MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ece977efec20274f3da6f621bf59a1ced851eb0d571412d86d9e91af60c31aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 18


Intelligence 18 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4ece977efec20274f3da6f621bf59a1ced851eb0d571412d86d9e91af60c31aa
SHA3-384 hash: 5ff3696eb808d019df3eb32dccd9cbfd2dfb6c427f10a577807471af87a7409fab103fbe55d7af6d5e18cfa4170349e6
SHA1 hash: e43d3d17ba845aa757066c4e23da741fe5191425
MD5 hash: 85ff6500a8273d797edc83147d2e94a1
humanhash: cat-four-autumn-sodium
File name:SolaraExecutor.exe.bin
Download: download sample
Signature XWorm
Create hunting rule
File size:3'733'504 bytes
First seen:2025-03-16 11:49:09 UTC
Last seen:2025-03-16 12:44:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'845 x AgentTesla, 19'778 x Formbook, 12'299 x SnakeKeylogger)
ssdeep 49152:0ds2CjifdJZwEVRrydbZiF5HeaJb7WoN9RlZOVBXmeQUrSw407ibX1Am/CskiKOG:as2CjilJZou5+aJb73BORexyCkiJox
TLSH T19B06127705D40566D16CFE3A70E149FA866089BC83F1BC5CA628EC81EC123E57F7E869
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter KatzenTech
Tags:exe xworm

Intelligence

File Origin
# of uploads :
2
# of downloads :
422
Origin country :
RU RU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SolaraExecutor.exe
Verdict:
Malicious activity
Analysis date:
2025-03-16 01:28:56 UTC
Tags:
github evasion remote xworm autorun-reg autorun-startup ransomware
Link:
https://app.any.run/tasks/9386af5d-e39c-4e8a-82ba-fa687c54908b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67d6d6153962f1a6f471e5a9
Tags:
asyncrat autorun
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Creating a window
Searching for synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Setting a global event handler for the keyboard
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/67d6bac0dab9a7b6c594fc6b/reports/0fc587d8-bfdf-43f3-be81-54200aaa8e1a/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/4ece977efec20274f3da6f621bf59a1ced851eb0d571412d86d9e91af60c31aa
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0bfffcd5-2067-4c08-b923-b53659194a09
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1639870
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates multiple autostart registry keys
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1639870 Sample: SolaraExecutor.exe.bin.exe Startdate: 16/03/2025 Architecture: WINDOWS Score: 100 66 court-accept.gl.at.ply.gg 2->66 68 raw.githubusercontent.com 2->68 70 2 other IPs or domains 2->70 80 Suricata IDS alerts for network traffic 2->80 82 Found malware configuration 2->82 84 Malicious sample detected (through community Yara rule) 2->84 86 12 other signatures 2->86 10 SolaraExecutor.exe.bin.exe 4 2->10         started        14 SolaraSupport.exe 2->14         started        16 svchost.exe 2->16         started        19 3 other processes 2->19 signatures3 process4 dnsIp5 56 C:\Users\user\AppData\...\SolaraExecutor.exe, PE32 10->56 dropped 58 C:\Users\user\...\SolaraExecutor(1).exe, PE32 10->58 dropped 60 C:\Users\...\SolaraExecutor.exe.bin.exe.log, CSV 10->60 dropped 98 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->98 21 SolaraExecutor(1).exe 4 10->21         started        25 SolaraExecutor.exe 15 4 10->25         started        100 Antivirus detection for dropped file 14->100 102 Multi AV Scanner detection for dropped file 14->102 64 127.0.0.1 unknown unknown 16->64 file6 signatures7 process8 dnsIp9 52 C:\Users\user\AppData\...\SolaraSupport.exe, PE32 21->52 dropped 54 C:\Users\user\AppData\...\BootstrapperNew.exe, PE32+ 21->54 dropped 90 Antivirus detection for dropped file 21->90 92 Multi AV Scanner detection for dropped file 21->92 28 SolaraSupport.exe 15 6 21->28         started        33 BootstrapperNew.exe 17 21->33         started        72 court-accept.gl.at.ply.gg 147.185.221.26, 49685, 49692, 49698 SALSGIVERUS United States 25->72 74 ip-api.com 208.95.112.1, 49682, 49684, 80 TUT-ASUS United States 25->74 76 2 other IPs or domains 25->76 94 Creates multiple autostart registry keys 25->94 96 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 25->96 file10 signatures11 process12 dnsIp13 78 193.161.193.99, 21764, 49701, 49702 BITREE-ASRU Russian Federation 28->78 62 C:\ProgramData\SolaraSupport.exe, PE32 28->62 dropped 104 Antivirus detection for dropped file 28->104 106 Multi AV Scanner detection for dropped file 28->106 108 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 28->108 110 4 other signatures 28->110 35 powershell.exe 28->35         started        38 powershell.exe 28->38         started        40 powershell.exe 28->40         started        42 powershell.exe 28->42         started        file14 signatures15 process16 signatures17 88 Loading BitLocker PowerShell Module 35->88 44 conhost.exe 35->44         started        46 conhost.exe 38->46         started        48 conhost.exe 40->48         started        50 conhost.exe 42->50         started        process18
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4ece977efec20274f3da6f621bf59a1ced851eb0d571412d86d9e91af60c31aa
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4ece977efec20274f3da6f621bf59a1ced851eb0d571412d86d9e91af60c31aa/
Threat name:
Win32.Exploit.Xworm
Create hunting rule
Status:
Malicious
First seen:
2025-03-16 01:28:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
27 of 36 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j3hjo7x6yibhj462n5rbx5m2dtwykhvq2vyuclmg3hurv5qmggva._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
error
XWorm
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm rat trojan
Link:
https://tria.ge/reports/250316-ny42fszxfz/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
193.161.193.99:21764
Verdict:
Malicious
Tags:
external_ip_lookup
YARA:
n/a
Link:
https://app.threat.zone/submission/c621d039-8303-41f2-a8e4-f96d4417958f
Unpacked files
SH256 hash:
4ece977efec20274f3da6f621bf59a1ced851eb0d571412d86d9e91af60c31aa
MD5 hash:
85ff6500a8273d797edc83147d2e94a1
SHA1 hash:
e43d3d17ba845aa757066c4e23da741fe5191425
Link:
https://www.unpac.me/results/57d64b08-4ed1-41f8-a4a7-f53a9d74a298/
SH256 hash:
268de01c962d64cadea37ad785b0aed9d9c3a06685050dc5820d8a116aef8d97
MD5 hash:
3ad827994f795448d2ee4b1c3f9c6293
SHA1 hash:
2926c1a33e9eeff776e184610333afb4375b5564
Detections:
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
Link:
https://www.unpac.me/results/57d64b08-4ed1-41f8-a4a7-f53a9d74a298/
SH256 hash:
08da7551995bad095ca9e22ad11264e565a023caf9ef799f298f4c235ec44d26
MD5 hash:
472fe7fe7163333db68640dc7827bc17
SHA1 hash:
35a127ed3c08379dd270761547f209bb56d6b9e8
Detections:
win_xworm_w0
Create hunting rule
XWorm
Create hunting rule
win_xworm_bytestring
Create hunting rule
win_mal_XWorm
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
Link:
https://www.unpac.me/results/57d64b08-4ed1-41f8-a4a7-f53a9d74a298/
Parent samples :
c029d185a694aa636fc5a085a2d1d77fe084a40d8c162740a1ef4868c9ce91eb
4ece977efec20274f3da6f621bf59a1ced851eb0d571412d86d9e91af60c31aa
08da7551995bad095ca9e22ad11264e565a023caf9ef799f298f4c235ec44d26
2e92d49510ae3e2be370ef41079b314a8fcc936fe0cd220c7d88ed5895943af4
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4ece977efec2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4ece977efec20274f3da6f621bf59a1ced851eb0d571412d86d9e91af60c31aa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments