Resubmissions

Submitted           Analysis ID          Score
07-07-2024 19:51    240707-yk2paazbnc    10
07-07-2024 13:52    240707-q6m41swcle    10

General

  • Target

    SolaraBootstrapper.exe

  • Size

    4.7MB

  • Sample

    240707-q6m41swcle

  • MD5

    8e188560eca9ec36adb33425dd5ded3a

  • SHA1

    8ff3c27b9d50e0eda7a7df3a94ecd701f4632c4d

  • SHA256

    f7f233269f149d89c2178a456e9d858c366d41b525a7655a5c6633bc27914e1f

  • SHA512

    da2d41f5a960b82dd5281932eedbd2df941df1a5a7a5dbbb7a0621bb483a3366932b5b9d4b7d64ce21eb8e8a492338a48ca9ee57781d38c3427e5a31f5a68ee2

  • SSDEEP

    49152:fdKiv3rs1xLqz9kD7XH3iXQ7JY89kWfKn1KO+zW5GbClxAT8b7ZwQI7y:fUfx+zCniXQ71kWfKn1RBNfg7y

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

ships-resistance.gl.at.ply.gg:53758

Mutex

90dce01d-0491-44c9-ba30-2abd7f7ec13a

Attributes
  • encryption_key

    FBC87452408857575CDBB63E221DC85973427C45

  • install_name

    svchost.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Update

  • subdirectory

    SubDir

Extracted

Family

xworm

C2

fl-professor.gl.at.ply.gg:50715

Attributes
  • install_file

    USB.exe
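Hunting checks derived from the two extracted configs above, as an added example: this is not part of the sandbox report and not code from the Quasar or XWorm projects. The ply.gg names are playit.gg tunnel endpoints, so the network check flags that whole suffix as well as the two exact C2 host:port pairs (assumption: the estate has no legitimate playit.gg traffic). The Quasar startup_key is assumed to be the name of the scheduled task or Run value used for persistence, and the install_name/subdirectory pair to land somewhere other than %SystemRoot%\System32. The event field names and the sample telemetry are constructed for the example and follow no particular product's schema:

```python
import ntpath
import re

# Indicators copied from the extracted configs above.
C2_ENDPOINTS = {
    ("ships-resistance.gl.at.ply.gg", 53758): "Quasar C2 (botnet Office04)",
    ("fl-professor.gl.at.ply.gg", 50715): "XWorm C2",
}
TUNNEL_SUFFIX = ".ply.gg"            # playit.gg tunnel domains; assumed to have no legitimate use here
QUASAR_INSTALL_NAME = "svchost.exe"  # quasar install_name
QUASAR_SUBDIR = "subdir"             # quasar subdirectory (compared case-insensitively)
QUASAR_STARTUP_KEY = "update"        # quasar startup_key; assumed to be the task / Run value name
XWORM_INSTALL_FILE = "usb.exe"       # xworm install_file

# The only directories a genuine svchost.exe runs from.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

_TASK_NAME = re.compile(r'/tn\s+"?([^"\s]+)"?', re.IGNORECASE)
_TASK_RUN = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def suspicious_path(path):
    """Return why `path` matches one of the install artefacts, or None."""
    p = ntpath.normpath(path).lower()
    base, parent = ntpath.basename(p), ntpath.dirname(p)
    if base == QUASAR_INSTALL_NAME and parent not in LEGIT_SVCHOST_DIRS:
        reason = "svchost.exe outside System32/SysWOW64"
        if ntpath.basename(parent) == QUASAR_SUBDIR:
            reason += ", under SubDir (quasar install_name + subdirectory)"
        return reason
    if base == XWORM_INSTALL_FILE:
        return "USB.exe (xworm install_file)"
    return None


def check_network(event):
    """Exact C2 host:port pairs first, then anything else on the tunnel suffix."""
    host, port = event.get("dst_host", "").lower(), event.get("dst_port")
    label = C2_ENDPOINTS.get((host, port))
    if label:
        return [f"{host}:{port} is the extracted {label}"]
    if host.endswith(TUNNEL_SUFFIX):
        return [f"{host}:{port} is a playit.gg tunnel endpoint"]
    return []


def check_process(event):
    """Image path against the install artefacts; schtasks command lines against startup_key."""
    image, cmd = event.get("image", ""), event.get("cmdline", "")
    findings = []
    reason = suspicious_path(image)
    if reason:
        findings.append(f"process {image}: {reason}")
    if ntpath.basename(image).lower() == "schtasks.exe" and "/create" in cmd.lower():
        tn, tr = _TASK_NAME.search(cmd), _TASK_RUN.search(cmd)
        name = tn.group(1) if tn else ""
        target = (tr.group(1) or tr.group(2)) if tr else ""
        if name.lower() == QUASAR_STARTUP_KEY or (target and suspicious_path(target)):
            findings.append(f"schtasks /create task '{name}' running {target}")
    return findings


def check_registry(event):
    """Run-key values named like startup_key, or pointing at an install artefact."""
    if not event.get("key", "").lower().endswith(r"\currentversion\run"):
        return []
    name, data = event.get("value_name", ""), event.get("data", "")
    if name.lower() == QUASAR_STARTUP_KEY or suspicious_path(data):
        return [f"Run value '{name}' -> {data}"]
    return []


CHECKS = {"network": check_network, "process": check_process, "registry": check_registry}


def hunt(events):
    """Return (event id, finding) pairs for every event that matches a check."""
    return [(ev["id"], f) for ev in events for f in CHECKS.get(ev.get("type"), lambda e: [])(ev)]


# Constructed telemetry for the example; events 1 and 7 are benign controls that must not fire.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"id": 2, "type": "process", "image": r"C:\Users\bob\AppData\Roaming\SubDir\svchost.exe", "cmdline": "svchost.exe"},
    {"id": 3, "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Update" /sc ONLOGON /tr "C:\Users\bob\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f'},
    {"id": 4, "type": "network", "dst_host": "ships-resistance.gl.at.ply.gg", "dst_port": 53758},
    {"id": 5, "type": "network", "dst_host": "fl-professor.gl.at.ply.gg", "dst_port": 50715},
    {"id": 6, "type": "network", "dst_host": "some-other-name.gl.at.ply.gg", "dst_port": 4444},
    {"id": 7, "type": "network", "dst_host": "www.example.com", "dst_port": 443},
    {"id": 8, "type": "process", "image": r"C:\Users\bob\AppData\Roaming\USB.exe", "cmdline": "USB.exe"},
    {"id": 9, "type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Update", "data": r"C:\Users\bob\AppData\Roaming\SubDir\svchost.exe"},
]

if __name__ == "__main__":
    for event_id, finding in hunt(SAMPLE_EVENTS):
        print(f"event {event_id}: {finding}")
```

The svchost.exe check deliberately fires on any copy outside System32/SysWOW64, not only under SubDir: a second build of the same family with a different subdirectory value should still be caught, and a masquerading svchost.exe is worth looking at on its own.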

Targets

    • Target

      SolaraBootstrapper.exe


    • Detect Xworm Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Reads the country code configured in the registry, most likely to geofence execution.

    • Executes dropped EXE

    • Looks up external IP address via web service

      Queries a legitimate public IP lookup service to learn the infected system's external IP address.

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic                Technique                      ID          Count
Execution             Scheduled Task/Job             T1053       1
                      Scheduled Task                 T1053.005   1
Persistence           Scheduled Task/Job             T1053       1
                      Scheduled Task                 T1053.005   1
Privilege Escalation  Scheduled Task/Job             T1053       1
                      Scheduled Task                 T1053.005   1
Discovery             Query Registry                 T1012       4
                      System Information Discovery   T1082       4

Tasks