General

  • Target

    Sharp CS V1.bat

  • Size

    555B

  • Sample

    240629-qnz1vs1erm

  • MD5

    0d521243334977834c249e26f879d0e5

  • SHA1

    c8a6339e8aff5ac5db00dae42a5f8c577b814421

  • SHA256

    cb8da43f966cd7d743931093a1bf1368ab46628357b957407844c05d7af14e5c

  • SHA512

    32182d1b82b55eeb771e816f3fc60a02adf8c6224407f52f2e92eb6649143e0b8d4901f1167b32f096425937d855111948dc40a7969ed8d4433485cf7628172d

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI0MzQwMDg0MDc3NDE2MDM4NQ.Gnre8o.K_NB2WHxREqF5j5C1y9xsPSpv67TWHFacISXVA

  • server_id

    1256564842899181648

Extracted

Family

xworm

C2

147.185.221.20:5050

192.168.1.11:5050

Attributes
  • Install_directory

    %AppData%

  • install_file

    Client.exe

Targets

    • Target

      Sharp CS V1.bat

    • Size

      555B

    • MD5

      0d521243334977834c249e26f879d0e5

    • SHA1

      c8a6339e8aff5ac5db00dae42a5f8c577b814421

    • SHA256

      cb8da43f966cd7d743931093a1bf1368ab46628357b957407844c05d7af14e5c

    • SHA512

      32182d1b82b55eeb771e816f3fc60a02adf8c6224407f52f2e92eb6649143e0b8d4901f1167b32f096425937d855111948dc40a7969ed8d4433485cf7628172d

    • Detect Xworm Payload

    • Discord RAT

      A RAT written in C# using Discord as a C2.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Hide Artifacts: Hidden Files and Directories

MITRE ATT&CK Matrix (ATT&CK v13; the number after each technique is the count of matching signatures)

Execution

  • Command and Scripting Interpreter (T1059): 1

  • PowerShell (T1059.001): 1

  • Scheduled Task/Job (T1053): 1

  • Scheduled Task (T1053.005): 1

Persistence

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

  • Scheduled Task/Job (T1053): 1

  • Scheduled Task (T1053.005): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

  • Scheduled Task/Job (T1053): 1

  • Scheduled Task (T1053.005): 1

Defense Evasion

  • Modify Registry (T1112): 1

  • Hide Artifacts (T1564): 2

  • Hidden Files and Directories (T1564.001): 2

Discovery

  • System Information Discovery (T1082): 1

  • Query Registry (T1012): 1

Command and Control

  • Web Service (T1102): 1

Tasks