General

  • Target

    SolaraBootstrapper.exe

  • Size

    56KB

  • Sample

    240719-g73fnazfjf

  • MD5

    531ab3880581aa1715864b4f101dbeb8

  • SHA1

    126fe92bb2d367f816d14d8748b7de2e54cce4d3

  • SHA256

    b599c347056fe4bfa9bf3138e6e35fa0d29a2525ee1fa226f0b7dd5c1b90362e

  • SHA512

    98a78e6ddb012b222840a3f2843427e210303280505894b332d0543ea894f66728f9980e9b04872fbf63e00c86d77d78f85477a55d715af499c20ad914988f2e

  • SSDEEP

    1536:yEwY717Orc6qIDaXvKXPRFXeoWpCZewuHMCC99W:l1arckOvKX5ptiC0C9Q

Malware Config

Extracted

Family

xworm

C2

necessary-threatened.gl.at.ply.gg:15323

Attributes

  • Install_directory

    %ProgramData%

  • install_file

    dllhost.exe

Targets

    • DcRat

      DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Detect Xworm Payload

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
