General

  • Target

    SolaraBootstrapper.exe

  • Size

    2.6MB

  • Sample

    240609-1fm2fafh77

  • MD5

    bf3f5123a1a71b1f9f235cbc325d1c70

  • SHA1

    4eb19a43f14f689f1ee05836022918c8f175d057

  • SHA256

    4a8f10759984f27edaed60d418d231f564c406817b6398f462daa3deb8a05867

  • SHA512

    36031872fbc6774cc15b7d66a3f9dc5fb27a5fd5a8d3fff0fa0d282cac26ddf425c76c9e2c3f5204266c5419e435cf6727a9770764e55381561c35764acd5083

  • SSDEEP

    49152:8xmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyx0:8xx9NUFkQx753uWuCyyx0

Malware Config

Targets

    • Target

      SolaraBootstrapper.exe

    • Modifies visibility of hidden/system files in Explorer

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks