Extracted

• • Target

    Solara.exe

  • Size

    45KB

  • MD5

    04f89f83ba27038601e2321b08d0b4ca

  • SHA1

    edecd6d74ac90bbd235334ee17c2cae0ababa51b

  • SHA256

    4d3101ba1ec70ddd04a30b6f04a67817920a6601e477339e5c135c167f6ab1e2

  • SHA512

    04aece7190c9731d3a3528ef4b762eb47db6b50f670201dad4cd98c8bdf389eb1c8671488b550b02b28ae8ae61685ef0929b0a05273f09114b0e45269e4514bf

  • SSDEEP

    768:fvn+LJZ2ny8BcGhsWc3cQHqGbgEbFEP89ObA6BOuh3zjjU:fHABTMmq6FN9UA6BOuFE

  Score

  10^/10

  xwormexecutionpersistencerattrojan

  • Contains code to disable Windows Defender

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2