General

  • Target

    Solara_Updater.exe

  • Size

    1.9MB

  • Sample

    240519-tpx5faef98

  • MD5

    f4cffd7e6cca2b88bba1f19120e9255f

  • SHA1

    28df62794d325206d1f61a400b5c5c682632e371

  • SHA256

    4a10203f9773e4a4f5173a3d1840461bed2b6c206e16b47543bb127a541192bf

  • SHA512

    cb71ef2db087c012744fcac05033cab80947131029ae9bf59b57f85dd2f819e859f105919978a2af4334ac4b8f5b060f5f757b6898cb8fddd720a114b652bfe8

  • SSDEEP

    49152:mH4Y2d/Pz0dB5h1qeU2V0ZBsvH1jBOtGQt/3c5DGqHQX+icSr:mH/QPz0d/pV0AvHLDh5HH4+i

Malware Config

Extracted

Family

xworm

C2

answer-riverside.gl.at.ply.gg:45691

Attributes
  • Install_directory

    %AppData%

  • install_file

    svhost.exe

Extracted

Family

umbral

C2

https://discordapp.com/api/webhooks/1239665745831530598/iJT0OELt4O4igXW_VMu-CUIfcqaawXLhyC4Bruuv1t2x0XOvC0_p9dc-G_RxJMO7fn-V

Targets

    • Target

      Solara_Updater.exe

    • Size

      1.9MB

    • MD5

      f4cffd7e6cca2b88bba1f19120e9255f

    • SHA1

      28df62794d325206d1f61a400b5c5c682632e371

    • SHA256

      4a10203f9773e4a4f5173a3d1840461bed2b6c206e16b47543bb127a541192bf

    • SHA512

      cb71ef2db087c012744fcac05033cab80947131029ae9bf59b57f85dd2f819e859f105919978a2af4334ac4b8f5b060f5f757b6898cb8fddd720a114b652bfe8

    • SSDEEP

      49152:mH4Y2d/Pz0dB5h1qeU2V0ZBsvH1jBOtGQt/3c5DGqHQX+icSr:mH/QPz0d/pV0AvHLDh5HH4+i

    • Detect Umbral payload

    • Detect Xworm Payload

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks