Overview

overview

10

Static

static

10

SolaraBootstapper.exe

windows7-x64

10

SolaraBootstapper.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SolaraB.rar

  • Size

    38KB

  • Sample

    240724-h4nc1axclc

  • MD5

    a7dd1ccb2a508548af327d3a831b1540

  • SHA1

    edae272b29a0fc480db3512f8d698793aa56d84b

  • SHA256

    35ba562b6c3e8b92a791db5a6341150428fea42222f82abf40f120a81b6d7c58

  • SHA512

    bb224f85d0f63e6f31f2bb079be7c82f2c6845fb12097add1bca297fab58ed2bde3424dd67733a477db9008b3396de8e3ab703678820bc3bcf274f549f01b8d2

  • SSDEEP

    768:UooHRJXPXgfSFfSypjNdUoM224xWKr/OWtMiK7eE1nUVBqSYgK00LPfVaaIY:NG9hRcBSQq/OWG7R1+XKXfVJP

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

loss-winners.gl.at.ply.gg:61007

Attributes
  • Install_directory

    %AppData%

  • install_file

    Expensive 3.1.exe

Targets

    • Target

      SolaraBootstapper.exe

    • Size

      65KB

    • MD5

      6e7a02155f6abafcdaf3203ee8407a31

    • SHA1

      6379c4b9d9398d6faf7fc5e40c45fd86d94e9d3b

    • SHA256

      4d827a102b732bf26cb1624030434a9427a9fc44cd0d787f4a8488bd3947a820

    • SHA512

      7ce060561f541fd49a7a9bfe2ae6e0f5f5880447618660577a468e345115f0461e8b5277f009dd15cb9164f3fcbe83656d936b7cd243071495c69570b0329964

    • SSDEEP

      1536:hs9sLzLCyOgNbco4jvLl2p16pg8rOlaHqd:0vgNbc5vLlWn8rOlaKd

    Score
    10/10
    xwormexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks