General
-
Target
SolaraBootstrapper.rar
-
Size
2.5MB
-
Sample
240629-1tcgvs1anj
-
MD5
3917140ba46745b8a852fc8c48718a78
-
SHA1
97000a0f43db8aaccd780feb9f9ec444dbb7ff94
-
SHA256
cc4f04bb11e1e2ea13d0c1d7d6961dffa798fb480879252f147393ae3496d202
-
SHA512
5395b5b0cc573dba93b525db6d8630ab8eb21ac786d5850d89417608878c4be2fb1395dca66f5169a7ca26bca4cfbf26c75ed2dfb99e00b97ede211e88b9eb7d
-
SSDEEP
49152:+DkoW+7VTfW3zxmowokKsca1oLOgi3ZI13FwhvkhO2fEK3QeFwzt5h5Hn3YigNR:+DHWi+VMokKscGOOgeiheGOuFMh93YLn
Behavioral task
behavioral1
Sample
SolaraBootstrapper.rar
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
SolaraBootstrapper.rar
Resource
win10v2004-20240611-en
Behavioral task
behavioral3
Sample
SolaraBootstrapper.exe
Resource
win7-20240220-en
Malware Config
Extracted
xworm
3.1
feature-mouse.gl.at.ply.gg:32683
VQh28vrCo2a4H2gG
-
Install_directory
%Temp%
-
install_file
USB.exe
Targets
-
-
Target
SolaraBootstrapper.rar
-
Size
2.5MB
-
MD5
3917140ba46745b8a852fc8c48718a78
-
SHA1
97000a0f43db8aaccd780feb9f9ec444dbb7ff94
-
SHA256
cc4f04bb11e1e2ea13d0c1d7d6961dffa798fb480879252f147393ae3496d202
-
SHA512
5395b5b0cc573dba93b525db6d8630ab8eb21ac786d5850d89417608878c4be2fb1395dca66f5169a7ca26bca4cfbf26c75ed2dfb99e00b97ede211e88b9eb7d
-
SSDEEP
49152:+DkoW+7VTfW3zxmowokKsca1oLOgi3ZI13FwhvkhO2fEK3QeFwzt5h5Hn3YigNR:+DHWi+VMokKscGOOgeiheGOuFMh93YLn
Score3/10 -
-
-
Target
SolaraBootstrapper.exe
-
Size
2.5MB
-
MD5
b438aa2ccb3380494ca147d34d3fba56
-
SHA1
fdbc721bf15236cc981a95ffda53feba6a7033ca
-
SHA256
8f26519cc724675fe6112c07b20ff129543125822d2f320f7648775b8ba4781f
-
SHA512
39b3974af9558feb0712b91b40dd2de75a785a6b02fd4c1ab2839ae3c9c352e23a4a84efbb4d48d16b30f8fd6275341fdeca59938f018070721141e8c7db1af8
-
SSDEEP
49152:fnZqHAl+vgnacJLGSeZs+OmboDdYQ4GGc5QM47XVF:fZq34nayLGSeTjg2c5Qv
-
Detect Xworm Payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-