General

  • Target

    SolaraBETA3.rar

  • Size

    52.8MB

  • Sample

    240522-t7ytpahe2w

  • MD5

    89db6d8f13e3132810d1ed02735aaa8a

  • SHA1

    e469f02df6a07510f53064c0a6cb6e0a1c417eb0

  • SHA256

    953a78c09d4aa7bec811695ab607ae82f3f304273fc53202192a97083cb606b5

  • SHA512

    0803659473a9fc3dd2ff02aee29320dc8836ee62c35eba153073466c2b6788c59772b333a603e5cc258cc32c8b03a9c6ff226d50c44833c3ad0ad6c2912b9e06

  • SSDEEP

    786432:F7ktIBgNiBMhrko1t8LNWTeMRDbSkxnweIVa8SpV3rNV+PnpYBh8Ab8E9bmVvP6/:J2hHwWTeeSkxnwzg8cNqngV5qX6/3J1b

Malware Config

Extracted

  • Family

    xworm

  • Attributes

    • Install_directory

      %AppData%

    • install_file

      XClient.exe

    • pastebin_url

      https://pastebin.com/raw/cXrVe9uw

    • telegram

      https://api.telegram.org/bot6979293307:AAEOPp5yyNk59nmm3T6LeHhjYWWOLjWSYdU/sendMessage?chat_id=1370207735

Targets

    • Target

      SolaraBETA3/Monaco/vs/language/css/cssworker.js

    • Size

      489KB

    • MD5

      152244e2ab4f663141e9466a8282ebe8

    • SHA1

      e9c0e86fbc108600d3e42a6654c5de073607ddce

    • SHA256

      288bb68a2c685957b5dc3e5353b1a03dc482b10858059063b99c1549d5fef01c

    • SHA512

      112039647883a1cdb6a860ce1d2980562222b593508da1ea8c9838b7184e76f72de9eb68d2727ce12c78e3c0be7e85101591df6ebde1e73dcf8c2495c8454855

    • SSDEEP

      6144:PhKjqIze+tAxt+A7zOM1L0G52ppgGDcoFGPL2gXwiOcFt+oiEipHxJKnVZPUsf:IqkA7zO/pUIPsf

    • Score

      3/10

    • Target

      SolaraBETA3/Monaco/vs/language/html/htmlmode.js

    • Size

      18KB

    • MD5

      c944ad9527d22b6ca6c0d54fd0723296

    • SHA1

      ddfb323ded66de709fa8b05abe0ada931ac9dd43

    • SHA256

      80d6f099563af129b4deff66f7b9d4dfb27ad0058dcb5b77d927e460022dafee

    • SHA512

      3a6abb3a15401d28e4926ac008f991b7a19b359c8420d7e5bb6804061b6f82a2bedfb86823862e1ccfbc046e896cb1a5759199f7e723fd7b1b5e6aeb19f92f58

    • SSDEEP

      192:hA6ZF2Cw7DrFcelxzEKfxmflhyLpYvws8edvt9vKVwZVtDFzp6RMSyotuK1sD5Sv:hJw7DTfAlhCpvedmw+MS+KOD5Sc7Pzo

    • Score

      3/10

    • Target

      SolaraBETA3/Monaco/vs/language/html/htmlworker.js

    • Size

      154KB

    • MD5

      3f5802a91a29e4504d5cd2f10ac280b8

    • SHA1

      368d01e59eaf25f164ab1d80b7f5d74b625b242d

    • SHA256

      e80444d8fa519ff86e5c696a40843bc8392b2d3afb83118a2dd92da5497c9212

    • SHA512

      2f3670227710c291e5e9136b2cac5c70421c2537b86219fe17ed33161136a08f5cb2069822b16a58ce377b6d1a265cf33215a1695bda5a701bae566410ce33e7

    • SSDEEP

      3072:wNxSv2ym9FNq9m8iktJFu/TgHdcyDnLEOhUm3xSvp:wNxSv2ym9FNimBmFu/TgHdcgnLEOhUmE

    • Score

      3/10

    • Target

      SolaraBETA3/Monaco/vs/language/json/jsonmode.js

    • Size

      38KB

    • MD5

      44955b6c43b7aac58492233efeeb70ad

    • SHA1

      528b1f0d8ebce7a607c008aa66a1d0ecd903d3d3

    • SHA256

      08af59e449f6c058514bf05c54511ee6ec83934ab9dc3e803257196b2812e8ae

    • SHA512

      5a86921260ae9f87eb134513809231c9b512200cd2f330df37a098124db0da8c8bcef5dc668875e21328ce9a6c79440811dbbc3371147690c71d31b97745666e

    • SSDEEP

      768:ghT0rpM0GwBsUWdD5Sw7NibC2FyGf5Zot3OYoHAymtVoQvafg+HfNc75eEWAdy0h:gyM0GwBeD5jhiA3B7VjIQfdy0h

    • Score

      3/10

    • Target

      SolaraBETA3/Monaco/vs/language/json/jsonworker.js

    • Size

      99KB

    • MD5

      61e9b732bedc39b547804ac7e8897aab

    • SHA1

      187cba5fbd9c31257119dde24a28573b4973ef5c

    • SHA256

      7c6d37bb341cf59335f6a3e5e336d0de863124fa40a8f9b5f29d8da07891b649

    • SHA512

      200e32143bbcda809b0003298aa561ebb27509d309168de81ad8529476ab64caee0502b9fe0b513469c21b82edb421b642183a250d2ba4d65c74ba4c1cbe39dc

    • SSDEEP

      1536:rIAGGhzNFVAg0Edqq6L05i4Xw9dA+IKFt:cRyzNFV5jXOA+IKT

    • Score

      3/10

    • Target

      SolaraBETA3/Monaco/vs/language/typescript/lib/typescriptservices.js

    • Size

      1.6MB

    • MD5

      0a1a293455f5451ba11e07386ea62d4f

    • SHA1

      d6a43c68812a3dcddc2973db3f2dd8a6b0e45f1e

    • SHA256

      90e98063c644749a948edd5a7801f7b00c554e3189fe7c2811926b01eaf1b41f

    • SHA512

      1674e2ad75c53f99475743618ec59d90ce8eb262131c15daead963ecb847cb70278a6d4608c66710c3cd5e92e03b5552a05401b6b008184dbf892683b27ca34a

    • SSDEEP

      49152:G6qR6wZ7g2oZNDR3Oy4mtYsT2ACKRRrcLHd5:W61/4mTy

    • Score

      3/10

    • Target

      SolaraBETA3/Monaco/vs/language/typescript/tsmode.js

    • Size

      19KB

    • MD5

      8c1a82479c380d2b2c6b096e12ee9632

    • SHA1

      78e429dd4a9279267679423ddb0b6d06c11172ac

    • SHA256

      70957c5ede2834adf1b5bc264e119f82b4e8e6c169fc8ff140d637d1c5287bd9

    • SHA512

      409c8724ecfa045a7563b5c142ef0a107bffe126140bcbe5202dad59b9ba5ec0db91c74c77d5a60be92110b9d0c942fac61a782ee30a4288774f547f303e1c4a

    • SSDEEP

      384:hgFzm27hrrEZAmdHpjHenNvaOm/6xS1oTEXx3KjFRMqxRh2l3eBVq1A8WKm3d5vp:2FyHhzHenNvaF6xCoSx3KjFqqxL21eBp

    • Score

      3/10

    • Target

      SolaraBETA3/Monaco/vs/language/typescript/tsworker.js

    • Size

      1.7MB

    • MD5

      1e0047691c3637ad1e0da62023ba0e0d

    • SHA1

      64902c923c2194e007bc727f7ea4f30b3a796dab

    • SHA256

      2ccc6b6b1b5d884fe8df3e7b2f2bacca0c4529b68bbfe3c547fcc74f204cc5d1

    • SHA512

      c1bef7bfd60acfcfb206b9631f8a730b787e94101d519d157d346d8377104d1302c0e9853ba2db944d63f03b181511950b9ea25dd21e41f40b4aeba4bc44c0c8

    • SSDEEP

      24576:pQIJc020hIvUjQQ0s2oI4Q0s2oI4QIJc020hIvUjQQ0s2oI4Q0s2oIq:Qo3MfgfHo3Mfgfq

    • Score

      3/10

    • Target

      SolaraBETA3/Monaco/vs/loader.js

    • Size

      27KB

    • MD5

      8a3086f6c6298f986bda09080dd003b1

    • SHA1

      8c7d41c586bfa015fb5cc50a2fdc547711b57c3c

    • SHA256

      0512d9ed3e5bb3daef94aa5c16a6c3e2ee26ffed9de00d1434ffe46a027b16b9

    • SHA512

      9e586742f4e19938132e41145deec584a7b8c7e111b3c6e9254f8d11db632ebe4d66898458ed7bcfc0614d06e20eb33d5a6a8eb8b32d91110557255cf1dbf017

