sunburst | DarkHalo[.]zip

Sharing

Copy URL

Twitter E-mail

General

Target

DarkHalo.zip
Size

253.2MB
MD5

b663a67d0ad56dd74bf241c8ff019ea3
SHA1

5f0c2f900b2b6384a3bcdfd52a8d7456c7cc61f3
SHA256

f9cf0fafb332a52c2d95e3d18ad6b0f3d7836166fb105cb38970bec2bddd1daa
SHA512

12e5a89ddc2894643c08f0991034518104da96ba3e80f4f0b74e1be0d5ebdbaa07c95f5c1cee8cd7a2e8ab7554969db661272559ffd43aba862ed9e0e32d88db

Score

10^/10

backdoor dropper sunburst teardrop supernova

Malware Config

Signatures

Detected SUNBURST backdoor 3 IoCs

SUNBURST is a backdoor for the SolarWinds Orion platform with extensive capabilities.

backdoor

Processes:

resource	yara_rule
static1/unpack001/SUNBURST/APT_Backdoor_SUNBURST/019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134	family_sunburst
static1/unpack001/SUNBURST/APT_Backdoor_SUNBURST/32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77	family_sunburst
static1/unpack001/SUNBURST/APT_Backdoor_SUNBURST/ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6	family_sunburst

Detected SUPERNOVA .NET web shell 1 IoCs

SUPERNOVA is a .NET web shell backdoor masquerading as a legitimate SolarWinds web service handler. SUPERNOVA inspects and reponds to HTTP requests with the appropriate HTTP query strings, Cookies, and/or HTML form values (e.g. named codes, class, method, and args).

backdoor

Processes:

resource	yara_rule
static1/unpack001/SUNBURST/APT_Webshell_SUPERNOVA/c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71	family_supernova

Detected TEARDROP fileless dropper 4 IoCs

TEARDROP is a memory-only dropper which can read files/registry keys, decode an embedded payload, and load it directly into memory.

dropper backdoor

Processes:

resource	yara_rule
static1/unpack001/SUNBURST/APT_Dropper_Win64_TEARDROP/6e4050c6a2d2e5e49606d96dd2922da480f2e0c70082cc7e54449a7dc0d20f8d	family_teardrop
static1/unpack001/SUNBURST/FalsePositives/0201b92d3d877df4de0d109ce6f3d647cfde3ab9d881f8cddc10d4bb8e5f21ad	family_teardrop
static1/unpack001/SUNBURST/FalsePositives/191a0fc897f798860c541f0e3fcd496f5d586f54c967d6e21621d974ebdd9de5	family_teardrop
static1/unpack001/SUNBURST/FalsePositives/e8593c908f6ac1656d5261073be7df756b5dd5dd428742c090e2c0ad983df56d	family_teardrop

Sunburst family
sunburst
Supernova family
supernova
Teardrop family
teardrop

JavaScript code in executable 3 IoCs

Processes:

resource	yara_rule
static1/unpack001/SUNBURST/FalsePositives/e8593c908f6ac1656d5261073be7df756b5dd5dd428742c090e2c0ad983df56d	js
static1/unpack001/SUNBURST/FireEyeTools/a022820a62198fa3e3b89749b38db1cc3a09136524682fb99a3ce36652725065	js
static1/unpack001/SUNBURST/NcmInstaller.msi	js

Files

DarkHalo.zip
.zip

Password: infected
SUNBURST/APT_Backdoor_SUNBURST/019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
.dll windows x86
SUNBURST/APT_Backdoor_SUNBURST/32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
.dll windows x86
SUNBURST/APT_Backdoor_SUNBURST/a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc
.dll windows x86
SUNBURST/APT_Backdoor_SUNBURST/ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
.dll windows x86
SUNBURST/APT_Backdoor_SUNBURST/d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af
.dll windows x86
SUNBURST/APT_Dropper_Win64_TEARDROP/6e4050c6a2d2e5e49606d96dd2922da480f2e0c70082cc7e54449a7dc0d20f8d
.dll windows x64
SUNBURST/APT_Webshell_SUPERNOVA/c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71
.dll windows x86
SUNBURST/FalsePositives/0201b92d3d877df4de0d109ce6f3d647cfde3ab9d881f8cddc10d4bb8e5f21ad
.dll windows x86

Exports

Exports

attach
audioon
audioonwindow
backward
capture
clearblurarea
configureDVR
detach
detachwindow
detectdevice
dupvideo
fastforward
finddevice
freedvrdata
getchannelinfo
getclipdayinfo
getcliptimeinfo
getcurrenttime
geteventtimelist
getlocation
getlockfiletimeinfo
getplayerinfo
initsmartserver
oneframeforward
opendevice
openfile
openharddrive
openremote
pause
play
player_close
player_deinit
player_init
polldevice
recvdvrdata
savedvrfile
scanharddrive
seek
senddvrdata
setblurarea
setuserpassword
setvideokey
slowforward
stop
SUNBURST/FalsePositives/191a0fc897f798860c541f0e3fcd496f5d586f54c967d6e21621d974ebdd9de5
.dll windows x86

Exports

Exports

attach
audioon
audioonwindow
backward
capture
clearblurarea
configureDVR
detach
detachwindow
detectdevice
dupvideo
fastforward
finddevice
freedvrdata
getchannelinfo
getclipdayinfo
getcliptimeinfo
getcurrenttime
geteventtimelist
getlocation
getlockfiletimeinfo
getplayerinfo
initsmartserver
oneframeforward
opendevice
openfile
openharddrive
openremote
pause
play
player_close
player_deinit
player_init
polldevice
recvdvrdata
savedvrfile
scanharddrive
seek
senddvrdata
setblurarea
setuserpassword
setvideokey
slowforward
stop
SUNBURST/FalsePositives/e8593c908f6ac1656d5261073be7df756b5dd5dd428742c090e2c0ad983df56d
.exe windows x86
SUNBURST/FireEyeTools/0340043481091d92dcfb2c498aad3c0afca2fd208ef896f65af790cc147f8891
.exe windows x86
SUNBURST/FireEyeTools/078403b4e89ff06d2fe2ed7e75428a381f83ffb708dbd01b0220767498947f0c
.dll windows x86 regsvr32

Exports

Exports

DllGetClassObject
DllMain
DllRegisterServer
DllUnregisterServer
StartW
SUNBURST/FireEyeTools/1cf5710e500a423b84b51fa3afdd923fe0a8255c5817d3238175623e2ebbfad9
.dll windows x64

Exports

Exports

CPlApplet
DllUnregisterServer
SUNBURST/FireEyeTools/82cce26c60a5105e6caf5ac92eabb3dedcd883cd075f2056f27b0ec58aefaaa6
.exe windows x64
SUNBURST/FireEyeTools/a022820a62198fa3e3b89749b38db1cc3a09136524682fb99a3ce36652725065
.exe windows x86
SUNBURST/FireEyeTools/b6ef03aec5d10e371f0b06c661036d838ef55fa7dc75cf91fca3622bdefa8140
.exe windows x86
SUNBURST/FireEyeTools/c0621954bd329b5cabe45e92b31053627c27fa40853beb2cce2734fa677ffd93
.exe windows x86
SUNBURST/FireEyeTools/efb533249f71ea6ebfb6418bb67c94e8fbd5f2a26cbd82ef8ec1d30c0c90c6c1
.dll windows x64

Exports

Exports

HcB3
SUNBURST/NcmInstaller.msi
.msi
SUNBURST/SolarWinds-Core-v2019.4.5220-Hotfix5.msp

Sharing

General

Malware Config

Signatures

Files

Password: infected

Exports

Exports

Exports

Exports

Exports

Exports

Exports

Exports

Exports

Exports