General
-
Target
SolaraBootstrapper.exe
-
Size
13KB
-
Sample
240629-jc6kyatckg
-
MD5
8be476fb431fcf11156417f410acf978
-
SHA1
55a19def82358ffc006487e1f49be04277e12bd5
-
SHA256
14cf7648123e018dcdfc2aa386135a0510a9f7b12b8bc125ad4e32fd7f16999c
-
SHA512
cf747947ff0bedf87230e0fa08ee534f44f08962a52ae3dd0c0d734d6f4131456a0e2dc1ac230fa6500d5b254a64cae9e01161d1a690e26794c38d66e22cb5ed
-
SSDEEP
192:IUxOQrGVa/nHU0LgJ2jaVb4+LHdrDXy3pifUJ1hHxrWjd:hIQaVafU0LmqaVb4+xPy5ifU1hRyj
Static task
static1
Behavioral task
behavioral1
Sample
SolaraBootstrapper.exe
Resource
win7-20240221-en
Malware Config
Extracted
xworm
anyone-blogging.gl.at.ply.gg:22284
-
Install_directory
%Userprofile%
-
install_file
XClient.exe
Targets
-
-
Target
SolaraBootstrapper.exe
-
Size
13KB
-
MD5
8be476fb431fcf11156417f410acf978
-
SHA1
55a19def82358ffc006487e1f49be04277e12bd5
-
SHA256
14cf7648123e018dcdfc2aa386135a0510a9f7b12b8bc125ad4e32fd7f16999c
-
SHA512
cf747947ff0bedf87230e0fa08ee534f44f08962a52ae3dd0c0d734d6f4131456a0e2dc1ac230fa6500d5b254a64cae9e01161d1a690e26794c38d66e22cb5ed
-
SSDEEP
192:IUxOQrGVa/nHU0LgJ2jaVb4+LHdrDXy3pifUJ1hHxrWjd:hIQaVafU0LmqaVb4+xPy5ifU1hRyj
-
Detect Xworm Payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-