General

  • Target

    Solara.exe

  • Size

    63KB

  • Sample

    240530-k7nt2sdg44

  • MD5

    b0366ac55894b55435b8532d38d832eb

  • SHA1

    4deadb6e63ed9a55613582f55d00260131af2f63

  • SHA256

    ac8a918e84ef35d0f4c0c05f68f50ba8700f00b0e4af46e9b798d4aba9d818ff

  • SHA512

    94b9689a365bd4491249e0ac4283a3829463753b60636edf655cd2bebb8fd63bd6bb5e2b44a4c2e82d22f9e308eeb475f25228dc6b62f4d5489d79208cc01a04

  • SSDEEP

    1536:PZLydsig+nK5EzHRzEnlm32ErNZWLRJZ45J3q5fKAr1:esiRngORIl0rNkLRJZAJ6V5R

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates that the parent process was compromised via an exploit or a macro.

    • DCRat payload

      Detects the DCRat payload, which is commonly dropped by NSIS installers.

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks