Overview

overview

10

Static

static

7

RoseBETA2/...re.dll

windows7-x64

1

RoseBETA2/...re.dll

windows10-2004-x64

1

RoseBETA2/...re.dll

windows7-x64

1

RoseBETA2/...re.dll

windows10-2004-x64

1

RoseBETA2/...ss.exe

windows7-x64

1

RoseBETA2/...ss.exe

windows10-2004-x64

1

RoseBETA2/...ime.js

windows7-x64

3

RoseBETA2/...ime.js

windows10-2004-x64

3

RoseBETA2/...or.exe

windows7-x64

9

RoseBETA2/...or.exe

windows10-2004-x64

9

RoseBETA2/Rose.dll

windows7-x64

8

RoseBETA2/Rose.dll

windows10-2004-x64

8

RoseBETA2/Rose.exe

windows7-x64

10

RoseBETA2/Rose.exe

windows10-2004-x64

10

RoseBETA2/...6e2.js

windows7-x64

3

RoseBETA2/...6e2.js

windows10-2004-x64

3

RoseBETA2/...x.html

windows7-x64

1

RoseBETA2/...x.html

windows10-2004-x64

1

RoseBETA2/...au.exe

windows7-x64

1

RoseBETA2/...au.exe

windows10-2004-x64

1

RoseBETA2/...au.exe

windows7-x64

1

RoseBETA2/...au.exe

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    RoseBETA2.rar

  • Size

    84.0MB

  • Sample

    240521-why49sde5s

  • MD5

    bbac9e4ab071142b9fea585ce436f43f

  • SHA1

    4bc5bc31ac8fe614a2689a879ab8653f008c551a

  • SHA256

    af4a80c07d9bc62221b09ab18e2b63a756c6b15f151fcd1a331d81d46c814cda

  • SHA512

    a1314493a497f7821e2eb759395bd574f6310df213687672ba7bfa9c6c7c506662fd6414fdb54f0786287f0993cbf517842d878e0a52db7d7e9b64cff08d85d1

  • SSDEEP

    1572864:YmWfYlqeSWJhuS7JhVCZPvzosfqZOLWip8jnqjIjnBBS3Z1YeheMUjmGH2VPLjrl:YHYlqKh1hMFvzgQWLrqjinB41HheMs1E

Score
10/10
discordratxwormevasionexecutionpersistenceratrootkitspywarestealerthemidatrojanupx

Malware Config

Extracted

Family

xworm

C2

3.125.209.94:13551

Attributes
  • Install_directory

    %AppData%

  • install_file

    Roaming5.exe

Extracted

Family

discordrat

Attributes
  • discord_token

    MTIzODIyMjM1NTkxNDk0ODYxOA.GIhaBv.jW6xqCJH4cBG7Z95TuFbhmiRz3U2zCK9bD4ZH0

  • server_id

    1237864378947207299

Targets

    • Target

      RoseBETA2/Azure.Core.dll

    • Size

      391KB

    • MD5

      e2a35e588b6fba2072c741c2987511a5

    • SHA1

      94c56bfac87ed8e2e4cd19b16ad207f21abe7b62

    • SHA256

      dfaf0994f7e329274052cc74baf18013a4940103b8374e7d5f2d9779e641bd6a

    • SHA512

      2f0ae1b88d5937d1f7bea5504dcb0193a6a786c4839dcccd1a6de0b9367e97b606407f2a7cdb2786095c59ef49506391c35a55e2099221e45e721ddde8beec4a

    • SSDEEP

      6144:dqeDbIadSkZMpd79+IadLIw16lAat7XbmrWELTYNxUG:vkkZuxQlSDXSrWELTYXUG

    Score
    1/10
    behavioral1behavioral2

    • Target

      RoseBETA2/CefSharp.BrowserSubprocess.Core.dll

    • Size

      1.1MB

    • MD5

      5b745ee879e65f7a47c56265881f16e7

    • SHA1

      e6a90771b8f1bf53beeb7c9e4268756ff07a088d

    • SHA256

      c8944a83938c39fbea72700485db8a61ab82e1c51d8e16d5dd48de4e36a6f264

    • SHA512

      3b4bef98a1f751c3a747de0eb050828bf8474efa68aa7a26d0369f1c3b42829eaab221cb612c005a54ed5b84f19180700e51aab39adb84fe7246d9e91e6899c8

