General
-
Target
Solara-V3-main.zip
-
Size
3.5MB
-
Sample
240701-qhbq3sxark
-
MD5
cbb966d428f27742abbaa1dc9e7d5aac
-
SHA1
20cdd8e83e5c10875d17d8e27f7077829bc77da3
-
SHA256
63042e292b76378f8a720291e41eaba13d464b9b65eac9974b5d05e35e7f4ffb
-
SHA512
b2d799cda1eb2ab71010e788100e823d01e78ca2c1fc513b2c39c3984e2cbcaaeed365aea7bdc83e4cb0b6b171f2145ce300ba076cda6a16533bd4f548a99357
-
SSDEEP
98304:IGYuoyRq/g6A+QzqTTxvYxAXCCd13hp/ior3jdByxji5yd:HoyQ/pA+QGPxPXRrxBexd
Static task
static1
Behavioral task
behavioral1
Sample
Solara-V3-main/SolaraBootstrapper.exe
Resource
win7-20240419-en
Malware Config
Extracted
xworm
3.1
feature-mouse.gl.at.ply.gg:32683
OpwzxvxwPVDjc2iN
-
Install_directory
%Temp%
-
install_file
USB.exe
Targets
-
-
Target
Solara-V3-main/SolaraBootstrapper.exe
-
Size
3.5MB
-
MD5
8b8cc7e00f4ae98288bf4b244a6ae4b3
-
SHA1
deed0704178afef55c873a5d124788a771d8548e
-
SHA256
357ff8ff865f8a198e64f081072a8a815139b8e5014d1488671de1b43ac65d0c
-
SHA512
d1c0a018646ea8b43c5200809432898d8cb2e65d5dc46fc1753ea63a11fd49303a92308060291e11fefd42eb4cba0edbba4d990db30b436fde81604466eaa9ff
-
SSDEEP
98304:RUYIGafAzeIA+aFMJrjhOfKBCe1xTdZHYApZx5hQX9wdc:6GaozTA+ayxjdBxjRLS5
-
Detect Xworm Payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1