    • SSDEEP

      768:3J6C/c2x0cAu57XQxJRDRi+R/TvrCv3zM2GRl0VEj:Z6grH7qTXRvmDI

    • Score

      3/10

    • Target

      SolaraBETA3/Newtonsoft.Json.dll

    • Size

      695KB

    • MD5

      195ffb7167db3219b217c4fd439eedd6

    • SHA1

      1e76e6099570ede620b76ed47cf8d03a936d49f8

    • SHA256

      e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

    • SHA512

      56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

    • SSDEEP

      12288:GBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUO:GBjk38WuBcAbwoA/BkjSHXP36RMG/

    • Score

      1/10

    • Target

      SolaraBETA3/WebView2Loader.dll

    • Size

      133KB

    • MD5

      a0bd0d1a66e7c7f1d97aedecdafb933f

    • SHA1

      dd109ac34beb8289030e4ec0a026297b793f64a3

    • SHA256

      79d7e45f8631e8d2541d01bfb5a49a3a090be72b3d465389a2d684680fee2e36

    • SHA512

      2a50ae5c7234a44b29f82ebc2e3cfed37bf69294eb00b2dc8905c61259975b2f3a059c67aeab862f002752454d195f7191d9b82b056f6ef22d6e1b0bb3673d50

    • SSDEEP

      3072:e5i6Uab3sFhPk6vEmG1PU6dLXm2ng3esQDqEt2JljdTu:e5P2e6vERtUyTmHEtmI

    • Score

      1/10

    • Target

      SolaraBETA3/Wpf.Ui.dll

    • Size

      5.2MB

    • MD5

      aead90ab96e2853f59be27c4ec1e4853

    • SHA1

      43cdedde26488d3209e17efff9a51e1f944eb35f

    • SHA256

      46cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed

    • SHA512

      f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d

    • SSDEEP

      98304:Com1p/B6MvSmaRI+VcDNkq4pmvhAHDfyyrhl:W1HZNkq4p

    • Score

      1/10

    • Target

      SolaraBETA3/XcHvYYrNa.dll

    • Size

      5.2MB

    • MD5

      85b0dcb64053e35280477d88e1e05505

    • SHA1

      70ebc4da4ac422bb47c1c49114d935d01848436b

    • SHA256

      0c11716983653fef7d0f403c31429d9730c3c182eecc2e518ab98b4de6dd6730

    • SHA512

      2f79e49f093fd0aaef79cbda75924ddec34a8172182a5cb7ddcde5227897f46e9e55dccf310779918afd1144f2af9a003d58939b5e631ecda147c81b95ad4d64

    • SSDEEP

      98304:Hjq4IKpMF9j28xRr3gylwOjA3iquS4+RUk2o9/C/omTI:Dq7sMTj2w0yGyGKzmC/om

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      SolaraBETA3/XcHvYYrNa.exe

    • Size

      35.7MB

    • MD5

      17a5b2e38e52ba783232e01686477307

    • SHA1

      19905670b94997dfbcbccdd3437e3595119d9538

    • SHA256

      f58b4cb63d8d082dd1c6061c4f87f292d194fb7a19c55f6df5ee781431dce31a

    • SHA512

      e7417c40188807f7b5a2facb6bf10813ec7450a82be9b0d47795e519083e484eb5cf045fa1e7b169695b1f56aefd078294969351d83a38e70a099395e93a6951

    • SSDEEP

      786432:/QUiPmbQYUS3jKoNpSaDlLlrfrvacgl8x8MQkEweK:/vs1UuDapLlrmcgCxzP

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      SolaraBETA3/XcHvYYrNa.exe.WebView2/EBWebView/Subresource Filter/Unindexed Rules/10.34.0.52/adblock_snippet.js

    • Size

      2KB

    • MD5

      4dfa3a341bfcdadb42f25a9a4bfdf152

    • SHA1

      94cf328db1e1c355f2e008ac5408d1d929582863

    • SHA256

      a12f977a31624efa0d30eaf0a4e613fc1924e7494411fb8584530016b6cae1c0

    • SHA512

      5273b146edba6a1465f2360b9be46771f575c43c6240c822cab0ddb475e980d048a8f5f9c87312ce425122d70f7c8f6d6c7b700774746fe9c155c344547c9d67

