General

  • Target

    SolaraV2ExecutorBootstrapper.rar

  • Size

    39KB

  • Sample

    241030-187xbascrc

  • MD5

    91f98f0f7a8b2f992a59e105c46c22e8

  • SHA1

    94aff1e0a89e3bbfe6b0801fb560db6c3ec79504

  • SHA256

    04fcf73a07b602122139094e3a0d83583e647e72731337cb3901dbf24cc360d1

  • SHA512

    d061708d5f42804e3b26776b242e1e16dc83bae2493945df891af81b807f4241192d70831444c8f75e3381bd574b48c052158f4d94e4a3703b04baeda68f3789

  • SSDEEP

    768:/WwqYM3FCn8Ps/SAoB4wZp/N6qAgLl/+NB0hRSIShv4vPw/sSUunLZ:uwqV3Q8k/YB4wZh9bL1mmfnni7LZ

Malware Config

Extracted

Family

xworm

C2

status-jeremy.gl.at.ply.gg:41791

Attributes

  • Install_directory

    %AppData%

  • install_file

    Console Window Host.exe

Targets

    • Target

      SolaraV2ExecutorBootstrapper.exe

    • Size

      66KB

    • MD5

      886ee4db82d105bd5860b8ea8530e8fd

    • SHA1

      debafc71ab28da7d3572b45ba29cf20f3f7d04c1

    • SHA256

      de8d04f20865e77beff3e2e493bce79317e2696c6120c69a262b91dfb719f9a5

    • SHA512

      f2076caa3cd82c34512c26f4adf6ad12178fcef1490758ba24f0da8b4ef998b46e91e60fdde322e924d0bdc9cfa5206e7b847f8e457869b7f2af2bcf272682c3

    • SSDEEP

      1536:c82ZauFOWnMjv7PwY+bcPw8gVKy/CaI6v4zOpBDZtI:c85Drd+bcPe/fl4zOpBPI

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks