Solarigate IoCs

a guest
Dec 13th, 2020

Based on global telemetry, we have seen seven malicious DLLs related to this incident so far. The following list is non-exhaustive, as the situation develops:

Sha256: 32519685c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
Sha1: 76640508b1e7759e548771a5359eaed353bfleec
File Size: 1011032 bytes
File Version: 2019.4.5200.9083
Date first seen: March 2020

Sha256: dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b
Sha1: 1acf3108bf1e376c8848fbb25dc87424f2c2a39c
File Size: 1028072 bytes
File Version: 2020.2.100.12219
Date first seen: March 2020

Sha256: eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed
Sha1: e257236206e99f5a5c62035c9c59c57206728b28
File Size: 1026024 bytes
File Version: 2020.2.100.11831
Date first seen: March 2020

Sha256: c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77
Sha1: bcb5a4dcbc60d26a5f619518f2cfcl b4bb4e4387
File Size: 1026024 bytes
File Version: not available
Date first seen: March 2020

Sha256: ad1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c
Sha1: 6fdd82b7ca1c1f0ec67c05b36d14c9517065353b
File Size: 1029096 bytes
File Version: 2020.4.100.478
Date first seen: April 2020

Sha256: 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
Sha1: 2f1a5a7411d015d01aaee4535835400191645023
File Size: 1028072 bytes
File Version: 2020.2.5200.12394
Date first seen: April 2020

Sha256: ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0bOaa8211fe858d6
Sha1: d130bd75645c2433f88ac03e73395fba172ef676
File Size: 1028072 bytes
File Version: 2020.2.5300.12432
Date first seen: May 2020

Moreover, aside from the malicious DLLs listed above, Microsoft researchers have observed code anomalies in two files since October 2019, when a class was added to the SolarWinds DLL. Note, however, that these two do not have active malicious code or methods:

Sha256: a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc
Sha1: 5e643654179e8b4cfe1d3c1906a90a4c8d611cea
File Size: 934232 bytes
File Version: 2019.4.5200.8890
Date first seen: October 2019

Sha256: d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af
Sha1: ebe711516d0f5cd8126f4d53e375c90b7b95e8f2
File Size: 940304 bytes
File Version: 2019.4.5200.8890
Date first seen: October 2019

The attackers have compromised signed libraries that used the target companies' own digital certificates, attempting to evade application control technologies. Microsoft has already removed these certificates from its trusted list. The certificate details with the signer hash are shown below:

"Signer": "Solarwinds Worldwide, LLC",
"SignerHash": "47d92d49e6f7f296260dalaf355f941eb25360c4"

The DLL then loads from the installation folder of the SolarWinds application. Afterwards, the main implant installs as a Windows service and as a DLL file in the following paths, using folders with different names:
• installation folder, for example, <drive letter>:\Program Files (x86)\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll
• the .NET Assembly cache folder (when compiled), C:\Windows\System32\config\systemprofile\AppData\Local\assembly\tmp\<random-named folder>\SolarWinds.Orion.Core.BusinessLayer.dll

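As an added example (not part of the original paste and not Microsoft's tooling), the script below parses IoC records in the "Key: value" layout used above, refuses to load any Sha256 that is not 64 hex characters (the entry whose Sha256 begins ce77d116 contains a transcription error, "bO", and would otherwise sit in a blocklist and never match anything), and then hashes every copy of SolarWinds.Orion.Core.BusinessLayer.dll found under the roots you pass in, such as the two load paths listed above. The sample text is a constructed excerpt of the records on this page and the function names are my own.

```python
import hashlib
import os
import re

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed excerpt of the records above (Sha256 and File Version only): two malicious
# entries, the second with the 'bO' typo exactly as shown on this page, then one anomalous entry.
MALICIOUS_TEXT = """Sha256: ad1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c
File Version: 2020.4.100.478

Sha256: ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0bOaa8211fe858d6
File Version: 2020.2.5300.12432"""
ANOMALOUS_TEXT = """Sha256: a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc
File Version: 2019.4.5200.8890"""

def parse_records(text):
    """Split blank-line-separated 'Key: value' blocks into dicts with normalised keys."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            rec[re.sub(r"\s+", "", key).lower()] = value.strip(" \t•")  # 'Sha 1:' -> 'sha1'
        records.append(rec)
    return records

def build_index(malicious_text, anomalous_text):
    """Map each well-formed Sha256 to its record plus a verdict; reject mistyped hashes."""
    index, rejected = {}, []
    for verdict, text in (("malicious", malicious_text), ("anomalous", anomalous_text)):
        for rec in parse_records(text):
            sha256 = rec.get("sha256", "").lower()
            if not SHA256_RE.match(sha256):
                rejected.append(rec)  # a transcription error must not become a silent non-match
                continue
            index[sha256] = dict(rec, verdict=verdict)
    return index, rejected

def scan(roots, index, name="solarwinds.orion.core.businesslayer.dll"):
    """Hash every copy of the Orion DLL under roots (e.g. the two load paths above) and look it up."""
    hits = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for fname in (f for f in files if f.lower() == name):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                hits.append((path, digest, index.get(digest, {}).get("verdict", "unknown")))
    return hits
```

Review the rejected list by hand before trusting the index: a rejected record is a hash you still have to source correctly, not one you can ignore.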
While Microsoft researchers observed the attacker's malicious code activating only when running under the SolarWinds.BusinessLayerHost.exe process context for the DLL samples analyzed so far, they have also seen other SolarWinds processes potentially loading the malicious library. The following list is again non-exhaustive, as the situation is still developing at this point. We recommend closely monitoring the history and the network or process activity of these SolarWinds processes, especially activity coming from SolarWinds.BusinessLayerHost.exe:

• ConfigurationWizard.exe
• NetflowDatabaseMaintenance.exe
• NetFlowService.exe
• SolarWinds.Administration.exe
• SolarWinds.BusinessLayerHost.exe
• SolarWinds.Collector.Service.exe
• SolarwindsDiagnostics.exe

twitter.com/kwestin