General
Target: Solara.exe
Size: 63KB
Sample: 240530-xjjlmsgb6x
MD5: b0366ac55894b55435b8532d38d832eb
SHA1: 4deadb6e63ed9a55613582f55d00260131af2f63
SHA256: ac8a918e84ef35d0f4c0c05f68f50ba8700f00b0e4af46e9b798d4aba9d818ff
SHA512: 94b9689a365bd4491249e0ac4283a3829463753b60636edf655cd2bebb8fd63bd6bb5e2b44a4c2e82d22f9e308eeb475f25228dc6b62f4d5489d79208cc01a04
SSDEEP: 1536:PZLydsig+nK5EzHRzEnlm32ErNZWLRJZ45J3q5fKAr1:esiRngORIl0rNkLRJZAJ6V5R
Static task: static1
Malware Config
Targets
- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019, capable of loading additional plugins.
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Disables Task Manager via registry modification
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger