General
-
Target
Solara.exe
-
Size
439KB
-
Sample
240902-1j37tsxgmm
-
MD5
bbc212bd99b3cdbdf9ebea621b2ec078
-
SHA1
31b3bd37ea5c37ee034ed92c3643fef177b130e5
-
SHA256
def6f4ec76d2069322983c6eca95a313cb9a8d2456447dae67db7cb1dfe3acdd
-
SHA512
286e2dbe13d9e3732406bda3d55a1a673deb1c8f81669d8d8dc1d2bc5e30f2e8dbd13fc59bef3d13417afc1427243c51223d754422b2efd45b20600987c11737
-
SSDEEP
1536:Y52g9057DKXIvjKqx+bSIijoJLU6Bv0JVOfCTPnlp4Z9l:42V8q+bSIjv07Oq734ZP
Malware Config
Extracted
xworm
127.0.0.1:13970
accessories-retrieve.gl.at.ply.gg:13970
-
Install_directory
%AppData%
-
install_file
Loader.exe
Targets
-
-
Target
Solara.exe
-
Size
439KB
-
MD5
bbc212bd99b3cdbdf9ebea621b2ec078
-
SHA1
31b3bd37ea5c37ee034ed92c3643fef177b130e5
-
SHA256
def6f4ec76d2069322983c6eca95a313cb9a8d2456447dae67db7cb1dfe3acdd
-
SHA512
286e2dbe13d9e3732406bda3d55a1a673deb1c8f81669d8d8dc1d2bc5e30f2e8dbd13fc59bef3d13417afc1427243c51223d754422b2efd45b20600987c11737
-
SSDEEP
1536:Y52g9057DKXIvjKqx+bSIijoJLU6Bv0JVOfCTPnlp4Z9l:42V8q+bSIjv07Oq734ZP
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1