General

  • Target

    Solara.exe

  • Size

    241KB

  • Sample

    240624-jwfhvssblh

  • MD5

    5551324bfc3838900ae449d1ffdfbde3

  • SHA1

    6aa58fc95bc7b0c2fcd0e819f21f594edbd91812

  • SHA256

    e1db7050fa7db2444af89ea3f6f5b25042c03af29626d89321b1647f7a3edb70

  • SHA512

    997ce1d544edf972c5627ff76eeb90f6937344912e763b961621be3fa16af995bf40dbd23e87148db32b068b0b37f2fea8ed6cdba99dc90a85a31039b94e6a36

  • SSDEEP

    6144:l9xYLd8bIq20AG+FgHUhcX7elbKTua9bfF/H9d9n:/PNrH3X3u+

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    USB.exe

  • pastebin_url

    https://pastebin.com/raw/VcvJgLVt

Targets

    • Target

      Solara.exe

    • Size

      241KB

    • MD5

      5551324bfc3838900ae449d1ffdfbde3

    • SHA1

      6aa58fc95bc7b0c2fcd0e819f21f594edbd91812

    • SHA256

      e1db7050fa7db2444af89ea3f6f5b25042c03af29626d89321b1647f7a3edb70

    • SHA512

      997ce1d544edf972c5627ff76eeb90f6937344912e763b961621be3fa16af995bf40dbd23e87148db32b068b0b37f2fea8ed6cdba99dc90a85a31039b94e6a36

    • SSDEEP

      6144:l9xYLd8bIq20AG+FgHUhcX7elbKTua9bfF/H9d9n:/PNrH3X3u+

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks