General
-
Target
Solara.exe
-
Size
44KB
-
Sample
250307-ssm8zaspy7
-
MD5
f97f950cb8189fa9277dbb958a2aed50
-
SHA1
cc7f285d445084dece753a6d223750fc0c48bbe8
-
SHA256
57db2008ffe3b1c17ce48ceb0c4c08149a3830c84eefd9148bc96fefd42d69a1
-
SHA512
c3074a2112bb7c82bd6f0c4ec84747915d8bb1a10c41e1dbe8550b6bc569c89eb1d7e1dcd1144ec21cf3370538a569fc303b400c926c94755f0a33dc401fa7e7
-
SSDEEP
768:w26G+HIgGa2tdwJrMblsUUdvFFRPG9+V6OOCh5vmbW3:76hHIgmcJTvFw9+V6OOCbui3
Malware Config
Targets
-
-
Target
Solara.exe
-
Size
44KB
-
MD5
f97f950cb8189fa9277dbb958a2aed50
-
SHA1
cc7f285d445084dece753a6d223750fc0c48bbe8
-
SHA256
57db2008ffe3b1c17ce48ceb0c4c08149a3830c84eefd9148bc96fefd42d69a1
-
SHA512
c3074a2112bb7c82bd6f0c4ec84747915d8bb1a10c41e1dbe8550b6bc569c89eb1d7e1dcd1144ec21cf3370538a569fc303b400c926c94755f0a33dc401fa7e7
-
SSDEEP
768:w26G+HIgGa2tdwJrMblsUUdvFFRPG9+V6OOCh5vmbW3:76hHIgmcJTvFw9+V6OOCbui3
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1