xworm | SolaraBootstrapper[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

SolaraBootstrapper.exe
Size

75KB
MD5

87e2e203db08fc338151d86e4025e173
SHA1

d77adbaad0557ccb4f0ea5373644f90f14ac0a36
SHA256

958fe1725fcd3e30b68935279059a60ed19894fe1a076795760a92a529c15b59
SHA512

659f199d60ff97dd1bd16ed8c4ea9e33ad53b3deb19de0af22dc43aafbb880a075b789a6c8ea7f1479ca8eea6251411199b9b02032c37c4dd2a0fffc05c34d05
SSDEEP

1536:7rIeyEmKZ4NAVHOlKQN00NmbMUVoc96C1zfOfjnKPPrJRN:7rIlIiNAFc0VbMstOjUD3N

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
Microsoft Corporation.exe
pastebin_url
https://pastebin.com/raw/4yPKcYq7

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
sample	family_xworm

Xworm family
xworm

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
SolaraBootstrapper.exe

Files

SolaraBootstrapper.exe
.exe .ps1 windows:4 windows x86 arch:x86 polyglot

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 72KB - Virtual size: 72KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