da9098d4713d46c44b95758bdf17e3d2fa1633b3130c7be47b7111132dc051ff | Triage

Submit
Reports

Overview

overview

9

Static

static

3

SolaraB2/S...er.exe

windows7-x64

7

SolaraB2/S...er.exe

windows10-2004-x64

9

Resubmissions

24-06-2024 15:13

240624-slt3yasbrl 9

24-06-2024 15:12

240624-sk93rssbpj 7

Sharing

General

Target

SolaraB2.zip
Size

278KB
Sample

240624-slt3yasbrl
MD5

ea418b261e24a56105a6d328b60e9cc7
SHA1

4f89568a40fff23b381eb1009a764cc7eaf6580c
SHA256

da9098d4713d46c44b95758bdf17e3d2fa1633b3130c7be47b7111132dc051ff
SHA512

95a04802ae713e00940b6ddb55bc75ea7d3450cf31b5fb9d55f0b44aa3629bbf2695d979e1cdef244b4df987db89475cb7185f648cdaffbaa8189e3187dcc8de
SSDEEP

6144:eZJBeDFmH5elET2OhI16sf2YtiQFhL+SV0zZ5NnFJw:IJkFmH36h6seLQFhwfw

Score

9^/10

discovery evasion themida trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

SolaraB2/Solara/SolaraBootstrapper.exe

Resource

win7-20231129-en

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

SolaraB2/Solara/SolaraBootstrapper.exe

Resource

win10v2004-20240611-en

discovery evasion themida trojan

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Targets

- Target
  
  SolaraB2/Solara/SolaraBootstrapper.exe
- Size
  
  797KB
- MD5
  
  36b62ba7d1b5e149a2c297f11e0417ee
- SHA1
  
  ce1b828476274375e632542c4842a6b002955603
- SHA256
  
  8353c5ace62fda6aba330fb3396e4aab11d7e0476f815666bd96a978724b9e0c
- SHA512
  
  fddec44631e7a800abf232648bbf417969cd5cc650f32c17b0cdc12a0a2afeb9a5dbf5c1f899bd2fa496bd22307bfc8d1237c94920fceafd84f47e13a6b98b94
- SSDEEP
  
  12288:n1mzgHpbzEu8AgpQojA1j855xU9pHIRxSNN:1mzgH385QojA1j855xSHI
Score

9^/10

discovery evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Blocklisted process makes network request
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

discoveryevasionthemidatrojan

© 2018-2024

Terms | Privacy