1 Votes

Solar Winds Orion for Emergency Directive 21-01 (SolarWinds.Orion.Core.BusinessLayer.dll)
Log In or Register to download the BES file, and more.


Relevance

 
  * Results in a "string"/number
Show indented relevance
exists find folders "SolarWinds" whose (exists file "Orion\SolarWinds.Orion.Core.BusinessLayer.dll" whose (sha256 of it is contained by set of("019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134"; "32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77"; "a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc"; "ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c"; "c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77"; "ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6"; "d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af"; "dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b"; "eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed") OR md5 of it = "b91ce2fa41029f6955bff20079468448") of it) of ((folders ("Program Files (x86)";"Program Files") of it; it) of folders (names of drives whose (type of it = "DRIVE_FIXED")))

Property Details

ID3023026
Status
TitleSolar Winds Orion for Emergency Directive 21-01 (SolarWinds.Orion.Core.BusinessLayer.dll)
KeywordsSolar Winds Orion ED21-01 SolarWinds.Orion.Core.BusinessLayer.dll DHS Sunburst
DescriptionUpdated to add other SHA256 values based on https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/ Updated to add more SHA256 values - Removed Hashes not for this DLL. Scans a subset of folders on Fixed drives for Orion\SolarWinds.Orion.Core.BusinessLayer.dll for a specific set of sha1, sha256, md5. see https://cyber.dhs.gov/ed/21-01/ Assumes one of these folders are most likely x:\Program Files\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll x:\Program Files (x86)\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll x:\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll
Added by
Last Modified by on 12/16/2020 7:47:30 AM
Counters 24 Downloads
User Rating 1 star 2 star 3 star 4 star 5 star * Average over 0 ratings. ** Log In or Register to add your rating.

Sharing

Relevance Image Sharing:

<a href='https://bigfix.me/cdb/relevance/3023026'><img src='https://bigfix.me/cdb/relevanceimage/3023026?width=400' border='0'></a>
Social Media:
Share this page on Yammer

Comments

Log In or Register to leave comments!
jeffschafer -
spiff....these look to be related to the solarwinds installers/dlls. See: A number of backdoored installers have been identified, and are still being served from the SolarWinds website. Below is a non-exhaustive list of the installers: Version 2019.4.5220.20161 * https://downloads.solarwinds[.] com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20161/CoreInstaller.msi ( 38385a81664ce562a6777fa4564ae7b93f38f1224e1206550136e2b6b5dbb9dd ) Contains OrionCore.cab/SolarWinds.Orion.Core.BusinessLayer.dll: ( a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc ) * This version is listed as Suspicious by Microsoft (likely due to the presence of SolarWinds.Orion.Core.BusinessLayer.dll) but not confirmed malicious. Version 2020.2.5220.27327 https://downloads.solarwinds[.] com/solarwinds/CatalogResources/Core/2020.2/2020.2.5220.27327/CoreInstaller.msi ( ad2fbf4add71f61173975989d1a18395afb8538ed889012b9d2e21c19e98bbd1 ) Contains OrionCore.cab/SolarWinds.Orion.Core.BusinessLayer.dll ( 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134 ) Version 2020.2.5320.27438 https://downloads.solarwinds[.] com/solarwinds/CatalogResources/Core/2020.2/2020.2.5320.27438/CoreInstaller.msi ( c20fd967d64e9722d840ec4292645b65896d0ee3ebe31090e15c5312d889c89e ) Contains OrionCore.cab/SolarWinds.Orion.Core.BusinessLayer.dll: ( ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6 )
Spiff -
Thanks for the creating the analysis and list of hashes. I crossed reference your hash list with the 1 websites and these ones are not listed in either sites, can you provide the sources for these: 38385a81664ce562a6777fa4564ae7b93f38f1224e1206550136e2b6b5dbb9dd ad2fbf4add71f61173975989d1a18395afb8538ed889012b9d2e21c19e98bbd1 c20fd967d64e9722d840ec4292645b65896d0ee3ebe31090e15c5312d889c89e