xworm | 63042e292b76378f8a720291e41eaba13d464b9b65eac9974b5d05e35e7f4ffb | Triage

Submit
Reports

Overview

overview

Static

static

3

Solara-V3-...er.exe

windows7-x64

Solara-V3-...er.exe

windows10-2004-x64

Sharing

General

Target

Solara-V3-main.zip
Size

3.5MB
Sample

240701-qhbq3sxark
MD5

cbb966d428f27742abbaa1dc9e7d5aac
SHA1

20cdd8e83e5c10875d17d8e27f7077829bc77da3
SHA256

63042e292b76378f8a720291e41eaba13d464b9b65eac9974b5d05e35e7f4ffb
SHA512

b2d799cda1eb2ab71010e788100e823d01e78ca2c1fc513b2c39c3984e2cbcaaeed365aea7bdc83e4cb0b6b171f2145ce300ba076cda6a16533bd4f548a99357
SSDEEP

98304:IGYuoyRq/g6A+QzqTTxvYxAXCCd13hp/ior3jdByxji5yd:HoyQ/pA+QGPxPXRrxBexd

Score

10^/10

xworm evasion persistence rat themida trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Solara-V3-main/SolaraBootstrapper.exe

Resource

win7-20240419-en

xworm evasion persistence rat themida trojan

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

Solara-V3-main/SolaraBootstrapper.exe

Resource

win10v2004-20240508-en

xworm evasion persistence rat themida trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

3.1

C2

feature-mouse.gl.at.ply.gg:32683

Mutex

OpwzxvxwPVDjc2iN

Attributes

Install_directory
%Temp%
install_file
USB.exe

aes.plain

Targets

- Target
  
  Solara-V3-main/SolaraBootstrapper.exe
- Size
  
  3.5MB
- MD5
  
  8b8cc7e00f4ae98288bf4b244a6ae4b3
- SHA1
  
  deed0704178afef55c873a5d124788a771d8548e
- SHA256
  
  357ff8ff865f8a198e64f081072a8a815139b8e5014d1488671de1b43ac65d0c
- SHA512
  
  d1c0a018646ea8b43c5200809432898d8cb2e65d5dc46fc1753ea63a11fd49303a92308060291e11fefd42eb4cba0edbba4d990db30b436fde81604466eaa9ff
- SSDEEP
  
  98304:RUYIGafAzeIA+aFMJrjhOfKBCe1xTdZHYApZx5hQX9wdc:6GaozTA+ayxjdBxjRLS5
Score

10^/10

xworm evasion persistence rat themida trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xwormevasionpersistenceratthemidatrojan

behavioral2

xwormevasionpersistenceratthemidatrojan

© 2018-2024

Terms | Privacy