Overview

overview

10

Static

static

10

SolaraBootstraper.exe

windows7-x64

10

SolaraBootstraper.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    299s
  • max time network
    295s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    23-05-2024 13:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SolaraBootstraper.exe

  • Size

    290KB

  • MD5

    288a089f6b8fe4c0983259c6daf093eb

  • SHA1

    8eafbc8e6264167bc73c159bea34b1cfdb30d34f

  • SHA256

    3536c40290b9e7e9c3c47a96ab10fe3b737f334dd6779eaf70e35e91e10a677b

  • SHA512

    c04bf3530cd471d589efb8f7e6bdddb39422fc4284afc7f2d3645a646ebbee170d57dc57eff30cee05ef091c64c6a98586c5a887d25fe53e49531c137d285448

  • SSDEEP

    6144:4XWloZM+rIkd8g+EtXHkv/iD4H/pduMzvExlwOffujfb8e1mYoiCYvZZ:JoZtL+EP8H/pduMzvExlwOffuvZR9xZ

Score
10/10
njratumbralhackedevasionpersistencestealertrojan

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1241652478991269930/lqDzm5RXmNnZJ7VyPef0j8TTJEOPw48RTySfQrhy-HoHhnjd3f7_6UBfj32ly1VjvUlo

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

having-jackson.gl.at.ply.gg:56522

Mutex

7c148ac38012fc3caa04b1bbe75feba0

Attributes
  • reg_key

    7c148ac38012fc3caa04b1bbe75feba0

  • splitter

    |'|'|

Signatures

  • Detect Umbral payload 3 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstraper.exe
    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstraper.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2060
    • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3016
    • C:\Users\Admin\AppData\Local\Temp\Umbral.exe
      "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2496
    • C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe
      "C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1944
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe" "!FIXInj.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:2804

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\!FIXInj.exe
    Filesize

    37KB

    MD5

    ad8378c96a922dcfe813935d1eec9ae4

    SHA1

    0e7ee31880298190258f5282f6cc2797fccdc134

    SHA256

    9a7b8171f8c6bd4bb61b7d8baf7dab921983ab7767705c3f1e1265704599ab98

    SHA512

    d38a7581ef5c3dcc8752fc2465ad698605bbd38bf380201623265e5ef121510d3f34116438727e60b3832e867e2ed4fd52081d58690690ff98b28cde80f6af5f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
    Filesize

    12KB

    MD5

    06f13f50c4580846567a644eb03a11f2

    SHA1

    39ee712b6dfc5a29a9c641d92c7467a2c4445984

    SHA256

    0636e8f9816b17d7cff26ef5d280ce1c1aae992cda8165c6f4574029258a08a9

    SHA512

    f5166a295bb0960e59c176eefa89c341563fdf0eec23a45576e0ee5bf7e8271cc35eb9dd56b11d9c0bbe789f2eac112643108c46be3341fa332cfcf39b4a90b9

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Umbral.exe
    Filesize

    230KB

    MD5

    9694195bfd2d5a2d219c548d8dc65cf0

    SHA1

    d1113d97bb1114025e9260e898f3a3048a5a6fda

    SHA256

    c58b3fa42e404b4a095ee2959a7975b392d7d6b6af6e4d11c1431e3a430dfb6e

    SHA512

    24bb0f6432b221fe621d81a1c730bd473e9c295aa66a2b50cbe670ad2260f942a915f7f9aef65e6dc28320b8208fc712d9bfdc43dbc1a607ed9393bb5c17051a

    Download Submit

  • memory/2060-19-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3016-21-0x0000000000F40000-0x0000000000F4A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3056-22-0x0000000000010000-0x0000000000050000-memory.dmp

    Filesize

    256KB

    Download