General

  • Target

    SolaraTool.scr

  • Size

    705KB

  • Sample

    241012-zkep7avcpk

  • MD5

    eb4ebc917c666de8de736b7086ca3362

  • SHA1

    eabc64c7ea4e246bc195780997e6afccee00f66a

  • SHA256

    4b2a5bd64311a852d668dd8252cb0ec8abae94a3d76abb8f1fe8ab5f0cd7589e

  • SHA512

    554865c9e6c39010bea3f126e2c3f119b19850b0341a82eb7fefd93d89df3382a6b4d53997aea7aa59654243779c775ec6c586be96ca238fe1a61cc731661cfe

  • SSDEEP

    12288:xyveQB/fTHIGaPkKEYzURNAwbAgB2X+t4BUJ/5s1aMk7QngJpryKypkkM:xuDXTIGaPhEYzUzA0/0BUB13cg7m5pkp

Malware Config

Extracted

Family

xworm

C2

business-hungary.gl.at.ply.gg:55790

Attributes
  • Install_directory

    %Temp%

  • install_file

    WindowTempUpdate.exe
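
The three config values above are the most durable indicators in this report: the C2 host and port, and the drop location of the installed copy. The script below turns them into a host-path indicator and a network indicator and matches both against process-creation and outbound-connection events. It is an added example, not part of the sandbox report; only `C2`, `INSTALL_DIRECTORY` and `INSTALL_FILE` come from the page, while the `%Temp%` expansion, the `Event` record format and the sample events are constructed.

```python
"""Convert the extracted XWorm config into host and network indicators and match
them against process-creation and network events.

Added example, not part of the sandbox report. The event records and the
%Temp% expansion below are constructed; only C2, INSTALL_DIRECTORY and
INSTALL_FILE come from the report's Malware Config section."""
import re
from dataclasses import dataclass

C2 = "business-hungary.gl.at.ply.gg:55790"   # from the report
INSTALL_DIRECTORY = "%Temp%"                    # from the report
INSTALL_FILE = "WindowTempUpdate.exe"           # from the report

# Assumption: a per-user temp directory on the infected host.
ASSUMED_ENV = {"TEMP": r"C:\Users\victim\AppData\Local\Temp"}


def parse_c2(c2: str) -> tuple:
    """Split 'host:port' into (lowercase host, int port); raise on anything else."""
    host, sep, port = c2.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"unexpected C2 format: {c2!r}")
    return host.lower(), int(port)


def expand_install_path(directory: str, filename: str, env: dict) -> str:
    """Expand %VAR% tokens case-insensitively (as cmd.exe does) and append the file name."""
    env_ci = {k.lower(): v for k, v in env.items()}

    def sub(m):
        # Leave unknown %VAR% tokens untouched rather than guessing.
        return env_ci.get(m.group(1).lower(), m.group(0))

    expanded = re.sub(r"%([^%]+)%", sub, directory)
    return expanded.rstrip("\\") + "\\" + filename


@dataclass
class Event:
    kind: str        # "process" (image launched) or "network" (outbound connection)
    image: str       # full path of the process image
    dest: str = ""   # "host:port" for network events


def match_events(events, c2: str, install_path: str) -> list:
    """Return (indicator_name, event) pairs for events matching the config-derived IOCs."""
    c2_host, c2_port = parse_c2(c2)
    hits = []
    for ev in events:
        if ev.kind == "process" and ev.image.lower() == install_path.lower():
            hits.append(("install_file_executed", ev))
        elif ev.kind == "network" and ev.dest:
            host, port = parse_c2(ev.dest)
            if (host, port) == (c2_host, c2_port):
                hits.append(("c2_connection", ev))
    return hits


# Constructed events mirroring the report's behaviour: the .scr drops and runs the
# install file from %Temp%, which then connects to the C2. The last event is benign.
SAMPLE_EVENTS = [
    Event("process", r"C:\Users\victim\Downloads\SolaraTool.scr"),
    Event("process", r"C:\Users\victim\AppData\Local\Temp\WindowTempUpdate.exe"),
    Event("network", r"C:\Users\victim\AppData\Local\Temp\WindowTempUpdate.exe",
          "Business-Hungary.gl.at.ply.gg:55790"),
    Event("network", r"C:\Program Files\Updater\updater.exe", "updates.example.com:443"),
]


def run_example() -> list:
    """Match the constructed events and return the indicator names that fired, in order."""
    install_path = expand_install_path(INSTALL_DIRECTORY, INSTALL_FILE, ASSUMED_ENV)
    return [name for name, _ in match_events(SAMPLE_EVENTS, C2, install_path)]


if __name__ == "__main__":
    path = expand_install_path(INSTALL_DIRECTORY, INSTALL_FILE, ASSUMED_ENV)
    for name, ev in match_events(SAMPLE_EVENTS, C2, path):
        print(f"{name}: {ev}")
```

Two practical notes. Host names are compared case-insensitively because DNS is case-insensitive and logs are not consistent about it. And the C2 is a `*.at.ply.gg` name, i.e. a tunnelling-service endpoint rather than attacker-owned infrastructure, so the IP it resolves to is not a stable indicator; hunt on the hostname and port in DNS and proxy logs instead of on an address.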

Targets

    • Target

      SolaraTool.scr

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check so the payload does not run on machines in particular regions.

    • Executes dropped EXE

    • Loads dropped DLL

    • Blocklisted process makes network request

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
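
Three of the signatures above (location lookup, drive enumeration, external-IP lookup) describe behaviour that can be re-checked from any sandbox or EDR event stream, independent of this sample's hashes. The script below implements those checks over a constructed event log. It is an added example, not the sandbox's own signature logic; the registry values in `LOCATION_VALUES` and the hosts in `IP_LOOKUP_HOSTS` are assumptions, since the report says only that a country code is read from the registry and that a legitimate IP lookup service is used.

```python
"""Behavioural checks mirroring three of the report's signatures (location lookup,
drive enumeration, external-IP lookup), evaluated over a constructed sandbox event log.

Added example, not the sandbox's own signature logic. The registry values and
IP-lookup hosts below are assumptions: the report says only that a country code
is read from the registry and that a legitimate IP lookup service is used."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Event:
    op: str       # "RegQueryValue", "CreateFile" or "HttpRequest"
    target: str   # registry value path, file path or URL
    process: str = "WindowTempUpdate.exe"


# Assumption: where Windows keeps the user's country/region and the system locale.
LOCATION_VALUES = {
    r"hkcu\control panel\international\geo\nation",
    r"hkcu\control panel\international\geo\name",
    r"hklm\system\currentcontrolset\control\nls\language\default",
}

# Assumption: legitimate services commonly queried by malware for the public IP.
IP_LOOKUP_HOSTS = {"api.ipify.org", "icanhazip.com", "ip-api.com", "ipinfo.io",
                   "checkip.amazonaws.com"}

# A bare drive root such as "D:\" (the letter is checked separately).
DRIVE_ROOT = re.compile(r"([A-Za-z]):\\?")


def checks_location(events) -> bool:
    """True if any registry read targets one of the location/locale values."""
    return any(ev.op == "RegQueryValue" and ev.target.lower() in LOCATION_VALUES
               for ev in events)


def enumerates_drives(events) -> list:
    """Drive letters other than C whose root path was opened, in first-seen order."""
    seen = []
    for ev in events:
        m = DRIVE_ROOT.fullmatch(ev.target) if ev.op == "CreateFile" else None
        letter = m.group(1).upper() if m else None
        if letter and letter != "C" and letter not in seen:
            seen.append(letter)
    return seen


def external_ip_lookup(events) -> list:
    """Hostnames of known IP-lookup services contacted over HTTP(S), in first-seen order."""
    hosts = []
    for ev in events:
        if ev.op != "HttpRequest":
            continue
        host = (urlsplit(ev.target).hostname or "").lower()
        if host in IP_LOOKUP_HOSTS and host not in hosts:
            hosts.append(host)
    return hosts


def run_signatures(events) -> dict:
    """Evaluate all three checks and report which fired."""
    return {
        "checks_location": checks_location(events),
        "enumerates_drives": bool(enumerates_drives(events)),
        "external_ip_lookup": bool(external_ip_lookup(events)),
    }


# Constructed event log in the order the behaviour would appear after installation.
SAMPLE_EVENTS = [
    Event("RegQueryValue", r"HKCU\Control Panel\International\Geo\Nation"),
    Event("CreateFile", "C:\\"),          # the default drive: not counted
    Event("CreateFile", "D:\\"),
    Event("CreateFile", "E:\\"),
    Event("CreateFile", r"C:\Users\victim\AppData\Local\Temp\WindowTempUpdate.exe"),
    Event("HttpRequest", "https://api.ipify.org/"),
]

if __name__ == "__main__":
    print(run_signatures(SAMPLE_EVENTS))
```

Each check on its own is weak evidence (many legitimate installers read the locale key or enumerate drives); the value comes from their co-occurrence in one process shortly after it is written to `%Temp%`, which is the combination the sandbox signatures above describe.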
