
General

  • Target: Solara.rar
  • Size: 2.8MB
  • Sample: 250228-pde29szmv7
  • MD5: 230345e6c16b3bbf975ccd0d670d5ce6
  • SHA1: 25d166bda673101f930c286a8411d219b23c3e49
  • SHA256: e25e97d90a82a77d5ec4f5d1a8ab969e1ce71ed9e6d86bffa2736ee1bce9172d
  • SHA512: ac5534f55bc0ad6a467e214c4ea10aa72b0f64cbabbffd08a16575d53ffc4e34c5c735d0047ad36368c04a9620c520cb94ff9849fcc4e6e7720ddf8fc261a44c
  • SSDEEP: 49152:JP33bAa7yKhm08xHODSIVM/3FgtlFnPP+7XXYTTNHA4AqhxakB:d3cxp04wM/3FG/n+7cAYLB

Malware Config

Extracted

  • Family: xworm
  • Version: 5.0
  • C2: child-antibody.gl.at.ply.gg:2228
  • Mutex: pcCY6tDAKghY4tFe
  • Attributes
      install_file: USB.exe
      aes.plain

Targets

    • Target: Solara/BootstrapperNewV3.exe
    • Size: 2.9MB
    • MD5: 3d61fb1e4f66cfc8c03bf0fc3e3d6924
    • SHA1: 9de87331128b9637ec720cf170112c2f07eaf00e
    • SHA256: 6e962533c92cbdb252536f0aae04924b80b21d327b778f708d62f277ceb5515e
    • SHA512: 1ec8ac01cfb835ac70b3d44f690a9c792ac213ed51bca72a44ebb34d3487c68ce5304bc38a5b732fa81405d596e8106379e3e49e05dd57c010918cdb13ffe1fc
    • SSDEEP: 49152:jBTvgHD819pcCFXw0qUdiGaIeAqyd/ICbHF9/llU+86Tp/TD/rFIPghgYexGo:j54HAjpr1w0+xAQCbTt869rD/rF7e4o

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Command and Scripting Interpreter: PowerShell

      Runs a powershell.exe command.

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandbox environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, a commercial Windows software protection system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

      The C2 above is a *.ply.gg hostname, i.e. a playit.gg tunnel; the operator can remap it without registering a new domain, so alert on the tunnel domain as well as on the exact host:port.

    • Network Share Discovery

      Attempts to gather information on the host network.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      NtSetInformationThread with the ThreadHideFromDebugger class detaches the calling thread from an attached debugger (anti-debugging).
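Pulling the extracted config and the behavioural signatures above into one detection pass over endpoint telemetry, as an added example that is not tria.ge's code: the hashes, C2, mutex and install_file are the report's values; the event schema, the registry paths assumed behind each behavioural signature (HKLM\HARDWARE\ACPI, HKLM\HARDWARE\DESCRIPTION\System\BIOS, HKCU\Control Panel\International\Geo, EnableLUA) and the sample events are constructed assumptions, not sandbox output.

```python
"""Hunt for this report's indicators and behaviours in endpoint telemetry.

Added example, not tria.ge code.  The event schema, the registry paths
behind each behavioural signature and the sample events are assumptions
constructed for the example; the hashes, C2, mutex and install_file are
the values from the report above.
"""

# Indicators taken from the report.
IOC_HASHES = {
    "230345e6c16b3bbf975ccd0d670d5ce6": "Solara.rar (MD5)",
    "e25e97d90a82a77d5ec4f5d1a8ab969e1ce71ed9e6d86bffa2736ee1bce9172d": "Solara.rar (SHA256)",
    "3d61fb1e4f66cfc8c03bf0fc3e3d6924": "BootstrapperNewV3.exe (MD5)",
    "6e962533c92cbdb252536f0aae04924b80b21d327b778f708d62f277ceb5515e": "BootstrapperNewV3.exe (SHA256)",
}
C2_HOST, C2_PORT = "child-antibody.gl.at.ply.gg", 2228
TUNNEL_SUFFIX = ".ply.gg"          # playit.gg tunnel domain: the "legitimate hosting service" abused here
MUTEX = "pcCY6tDAKghY4tFe"
INSTALL_FILE = "usb.exe"           # install_file from the extracted config, matched case-insensitively

# Assumed registry locations behind the behavioural signatures (well-known
# anti-VM / anti-sandbox / geofence / UAC lookups); the report names the
# behaviour, not the exact key the sample read.
REG_PREFIXES = {
    r"hklm\hardware\acpi": "ACPI tables (VirtualBox vendor strings)",
    r"hklm\hardware\description\system\bios": "BIOS vendor/version",
    r"hkcu\control panel\international\geo": "country code (geofence)",
    r"hklm\software\microsoft\windows\currentversion\policies\system\enablelua": "UAC enabled?",
}

STRONG = {"known-hash", "c2-exact", "mutex", "install-file"}   # each alone sufficient for a verdict


def evaluate(events):
    """Return (rule, detail) hits for a list of simplified EDR-style events:
       {"type": "process",  "image": ..., "cmdline": ..., "md5"/"sha256": ...}
       {"type": "network",  "dst": ..., "port": ...}
       {"type": "registry", "key": ...}
       {"type": "mutex",    "name": ...}
    """
    hits = []
    for ev in events:
        kind = ev.get("type")
        if kind == "process":
            for algo in ("md5", "sha256"):
                label = IOC_HASHES.get(ev.get(algo, "").lower())
                if label:
                    hits.append(("known-hash", f"{ev['image']} = {label}"))
            if ev["image"].lower().rsplit("\\", 1)[-1] == INSTALL_FILE:
                hits.append(("install-file", ev["image"]))
            if "powershell" in ev.get("cmdline", "").lower():   # weak alone: admins use it too
                hits.append(("powershell-exec", ev["cmdline"]))
        elif kind == "network":
            dst = ev["dst"].lower()
            if dst == C2_HOST and ev["port"] == C2_PORT:
                hits.append(("c2-exact", f"{ev['dst']}:{ev['port']}"))
            elif dst.endswith(TUNNEL_SUFFIX):   # same tunnel service, different subdomain/port
                hits.append(("c2-tunnel-domain", f"{ev['dst']}:{ev['port']}"))
        elif kind == "registry":
            key = ev["key"].lower()
            for prefix, label in REG_PREFIXES.items():
                if key.startswith(prefix):
                    hits.append(("registry-recon", label))
        elif kind == "mutex" and ev["name"] == MUTEX:
            hits.append(("mutex", ev["name"]))
    return hits


def verdict(hits):
    """One strong indicator is enough; otherwise two distinct weak behaviours
    (e.g. ACPI plus BIOS lookups) are worth an analyst's time."""
    if any(rule in STRONG for rule, _ in hits):
        return "malicious"
    weak = {detail for rule, detail in hits if rule not in STRONG}
    return "suspicious" if len(weak) >= 2 else "clean"


# Constructed telemetry approximating the chain described in the report;
# the paths and the PowerShell arguments are placeholders, not sandbox output.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\u\Downloads\Solara\BootstrapperNewV3.exe", "cmdline": "",
     "sha256": "6e962533c92cbdb252536f0aae04924b80b21d327b778f708d62f277ceb5515e"},
    {"type": "registry", "key": r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"},
    {"type": "registry", "key": r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"},
    {"type": "registry", "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe <arguments not recorded in the report>"},
    {"type": "process", "image": r"C:\Users\u\AppData\Roaming\USB.exe", "cmdline": "USB.exe"},
    {"type": "mutex", "name": "pcCY6tDAKghY4tFe"},
    {"type": "network", "dst": "child-antibody.gl.at.ply.gg", "port": 2228},
    {"type": "process", "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},  # benign noise
]

if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for rule, detail in found:
        print(f"{rule:18} {detail}")
    print("verdict:", verdict(found))
```

The split into strong and weak rules matters in practice: the registry lookups and the PowerShell launch are shared with plenty of legitimate software, so on their own they only justify triage, while the hash, the exact C2 endpoint, the mutex and the install_file name are specific to this sample and its XWorm build.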
