Indicator_Release_Hashes.csv


      
        
          
            SHA256
            SHA1
            MD5
            FILENAME
            Version
            Compile Time
            Signing time
            MIME
            Malware Family
            Role
            Notes 
        
      
      
          
            
              d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600
              1b476f58ca366b54f34d714ffce3fd73cc30db1a
              02af7cec58b9a5da1c542b5a32151ba1
              CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp
              
              
              
              application/vnd.ms-office
              SUNBURST
              Installer
              
          
          
            
              53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7
              47d92d49e6f7f296260da1af355f941eb25360c4
              08e35543d6110ed11fdf558bb093d401
              Solarwinds Worldwide, LLC 
              
              
              
              application/x-x509-server-cert
              Code Signing Certificate
              Legitimate SolarWinds code-signing certificate
              Used to sign samples containing SUNBURST from March 2020 forward 
          
          
            
              32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
              76640508b1e7759e548771a5359eaed353bf1eec
              b91ce2fa41029f6955bff20079468448
              SolarWinds.Orion.Core.BusinessLayer.dll
              2019.4.5200.9083
              2020-03-24 08:52:34
              2020-03-24 08:53:43
              application/x-dosexec
              SUNBURST
              
              
          
          
            
              abe22cf0d78836c3ea072daeaf4c5eeaf9c29b6feb597741651979fc8fbd2417
              b485953ed77caefe81bff0d9b349a33c5cea4cde
              d5aad0d248c237360cf39c054b654d69
              SolarWinds.Orion.Core.BusinessLayer.dll
              2020.2.100.12299
              2020-03-25 19:03:48
              2020-03-25 19:04:53
              application/x-dosexec
              SUNBURST
              
              
          
          
            
              019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
              2f1a5a7411d015d01aaee4535835400191645023
              2c4a910a1299cdae2a4e55988a2f102e
              SolarWinds.Orion.Core.BusinessLayer.dll
              2020.2.5200.12394
              2020-04-21 14:53:33
              2020-04-21 14:54:41
              application/x-dosexec
              SUNBURST
              
              
          
          
            
              ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
              d130bd75645c2433f88ac03e73395fba172ef676
              846e27a652a5e1bfbd0ddd38a16dc865
              SolarWinds.Orion.Core.BusinessLayer.dll
              2020.2.5300.12432
              2020-05-11 21:32:40
              2020-05-11 21:33:50
              application/x-dosexec
              SUNBURST
              
              
          
          
            
              439bcd0a17d53837bc29fb51c0abd9d52a747227f97133f8ad794d9cc0ef191e
              cfc57d48effb5bbd4e0a6f80e6041d9faf7d7ab4
              baa3d3488db90289eb2889c1a2acbcde
              Solarwinds Worldwide, LLC 
              
              
              
              application/x-x509-server-cert
              Code Signing Certificate
              Legitimate SolarWinds code-signing certificate
              Used to sign samples containing class named <OrionImprovementBusinessLayer>, but no malicious SUNBURST code. Suspected to be attacker testing.
          
          
            
              a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc
              5e643654179e8b4cfe1d3c1906a90a4c8d611cea
              e18a6a21eb44e77ca8d739a72209c370
              SolarWinds.Orion.Core.BusinessLayer.dll
              2019.4.5200.8890
              2019-10-10 13:26:39
              2019-10-10 13:28:10
              application/x-dosexec
              Benign
              
              Contains class named <OrionImprovementBusinessLayer>, but no malicious SUNBURST code. Suspected to be attacker testing.
          
          
            
              d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af
              ebe711516d0f5cd8126f4d53e375c90b7b95e8f2
              3e329a4c9030b26ba152fb602a1d5893
              SolarWinds.Orion.Core.BusinessLayer.dll
              2019.4.5200.8890
              2019-10-10 13:26:39
              2019-10-11 08:45:19
              application/x-dosexec
              Benign
              
              Contains class named <OrionImprovementBusinessLayer>, but no malicious SUNBURST code. Suspected to be attacker testing.
          