    • SSDEEP

      24576:0u7vjXauHhY9GlRDLFZbJ/ogbZcECacHIDCRCSpb+ms0veXCJ2ZiVxhEDssQjPcd:0u7l41pKms0veXCJ2ZiVxhEDssQjPc8F

    Score
    1/10
    behavioral3behavioral4

    • Target

      RoseBETA2/CefSharp.BrowserSubprocess.exe

    • Size

      6KB

    • MD5

      bcd22b9511d5383e23d875e2cf3c339e

    • SHA1

      0ef86afaef536cc4b046ea2866414bb193d60702

    • SHA256

      95dd31f11ac1317559b6eee0479739930d503a4938283f5d831ac8add92ad792

    • SHA512

      c4e6821858720895c0bfae797097e3307bb7ea8f03dde4fefc16cce03b2a50fecfe8ed5c3225136fcd9d74ee0ed8673f795b410cd14890d22df58c1f03b693c6

    • SSDEEP

      96:v6ZxBI7kNmQBDvJGSkX6eFZJetmAhNt61OYcXe5U:UBIimQB9eX6eFZgsAYcXeS

    Score
    1/10
    behavioral5behavioral6

    • Target

      RoseBETA2/CefSharp.Core.Runtime.xml

    • Size

      564KB

    • MD5

      0bf88b84abbc7deb85c304aff8db3619

    • SHA1

      50381f11d0ddb000783d9301a340c9ac36e68a65

    • SHA256

      ad2a383d4bf1635defc7b67bd7124453f988b8a4814bb96dbb09c72e63cba257

    • SHA512

      b2fb0d57f5bbb79095d7ec93a65da477713e17a7766b83407d2427f204954312ccb23e17431c1bc28a560e6f270dec94f5966eccf00e43a5b3647221f2512373

    • SSDEEP

      3072:No63LIM09/AlW+Bo0ex6qoPg29BRoLpwunXzuv2SY3Hj0qKh1pwHBTq0PA5Vi75L:N7IJ9/AlF8LxzdH0qKh4Tq0z5bcY

    Score
    3/10
    execution
    behavioral7behavioral8

    • Target

      RoseBETA2/Injector.exe

    • Size

      3.4MB

    • MD5

      c6b39ee166d5b0a2c8a9021ccd1593ae

    • SHA1

      e480e7c282f64e8b0179c82afe154dd59d14217d

    • SHA256

      443b665c5f545a2bdd7855f86bf70a5ee7f35eda1b6b08615161f5809cbda02b

    • SHA512

      3864aea36c522ca5658412128e6a4c862a647cf3b1054b9adbe418488590a37600d7639c3eba94ca9de76f087b244b95644c667213b1122889cf2d9b7a4652d2

    • SSDEEP

      49152:Kl0nJ28J4VZohYWVGGjW8NhSU7zwo8oXJ2R3KPHsI7coj2J+eNgRpqNc1a:KmnJrJ4DohYWVTJNkIZZ2R6vsmA+FDqN

    Score
    9/10
    evasionthemidatrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral10behavioral9

    • Target

      RoseBETA2/Rose.dll

    • Size

      15.6MB

    • MD5

      b7660cbe69220a479611763e49cd50e1

    • SHA1

      2a89b9e56190204f7a776b6612d89baadaef911c

    • SHA256

      0c0c9b140ac34f43a7252ec81007024bcad1d5d526762e518513ec20ff0e3a2a

    • SHA512

      6b5aad55413600e57a7313779aed5868da49b6502bc2543eb675d582d0ba3ed0d1a153a7fdff04353c5019ee115c1ce01748548c24b679882be1f885be31b7ed

    • SSDEEP

      196608:d7sdHFJiem2Ijbtm+4dqFgva0HLmhBpRK5vtWAL4Lq22+oWlsHawFM+OuKsgAyhP:WViXbtm+Kvv4Rivtz+oWXuKseRP8

    Score
    8/10

    • Blocklisted process makes network request

    behavioral11behavioral12

    • Target

      RoseBETA2/Rose.exe

    • Size

      7.1MB

    • MD5

      e3a5864bd287c04b45c643e12b4ed47f

    • SHA1

      9ab0757a2cf6f8470d748ab353b3f1bdd4c8f4e5

    • SHA256

      e3a6cc03b47e76ff8b453136726a443c72b6f15ea146559bde34e11fb86fe9c6

    • SHA512

      fb3717826e0fd4c5b1e6cb276c041752a686aa921a702e35431a8511b3a1496c91e723aaf153d696fe62a984c9c780f04aae5bfc6b586b099f586c06ab59ab7b

    • SSDEEP

      196608:3z72FcW+16K2VMf/89/jGCtw9kx6Vro3Kv06u:3As69+/89/jP+kE8l

    Score
    10/10
    discordratxwormexecutionpersistenceratrootkitstealertrojanupxspyware

    • Detect Xworm Payload

    • Discord RAT

      A RAT written in C# using Discord as a C2.

      stealerrootkitratpersistencediscordrat

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral13behavioral14

    • Target

      RoseBETA2/dist/client/assets/apex-421346e2.js

    • Size

      4KB

    • MD5

      d302348bea18f9aa61e06af175c21ed0

    • SHA1

      0eeac241f4b3b2f011d6630c67d8c3f919323780

    • SHA256

      15d1325d868645f0c348ea12bae7549e0fb7b838944c0e9407022afa1d12876a

    • SHA512

      5702a9d661c8f0b36957cf2b35aacba925f28784288ddca7cd385fec74bbcb96bc04755a7441ee04ce563db2ef8924ba86768fd59cbf7d0cf01e2cc0d40e2f11

    • SSDEEP

      96:hFDHtRs+x+rbV1+/0V1+/mQskIlIGEuIBVHmQhb6z7RlwGcXRqb:hvx+rTx1QIlIhuA5mQs9liX2

    Score
    3/10
    execution
    behavioral15behavioral16

    • Target

      RoseBETA2/dist/client/index.html

    • Size

      642B

    • MD5

      dc0297e1499d6be4efc3d519623623d9

    • SHA1

      3babddcfc55a2e33f4f21bedd8d15097fe26e8dd

    • SHA256

      4988e09362697dd88b69e9185f884145ac1b939c1e883855dad7b80479465c17

    • SHA512

      7dbcdcf74a4569b2d188b5ffca867db82acaddabf3c7ba184c62250cbcc375475f31a89607d799021be918dfdf76b5b7a215a87e1a7a157a433f1b8c21f5f61b

    Score
    1/10
    behavioral17behavioral18

    • Target

      RoseBETA2/dist/shared/Rose-luau.exe

    • Size

      3.4MB

    • MD5

      ea9177735cde86b5acbd149795c2c28d

    • SHA1

      83eeb9a45fdedb0ba08bf18854a0cb7a33e8cfaf

    • SHA256

      3e435ffccc94d3bc915476654179430585517fa94b16fdf040b7de96ac30fdd8

    • SHA512

      5227dcef88a72837d60faa73505c6700b7e07416eb4d178cbfb8f60564860ed897127a9ae20e1980ce9f2782dd467d977cc76c40e4aa7161f3defe95899379c7

    • SSDEEP

      49152:IIo5oIIIpXiWyNNNNNO6kcWrVB1tcerNq+RWCifk8S3L9BO+uSUOXY9Z17N29UvB:+wQiUREezI9gfT

    Score
    1/10
    behavioral19behavioral20

    • Target

      RoseBETA2/dist/shared/bin/Rose-luau.exe

    • Size

      3.4MB

    • MD5

      12fd29fcaf6f6518b8bf9e976928fa38

    • SHA1

      1f9352e217518eaceefdd041e3f085ffbb93acb0

    • SHA256

      d38d6297b4653f30397b7f45964ed99a70c8ab73d60063f68d3380c309e626a4

    • SHA512

      b0c5bfb87639585564915f284ecff5af7e6664097ea3d9df6908c08ce09f9f6c31912225620bb7f7cf818efd6a7146280ce37e10ca7fb55bd381b95bb8a2189b

    • SSDEEP

      49152:EIo5oIIIVWVNNNNNPpXqyJh0jtX6YNimufCiZ8ylLyfMAXyDiw1P6bNi/xeLZQpV:2hugpuTcdyPs+GJH/

    Score
    1/10
    behavioral21behavioral22

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

3
T1059

JavaScript

1
T1059.007

PowerShell

2
T1059.001

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Modify Registry

2
T1112

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Process Discovery

1
T1057

Query Registry

5
T1012

System Information Discovery

7
T1082

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks