{
	"id": "124eba5f-b115-4f47-ba60-3ecffaac5339",
	"created_at": "2026-04-06T00:15:35.843658Z",
	"updated_at": "2026-04-10T03:22:07.427483Z",
	"deleted_at": null,
	"sha1_hash": "d877218be0d2ebc5955fc318ac3665b85364af8c",
	"title": "SolarWinds Attack: Sunburst's DLL Technical Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 111761,
	"plain_text": "SolarWinds Attack: Sunburst's DLL Technical Analysis\r\nBy Fareed Fauzi\r\nPublished: 2021-01-21 · Archived: 2026-04-05 19:13:03 UTC\r\nPosted by Fareed Fauzi\r\nIntroduction\r\nIn late 2020, a sophisticated SolarWinds attack that hit organizations through the supply chain was disclosed\r\nby various sources. It was carried out via a compromised version of SolarWinds Orion; the backdoor embedded in it is\r\nknown as “Sunburst”. Once the update (which includes the malicious DLL) is installed, the malicious DLL\r\nis imported and loaded by the legitimate SolarWinds.BusinessLayerHost.exe executable. \r\nSunburst is a trojanized version of a digitally signed SolarWinds Orion plugin named\r\nSolarWinds.Orion.Core.BusinessLayer.dll. The malicious DLL contains backdoor code that initiates a\r\nfunction which communicates from the victim’s system via HTTP to the attacker’s command and control\r\nserver [1]. The malicious code gives the attacker full access to the victim: the backdoor retrieves and executes\r\ncommands that instruct it to transfer files, execute code remotely, profile the victim’s system information, and\r\ntake complete control over the affected system.\r\nName: SolarWinds.Orion.Core.BusinessLayer.dll\r\nMD5: b91ce2fa41029f6955bff20079468448\r\nFile type: Dynamic Link Library\r\nThe malicious function code that the attacker patched into the compromised DLL resides\r\nin OrionImprovementBusinessLayer.Initialize, from which all malicious subfunctions are started. The\r\nfunction Initialize is invoked at line 119 by the parent function RefreshInternal, as shown in Figure 1 below. \r\nFigure 1: Invoking of Initialize function\r\nIn the Initialize method in Figure 2 below, we can see that the code checks whether the current process\r\nexecutable is solarwinds.businesslayerhost, where the hash of the current process name is generated by the function\r\nGetHash. 
\r\nFigure 2: Check if the current process is solarwinds.businesslayerhost\r\nhttps://notes.netbytesec.com/2021/01/solarwinds-attack-sunbursts-dll.html\r\nPage 1 of 8\n\nThe code uses the function GetHash to check the hash of the process name. We will see this GetHash function often from here on,\r\nas the attacker uses it to obfuscate the important strings. Diving into the code of GetHash gives us an idea of how\r\nthings work. Looking into the subroutine GetHash, the function uses the Fowler–Noll–Vo hash (FNV-1a) followed by an additional XOR\r\nstep, an algorithm we can refer to on Wikipedia. Figures 3 and 4 below compare the algorithm being used.\r\nFigure 3: GetHash function\r\nFigure 3: Wikipedia's FNV-1a explained\r\nThe next thing that needs to be explained in the Initialize function is at lines 116 to 118 in figure 4 below. At these\r\nlines, the malware waits about two weeks (12 days) before it executes, to avoid detection of suspicious activity.\r\nFigure 4: The malware waits for about 2 weeks to execute\r\nAfter about 2 weeks, the malware executes the next line, where it creates the named pipe\r\n583da945-62af-10e8-4902-a8f205c72b2e to ensure only one instance of the backdoor is running. \r\nFigure 5: The sample creates named pipe\r\nIn figure 5, after creating the named pipe, the sample checks the mode of operation as described by FireEye. If the\r\nmode returned is \"Truncate\", the malware terminates and exits.\r\nFigure 6: Makes some delay execution\r\nAfter the truncate mode check passes, the malware delays execution of the next line by about\r\n30 to 120 minutes.\r\nFigure 7: Sunburst check for domain-joined\r\nIn figure 7, Sunburst also checks if the victim is joined to an Active Directory domain. 
Those blacklisted AD\r\ndomains are as follows:\r\nFigure 8: Hashes of blacklisted domain\r\nThe next lines of code are executed only if the current victim is not joined to one of the blacklisted AD domains. These\r\nencoded strings were brute-forced by FireEye to determine the decoded result of each encoded\r\nstring; refer to the SolarWinds/SunBurst FNV-1a-XOR hash analysis spreadsheet shared by FireEye [3].\r\n1. swdev.local\r\n2. emea.sales\r\n3. pci.local\r\n4. apac.lab\r\n5. swdev.dmz\r\n6. cork.lab\r\n7. saas.swi\r\n8. dmz.local\r\n9. lab.local\r\n10. dev.local\r\n11. lab.rio\r\n12. lab.brno\r\n13. lab.na\r\n14. test\r\n15. solarwinds\r\nThe sample then performs another check to generate the user ID of the current victim, as shown in\r\nfigures 8 and 9.\r\nFigure 8: GetOrCreateUserID call\r\nFigure 9: GetOrCreateUserID code\r\nIn figure 9, the user ID of the victim is built from 3 values:\r\n1. The MAC address of a network interface that is up and is not a loopback device, from the ReadDeviceInfo function\r\n2. The domain name contained in the variable domain4\r\n3. The HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid value\r\nAfter that, the user ID is encoded by XORing the MD5 of that value, at lines 424 to 434 shown in figure 9.\r\nFigure 10: Method Update being invoke\r\nThe backdoor then invokes the method Update, in which the main part of the backdoor resides.\r\nFigure 11: Snippet code of the Update method\r\nIn the first part of the code, as shown in Figure 11, the backdoor begins the domain generation algorithm (DGA)\r\nlogic using the class CryptoHelper.\r\nFigure 12: Content of CryptoHelper\r\nSunburst victims, who have installed one of the malicious SolarWinds Orion software\r\nupdates and been infected by it, will query for domain names. 
The malicious part of the software update constructs and\r\nresolves a subdomain of avsvmcloud.com. \r\nThe code generates those domain names by taking the victim's User ID and the computer’s domain name and encoding\r\nthem with a simple substitution cipher. These encoded subdomain strings are then concatenated with one of\r\nthe following domains to create the hostname to resolve:\r\n.appsync-api.eu-west-1[.]avsvmcloud[.]com\r\n.appsync-api.us-west-2[.]avsvmcloud[.]com\r\n.appsync-api.us-east-1[.]avsvmcloud[.]com\r\n.appsync-api.us-east-2[.]avsvmcloud[.]com\r\nExamples of the generated and encoded C2 domain names are as follows:\r\n02m6hcopd17p6h450gt3.appsync-api.us-west-2.avsvmcloud.com\r\n06o0865eliou4t0btvef0b12eu1.appsync-api.us-east-1.avsvmcloud.com\r\n04spiistorug1jq5o6o0.appsync-api.us-west-2.avsvmcloud.com\r\n060mpkprgdk087ebcr1jov0te2h.appsync-api.us-east-1.avsvmcloud.com\r\nThe subdomains highlighted above are the encoded User ID and computer’s domain name, which can be decoded\r\nusing tools from Netresec.\r\nAfter generating the domain, Sunburst continues by invoking another important method called UpdateNotification.\r\nFigure 13: UpdateNotification invoked.\r\nFigure 14: Check is there any blacklisted process running\r\nIn this method, the backdoor checks for blacklisted running processes, as shown in Figure 14. If a\r\nblacklisted process is running, the backdoor exits. If we dive into the method, we can see three\r\nimportant sub-methods: SearchAssemblies, SearchServices, and SearchConfiguration.\r\nFigure 15: Identify AV, EDR, tools, and drivers\r\nThe backdoor uses several blocklists to identify anti-virus and endpoint detection and response processes, drivers, and\r\nservices. 
It also checks for forensic and malware analysis tools in these three functions.\r\nSearchAssemblies = Processes of malware analysis and forensics tools\r\nSearchServices = Anti-Virus and EDR services\r\nSearchConfiguration = Anti-Virus and EDR drivers\r\nThe figures below (Figures 16-19) show the hashes of the blacklisted malware analysis and forensics tool processes,\r\nAV and EDR services, and drivers:\r\nFigure 16: The process hashes included in the field assemblyTimeStamps\r\nFigure 17: List of the blacklisted malware analysis and forensics tool hashes.\r\nFigure 16: The service hashes included in the field svcList\r\nFigure 17: List of the blacklisted AV and EDR service hashes.\r\nFigure 18: The driver hashes included in the field configTimeStamps\r\nThe backdoor retrieves the full driver list via the WMI query Select * From Win32_SystemDriver, as shown in\r\nfigure 18. The driver hashes are included in the field configTimeStamps.\r\nFigure 19: List of the blacklisted AV and EDR driver hashes.\r\nAll the decoded versions of the encoded hashes can be checked in the FireEye spreadsheet [3]. Thanks to the FireEye team!\r\nFigure 20: Bruteforced blacklist hashes spreadsheet\r\nNext, in the while loop, the sample checks for the processes, services, and drivers again. If the victim does not have\r\nany of the blacklisted processes, services, or drivers, the backdoor continues to execute the following\r\ncode.\r\nFigure 21: Check for the process again\r\nContinuing the investigation of the code at line 222, we see the backdoor obtain the AddressFamily of the victim\r\nand branch on it in the switch case that follows, shown in figure 22.\r\nFigure 22: Switch case of socket AddressFamily Netbios\r\nThe Command and Control beaconing starts from here. 
If the AddressFamily is NetBios, the backdoor\r\nwill either initiate the C2 beaconing or continue the command and control beaconing, which we can see at line 248\r\nin Figure 22, where the method Initialize is invoked.\r\nFigure 23: C2 things in Initialize method\r\nThe commands supported by the C2 can be viewed in the JobEngine field, as shown in figure 24.\r\nFigure 24: JobEngine contains the supported command of the Command and Control\r\nOnce Sunburst has gained access to the victim machine, depending on the objectives of the actor, any malicious\r\naction can be executed, such as stealing sensitive data, source code, etc.\r\nConclusion\r\nThe adversary behind this campaign is highly skilled. The threat actors behind this cyber attack campaign\r\ngained access to numerous organizations around the world, including organizations in Malaysia. Every organization in\r\nthe world that uses SolarWinds’ Orion IT monitoring and management software must be alert to this\r\ncampaign and take precautions, as the attack is still ongoing right now.\r\nIOC\r\nThe following SHA256 hashes are associated with Sunburst DLL files:\r\nThe following domain names are associated with the Sunburst cyber-attack campaign:\r\nReferences\r\n1. https://www.fireeye.com/blog/threat-research/2020/12/sunburst-additional-technical-details.html\r\n2. https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\r\n3. https://docs.google.com/spreadsheets/d/1u0_Df5OMsdzZcTkBDiaAtObbIOkMa5xbeXdKk_k0vWs/edit#gid=0\r\n4. https://labs.sentinelone.com/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/\r\n5. Colin Hardy's videos on Sunburst on YouTube\r\nSource: https://notes.netbytesec.com/2021/01/solarwinds-attack-sunbursts-dll.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://notes.netbytesec.com/2021/01/solarwinds-attack-sunbursts-dll.html"
	],
	"report_names": [
		"solarwinds-attack-sunbursts-dll.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434535,
	"ts_updated_at": 1775791327,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d877218be0d2ebc5955fc318ac3665b85364af8c.pdf",
		"text": "https://archive.orkl.eu/d877218be0d2ebc5955fc318ac3665b85364af8c.txt",
		"img": "https://archive.orkl.eu/d877218be0d2ebc5955fc318ac3665b85364af8c.jpg"
	}
}