General

Target: Solara.exe
Size: 44KB
Sample: 250307-xyx3ksvr19
MD5: 2d77b2cc88d69fbae3a3b7d5f89e1de2
SHA1: 09cf5e15b06a5b962247b45807594808a66e38c8
SHA256: 2208d8cec15b9f5cb0d2633a9fa0761120a6432927b1401c0683df982f00205a
SHA512: f890a7a0c009a2edab6c134b51e813a97697193c3a4c47de3f8a4eb2c635444cf178f0f36b7343db79d54dd95d449bbec63957e83c40b83af2d75168f6863aac
SSDEEP: 768:qNTRmetisWt2tKdouL3ZE9R9yFRPG9XZVkw6OOChDsGO6Mi1:qNTketz8npE92Fw9Xvkw6OOCdVO9i1
Behavioral task: behavioral1
Sample: Solara.exe
Resource: win10v2004-20250217-en
Malware Config

Extracted
Family: xworm
Version: 5.0
Value (field label not preserved on the page): AXTHi4CYiQFk7lUs
Install_directory: %AppData%
install_file: svchost.exe
pastebin_url: https://pastebin.com/raw/FgmKAhUD

Two points a responder should take from this config. The install name mimics the Windows service host, but the legitimate svchost.exe lives only under %SystemRoot%\System32 (and SysWOW64); a copy in %AppData% is itself an indicator. The pastebin_url acts as a dead-drop resolver: the C2 address is fetched from that paste at run time rather than embedded in the binary, which is why the extracted config lists no static C2 host and why the paste contents, not the sample, determine where the implant connects.
Targets

Target: Solara.exe
Size: 44KB
MD5, SHA1, SHA256, SHA512, SSDEEP: identical to the values listed under General above.
Score: 10/10

- Detect Xworm Payload
- Xworm family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
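The configuration and signatures above (an install file named svchost.exe under %AppData%, a Run key pointing at it, PowerShell adding Defender exclusions, pastebin.com used as a dead drop) translate directly into host detection logic. The following Python is an added example written for this page, not sandbox output or code from the sample or from XWorm; it runs over constructed Sysmon-style records (event IDs 1, 11, 13 and 22 for process create, file create, registry value set and DNS query), and the dictionary layout, the field names and the C:\Users\alice\... paths are all assumptions made for the illustration.

```python
import re

# Indicators taken from the report above: install_file svchost.exe,
# Install_directory %AppData%, C2 resolved through a pastebin.com paste.
INSTALL_FILE = "svchost.exe"
DEAD_DROP_HOST = "pastebin.com"

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
APPDATA_RE = re.compile(r"\\AppData\\Roaming\\", re.I)
# Add-/Set-MpPreference with any exclusion parameter: the Defender tampering
# the "Command and Scripting Interpreter: PowerShell" signature describes.
MP_EXCLUSION_RE = re.compile(
    r"\b(Add|Set)-MpPreference\b[^\n]*?-Exclusion(Path|Process|Extension)\b", re.I)
SYSTEM_DIRS_RE = re.compile(r"^[A-Za-z]:\\Windows\\(System32|SysWOW64)\\", re.I)


def _fake_svchost(path):
    """True for a file named svchost.exe that is not under System32/SysWOW64."""
    if not path or not path.lower().endswith("\\" + INSTALL_FILE):
        return False
    return SYSTEM_DIRS_RE.match(path) is None


def analyze(events):
    """Return (rule, record_id) pairs for records matching the report's behaviour."""
    findings = []
    for ev in events:
        rid, eid = ev["id"], ev["event_id"]
        if eid == 13 and RUN_KEY_RE.search(ev.get("target", "")) \
                and APPDATA_RE.search(ev.get("details", "")):
            findings.append(("run_key_points_to_appdata", rid))
        if eid == 1 and MP_EXCLUSION_RE.search(ev.get("command_line", "")):
            findings.append(("defender_exclusion_added", rid))
        if eid == 11 and _fake_svchost(ev.get("target", "")):
            findings.append(("svchost_dropped_outside_system32", rid))
        if eid in (1, 22) and _fake_svchost(ev.get("image", "")):
            findings.append(("svchost_running_outside_system32", rid))
        if eid == 22 and ev.get("query", "").lower() == DEAD_DROP_HOST \
                and APPDATA_RE.search(ev.get("image", "")):
            findings.append(("pastebin_lookup_from_appdata_binary", rid))
    return findings


# Constructed records for the illustration (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "event_id": 11, "image": r"C:\Users\alice\Downloads\Solara.exe",
     "target": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"id": 2, "event_id": 13, "image": r"C:\Users\alice\Downloads\Solara.exe",
     "target": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
     "details": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"id": 3, "event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell -Command Add-MpPreference -ExclusionPath "
                     r"'C:\Users\alice\AppData\Roaming\svchost.exe'"},
    {"id": 4, "event_id": 1, "image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "command_line": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"id": 5, "event_id": 22, "image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "query": "pastebin.com"},
    # Benign controls: the real service host and a browser visiting pastebin.
    {"id": 6, "event_id": 1, "image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"id": 7, "event_id": 22, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "query": "pastebin.com"},
]

if __name__ == "__main__":
    for rule, rid in analyze(SAMPLE_EVENTS):
        print(f"record {rid}: {rule}")
```

The command-line rule only catches plain-text Add-MpPreference invocations; an encoded or obfuscated PowerShell command slips past it, so the more robust source for the Defender change is the Defender operational log itself (event ID 5007, configuration changed). The svchost.exe path check is the cheapest and least evadable of the rules, since the legitimate binary is only ever loaded from the system directories.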
MITRE ATT&CK Enterprise v15

Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)