
PID 2532 wrote to memory of 1240	2532	XClient.exe	36
PID 2532 wrote to memory of 1240	2532	XClient.exe	36
PID 2532 wrote to memory of 108	2532	XClient.exe	38
PID 2532 wrote to memory of 108	2532	XClient.exe	38
PID 2532 wrote to memory of 108	2532	XClient.exe	38
PID 2532 wrote to memory of 2792	2532	XClient.exe	40
PID 2532 wrote to memory of 2792	2532	XClient.exe	40
PID 2532 wrote to memory of 2792	2532	XClient.exe	40
PID 2532 wrote to memory of 960	2532	XClient.exe	42
PID 2532 wrote to memory of 960	2532	XClient.exe	42
PID 2532 wrote to memory of 960	2532	XClient.exe	42
PID 2532 wrote to memory of 2092	2532	XClient.exe	44
PID 2532 wrote to memory of 2092	2532	XClient.exe	44
PID 2532 wrote to memory of 2092	2532	XClient.exe	44
PID 1636 wrote to memory of 2612	1636	taskeng.exe	47
PID 1636 wrote to memory of 2612	1636	taskeng.exe	47
PID 1636 wrote to memory of 2612	1636	taskeng.exe	47
PID 2532 wrote to memory of 2852	2532	XClient.exe	50
PID 2532 wrote to memory of 2852	2532	XClient.exe	50
PID 2532 wrote to memory of 2852	2532	XClient.exe	50
PID 2532 wrote to memory of 1576	2532	XClient.exe	52
PID 2532 wrote to memory of 1576	2532	XClient.exe	52
PID 2532 wrote to memory of 1576	2532	XClient.exe	52
PID 1576 wrote to memory of 2400	1576	cmd.exe	54
PID 1576 wrote to memory of 2400	1576	cmd.exe	54
PID 1576 wrote to memory of 2400	1576	cmd.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\RoseBeta.exe
"C:\Users\Admin\AppData\Local\Temp\RoseBeta.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaQBuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHUAbgB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAYgBhACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Windows\XClient.exe
  "C:\Windows\XClient.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\XClient.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1240
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:108
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:960
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2092
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /f /tn "XClient"
    3⤵
    PID:2852
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpEE07.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2400
- C:\Users\Admin\AppData\Local\Client-built.exe
  "C:\Users\Admin\AppData\Local\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2620 -s 596
    3⤵
    - Loads dropped DLL
    PID:1560
- C:\Users\Admin\AppData\Roaming\Built.exe
  "C:\Users\Admin\AppData\Roaming\Built.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Users\Admin\AppData\Roaming\Built.exe
    "C:\Users\Admin\AppData\Roaming\Built.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2492

C:\Windows\system32\taskeng.exe
taskeng.exe {A522E825-FA26-4769-AD08-971AE4DB2506} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpEE07.tmp.bat

Filesize
136B

MD5
9549e53f22be6c261c6c1ffe248e62e8

SHA1
fd328736b12bb820deb6acd01184c2e1f98e2a2f

SHA256
d54babdbdaf84c75aa645c65a8aa25fb3d939a3be38f3d54b0ddbfdac183563b

SHA512
d26e202847bf5411eb17c2c9d8ec6ac4c3af61c8ae0eb9bc75ea9925759f34f10ea9692605738d11eebac480affd1a436e872218650168d112c65e596f1fae50

Download Submit
C:\Users\Admin\AppData\Roaming\Built.exe

Filesize
6.7MB

MD5
034979f13de4bf0e71729917122bba64

SHA1
0f2cad58c5a7260d3104974323c509a5a0a737b7

SHA256
b5b872c3270b736d151b3ab719bdbb0b9f971c4a3ac64236e486a868b357f6ad

SHA512
bd5c3444e9be27650295c2a3e89d572b52eacc1f6f50fd9f38a9f1c0e92a42e90ed2da99166ee8e86eebc6b02d52f73a9ce9281da4d2d0b5e8458312962fd602

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EZ1YIATMXUWTEI3F4GOF.temp

Filesize
7KB

MD5
cb54808e57645c287dce5b8a7a30e73c

SHA1
87754db0a1f71b167718626f9d190f654465c8ef

SHA256
8118ce3b0ecd8e17a80ad61d14ac9d3cb48c03cdd0b6ae5331ff498bb042cbdf

SHA512
c27b09064bca7c10dc955e2d1df6dfb74c11c5a244bbc8fa0c6657561360fafd26165dcb154101bb8aee04cf646987fb8ff914f2cd7b90a778e01b576f1f979b

Download Submit
C:\Windows\XClient.exe

Filesize
88KB

MD5
73ac469e938290eb4e95ab6fc7d3b9f0

SHA1
349a97f5fa1c2665475610e9dac9c88d9a364324

SHA256
cfe816f55462fa50b36a683dcb32134724a3edbac420a554490f975ab278783e

SHA512
9d98575ac544be7d05777e12301a649a1ec0cde15ba1bf6b3ec238995d63d6cfc9065ac5bdb95f074bc28f0f77aed07b36941245078988b5fcd2299e6fadeeac

Download Submit
\Users\Admin\AppData\Local\Client-built.exe

Filesize
78KB

MD5
5392e31bf08c620200727b67f506f74f

SHA1
5a6aa8cd3a82a54d6de955a99ccad63b24c3115a

SHA256
df83b05d975a092ef45ada2e2e30da30688414946e8e49763f47d53de8509942

SHA512
077271684a680f977e4f838636232f0553385f78cf9427392e7d88ae3f8cf29751652c5225d0619fe93c56bce5ef21ec73437cb36a8476fa189b5e400a071651

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24322\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
bcb8b9f6606d4094270b6d9b2ed92139

SHA1
bd55e985db649eadcb444857beed397362a2ba7b

SHA256
fa18d63a117153e2ace5400ed89b0806e96f0627d9db935906be9294a3038118

SHA512
869b2b38fd528b033b3ec17a4144d818e42242b83d7be48e2e6da6992111758b302f48f52e0dd76becb526a90a2b040ce143c6d4f0e009a513017f06b9a8f2b9

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24322\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24322\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
20ddf543a1abe7aee845de1ec1d3aa8e

SHA1
0eaf5de57369e1db7f275a2fffd2d2c9e5af65bf

SHA256
d045a72c3e4d21165e9372f76b44ff116446c1e0c221d9cea3ab0a1134a310e8

SHA512
96dd48df315a7eea280ca3da0965a937a649ee77a82a1049e3d09b234439f7d927d7fb749073d7af1b23dadb643978b70dcdadc6c503fe850b512b0c9c1c78dd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24322\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
4380d56a3b83ca19ea269747c9b8302b

SHA1
0c4427f6f0f367d180d37fc10ecbe6534ef6469c

SHA256
a79c7f86462d8ab8a7b73a3f9e469514f57f9fe456326be3727352b092b6b14a

SHA512
1c29c335c55f5f896526c8ee0f7160211fd457c1f1b98915bcc141112f8a730e1a92391ab96688cbb7287e81e6814cc86e3b057e0a6129cbb02892108bfafaf4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24322\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
2554060f26e548a089cab427990aacdf

SHA1
8cc7a44a16d6b0a6b7ed444e68990ff296d712fe

SHA256
5ab003e899270b04abc7f67be953eaccf980d5bbe80904c47f9aaf5d401bb044

SHA512
fd4d5a7fe4da77b0222b040dc38e53f48f7a3379f69e2199639b9f330b2e55939d89ce8361d2135182b607ad75e58ee8e34b90225143927b15dcc116b994c506

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24322\python310.dll

Filesize
1.4MB

MD5
178a0f45fde7db40c238f1340a0c0ec0

SHA1
dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe

SHA256
9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed

SHA512
4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24322\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
memory/108-115-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/108-114-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/1240-107-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/1240-108-0x0000000002040000-0x0000000002048000-memory.dmp

Filesize
32KB

Download
memory/2492-97-0x000007FEF0350000-0x000007FEF07BE000-memory.dmp

Filesize
4.4MB

Download
memory/2532-47-0x0000000000850000-0x000000000086C000-memory.dmp

Filesize
112KB

Download
memory/2612-190-0x00000000012F0000-0x000000000130C000-memory.dmp

Filesize
112KB

Download
memory/2620-46-0x000000013F100000-0x000000013F118000-memory.dmp

Filesize
96KB

Download