General
Target: SolaraLauncher.exe
Size: 260KB
Sample: 240918-1evd5avcjl
MD5: ac3903005056433da36fafc44fa89888
SHA1: 21ee3fdfbecc401c987054b65f1f186067aa26e8
SHA256: a0e45f967f2d4e41f7501b02b7792b8b69e5726b491595d17fb58fea18caa5f1
SHA512: caf46189157197f8e2440cb361a7dc124bda54569cf2fa00015ad81698d5fe20ba115601c174068456b79508d293a63d52779e0fa2809682a8b787d966034d80
SSDEEP: 6144:djXgCAH7cEnaBaVoWv3ji8Nylh7r+SesepRTcq6tOQgBZQD:djX98cOVoely/uHp2q6s6
Static task: static1
Behavioral task: behavioral1
Sample: SolaraLauncher.exe
Resource: win10v2004-20240802-en
Malware Config
Extracted
Family: xworm
Version: 5.0
C2: 127.0.0.1:13970
C2: accessories-retrieve.gl.at.ply.gg:13970
Mutex: nipMTFYV6XUBvXZW
Install_directory: %AppData%
install_file: Loader.exe
Targets
Target: SolaraLauncher.exe
Size: 260KB
MD5, SHA1, SHA256, SHA512 and SSDEEP: identical to the values listed under General above
Signatures
- Detect Xworm Payload
- Command and Scripting Interpreter: PowerShell. Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings. Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Sets desktop wallpaper using registry
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)