          
            
              292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712
              c2c30b3a287d82f88753c85cfb11ec9eb1466bad
              4f2eb62fa529c0283b28d05ddd311fae
              OrionImprovementBusinessLayer.2.cs
              
              
              
              text/plain
              SUNBURST
              Decompiled and corrected source code for SUNBURST
              Extracted from 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 
          
          
            
              c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71
              75af292f34789a1c782ea36c7127bf6106f595e8
              56ceb6d0011d87b6e4d7023d7ef85676
              app_web_logoimagehandler.ashx.b6031896.dll
              
              2020-03-24 09:16:10
              
              application/x-dosexec
              SUPERNOVA
              Webshell
              While malicious, SUPERNOVA has not been currently tied to the UNC2452 SolarWinds compromise
SHA256	SHA1	MD5	FILENAME	Version	Compile Time	Signing time	MIME	Malware Family	Role	Notes
d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600	1b476f58ca366b54f34d714ffce3fd73cc30db1a	02af7cec58b9a5da1c542b5a32151ba1	CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp				application/vnd.ms-office	SUNBURST	Installer
53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7	47d92d49e6f7f296260da1af355f941eb25360c4	08e35543d6110ed11fdf558bb093d401	Solarwinds Worldwide, LLC				application/x-x509-server-cert	Code Signing Certificate	Legitimate SolarWinds code-signing certificate	Used to sign samples containing SUNBURST from March 2020 forward
32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77	76640508b1e7759e548771a5359eaed353bf1eec	b91ce2fa41029f6955bff20079468448	SolarWinds.Orion.Core.BusinessLayer.dll	2019.4.5200.9083	2020-03-24 08:52:34	2020-03-24 08:53:43	application/x-dosexec	SUNBURST
abe22cf0d78836c3ea072daeaf4c5eeaf9c29b6feb597741651979fc8fbd2417	b485953ed77caefe81bff0d9b349a33c5cea4cde	d5aad0d248c237360cf39c054b654d69	SolarWinds.Orion.Core.BusinessLayer.dll	2020.2.100.12299	2020-03-25 19:03:48	2020-03-25 19:04:53	application/x-dosexec	SUNBURST
019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134	2f1a5a7411d015d01aaee4535835400191645023	2c4a910a1299cdae2a4e55988a2f102e	SolarWinds.Orion.Core.BusinessLayer.dll	2020.2.5200.12394	2020-04-21 14:53:33	2020-04-21 14:54:41	application/x-dosexec	SUNBURST
ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6	d130bd75645c2433f88ac03e73395fba172ef676	846e27a652a5e1bfbd0ddd38a16dc865	SolarWinds.Orion.Core.BusinessLayer.dll	2020.2.5300.12432	2020-05-11 21:32:40	2020-05-11 21:33:50	application/x-dosexec	SUNBURST
439bcd0a17d53837bc29fb51c0abd9d52a747227f97133f8ad794d9cc0ef191e	cfc57d48effb5bbd4e0a6f80e6041d9faf7d7ab4	baa3d3488db90289eb2889c1a2acbcde	Solarwinds Worldwide, LLC				application/x-x509-server-cert	Code Signing Certificate	Legitimate SolarWinds code-signing certificate	Used to sign samples containing class named <OrionImprovementBusinessLayer>, but no malicious SUNBURST code. Suspected to be attacker testing.
a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc	5e643654179e8b4cfe1d3c1906a90a4c8d611cea	e18a6a21eb44e77ca8d739a72209c370	SolarWinds.Orion.Core.BusinessLayer.dll	2019.4.5200.8890	2019-10-10 13:26:39	2019-10-10 13:28:10	application/x-dosexec	Benign		Contains class named <OrionImprovementBusinessLayer>, but no malicious SUNBURST code. Suspected to be attacker testing.
d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af	ebe711516d0f5cd8126f4d53e375c90b7b95e8f2	3e329a4c9030b26ba152fb602a1d5893	SolarWinds.Orion.Core.BusinessLayer.dll	2019.4.5200.8890	2019-10-10 13:26:39	2019-10-11 08:45:19	application/x-dosexec	Benign		Contains class named <OrionImprovementBusinessLayer>, but no malicious SUNBURST code. Suspected to be attacker testing.
292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712	c2c30b3a287d82f88753c85cfb11ec9eb1466bad	4f2eb62fa529c0283b28d05ddd311fae	OrionImprovementBusinessLayer.2.cs				text/plain	SUNBURST	Decompiled and corrected source code for SUNBURST	Extracted from 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71	75af292f34789a1c782ea36c7127bf6106f595e8	56ceb6d0011d87b6e4d7023d7ef85676	app_web_logoimagehandler.ashx.b6031896.dll		2020-03-24 09:16:10		application/x-dosexec	SUPERNOVA	Webshell	While malicious, SUPERNOVA has not been currently tied to the UNC2452 SolarWinds compromise