General

  • Target

    SolaraB.rar

  • Size

    3.4MB

  • Sample

    240630-h15swavcjb

  • MD5

    c096c744fe5598e682ed1c1f2626a5e9

  • SHA1

    a42ee3debf621ef401e9d111bb30f2ce6412a0ec

  • SHA256

    44825fbcd6990e29a1a3c36fc9645978c17dfdde5f5355b3d5aa778e8b8fadec

  • SHA512

    36548779d3df50e0a23a9de07c122e69f65dbd13f00edb33ed2c43e30f2cbd0f7c32f6dae165dbf229751002d812a3e04c75a2d0059d6e15c7c3fbe6c675b13a

  • SSDEEP

    98304:2JZ3hy1IyMVar/e7lNhTRQBEjTxyYYvHygIpQSxrf:MdSIyLKhmBEjZgqQS5

Malware Config

Targets

    • Target

      SolaraB/Solara/SolaraBootstrapper.exe

    • Size

      3.6MB

    • MD5

      1084103f4bd706bf885d41afea903c6d

    • SHA1

      13d1b69e8d5beb8da4a7064dba7d170d1a038659

    • SHA256

      a79d06166220bed4b1f1db64c211e0b8ae442d053ad3428cb7bc4a802bcb0c18

    • SHA512

      9affc2ce5813e810d686bd5f4faf70e3b4062a07da470ce8ea1214b11b078fd4c41a8c59bd49bb64505ac209b3bb91ed32ee49e8cc69617178701e6ed8390ff4

    • SSDEEP

      98304:ZqwBaxdtHuWZIJ0iDZkTBo2UYndDXJzATh:Zqw0xdtHutJ08uTBZUYnpQ

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects the DCRat payload, which is commonly dropped by NSIS installers.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v13)

Execution

  • Scheduled Task/Job (T1053): 1
  • Scheduled Task (T1053.005): 1

Persistence

  • Scheduled Task/Job (T1053): 1
  • Scheduled Task (T1053.005): 1

Privilege Escalation

  • Abuse Elevation Control Mechanism (T1548): 1
  • Bypass User Account Control (T1548.002): 1
  • Scheduled Task/Job (T1053): 1
  • Scheduled Task (T1053.005): 1

Defense Evasion

  • Abuse Elevation Control Mechanism (T1548): 1
  • Bypass User Account Control (T1548.002): 1
  • Impair Defenses (T1562): 1
  • Disable or Modify Tools (T1562.001): 1
  • Modify Registry (T1112): 2
  • Virtualization/Sandbox Evasion (T1497): 1

Discovery

  • Query Registry (T1012): 4
  • Virtualization/Sandbox Evasion (T1497): 1
  • System Information Discovery (T1082): 4

Command and Control

  • Web Service (T1102): 1

Tasks