    • Score

      3/10

    • Target

      SolaraBETA3/api-ms-win-crt-convert-l1-1-0.dll

    • Size

      24KB

    • MD5

      0485c463cd8d2ae1cbd42df6f0591246

    • SHA1

      ea634140905078e8f687a031ae919cff23c27e6f

    • SHA256

      983f4d4c7b7330e7f5f091080c1e81905575ebccd97e11dff8a064979ec8d9b8

    • SHA512

      ddf947a1b86c3826859570a3e1d59e4ec4564cfcf25c84841383a4b5f5ad6c2fe618078416aed201fb744d5fbd6c39dab7c1e964dd5e148da018a825fcc0044a

    • SSDEEP

      384:WruyxWfhWMLm0GfeQ1MgKlx+YY30Jl0huSwp+M:PlRhg8Ihep+M

    • Score

      1/10

    • Target

      SolaraBETA3/api-ms-win-crt-filesystem-l1-1-0.dll

    • Size

      22KB

    • MD5

      1193f810519fbc07beb3ffbad3247fc4

    • SHA1

      db099628a19b2d34e89028c2e16bc89df28ed78f

    • SHA256

      ab2158fe6b354fb429f57f374ca25105b44e97edcbdc1b752650d895dadd6fd1

    • SHA512

      3222a10c3be5098aca0211015efe75cfbcd408fd28315acedd016d8f77513f81e207536b072001525965635da39c4aae8ef9f6ad367f5d695de67b1614179353

    • SSDEEP

      384:W3q6nWm5CpWfhWNLm0Gf3Jl0huSwJ+Ruh91MgKlx+YV:l6nWm5Ce4RVheJUUwg8V

    • Score

      1/10

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                              ID         Count
  Execution             Command and Scripting Interpreter      T1059      11
                          PowerShell                           T1059.001  1
                          JavaScript                           T1059.007  10
                        Scheduled Task/Job                     T1053      1
  Persistence           Boot or Logon Autostart Execution      T1547      1
                          Registry Run Keys / Startup Folder   T1547.001  1
                        Scheduled Task/Job                     T1053      1
  Privilege Escalation  Boot or Logon Autostart Execution      T1547      1
                          Registry Run Keys / Startup Folder   T1547.001  1
                        Scheduled Task/Job                     T1053      1
  Defense Evasion       Virtualization/Sandbox Evasion         T1497      2
                        Modify Registry                        T1112      1
  Discovery             Query Registry                         T1012      7
                        Virtualization/Sandbox Evasion         T1497      2
                        System Information Discovery           T1082      7
  Command and Control   Web Service                            T1102      1

Tasks

  Task          Tags                                                             Score
  static1       themida                                                          7/10
  behavioral1   execution                                                        3/10
  behavioral2   execution                                                        3/10
  behavioral3   execution                                                        3/10
  behavioral4   execution                                                        3/10
  behavioral5   execution                                                        3/10
  behavioral6   execution                                                        3/10
  behavioral7   execution                                                        3/10
  behavioral8   execution                                                        3/10
  behavioral9   execution                                                        3/10
  behavioral10  execution                                                        3/10
  behavioral11  execution                                                        3/10
  behavioral12  execution                                                        3/10
  behavioral13  execution                                                        3/10
  behavioral14  execution                                                        3/10
  behavioral15  execution                                                        3/10
  behavioral16  execution                                                        3/10
  behavioral17  execution                                                        3/10
  behavioral18  execution                                                        3/10
  behavioral19                                                                   1/10
  behavioral20                                                                   1/10
  behavioral21                                                                   1/10
  behavioral22                                                                   1/10
  behavioral23                                                                   1/10
  behavioral24                                                                   1/10
  behavioral25  evasion, themida, trojan                                         9/10
  behavioral26  evasion, themida, trojan                                         9/10
  behavioral27  xworm, evasion, execution, persistence, rat, themida, trojan     10/10
  behavioral28  xworm, evasion, execution, persistence, rat, themida, trojan     10/10
  behavioral29  execution                                                        3/10
  behavioral30  execution                                                        3/10
  behavioral31                                                                   1/10
  behavioral32                                                                   1/10