General

  • Target: Solara-main.zip
  • Size: 401KB
  • Sample: 240630-pyvy8a1enk
  • MD5: 033b6b9d8a597b10cf18cd4afa9507c7
  • SHA1: 555842f13061dff86306d1b79f47c0327c7628b4
  • SHA256: 16cca0f0005d05175568adc4d1927ccf9a1775f51a67bf0e28e38df042d205d2
  • SHA512: 5fbc045439fa100056554fef3141b1d85088318819021918ec0416fceb144f06fac3ffcdaea8dbe5d84ac7c5e71ebbfa722631b7045cdb7d705d693ae92634fb
  • SSDEEP: 12288:iDfC0Y74SD9BsAJ7gib3aPcNYmn9nr+YRmMuyxgyL:TUSPNbKPcNYmn9nUyx/L

Malware Config

Extracted

  • Family: 44caliber
  • C2: https://discord.com/api/webhooks/1169713279464120370/GUIw2wEmQMllUHEfRf3MNeS3DBNrZN-RuTQ9QbFfAqIZNVHtIlkj1yiD5QqgrIlv8gQi

Targets

    • Target: Solara-main.zip
    • Size: 401KB
    • MD5: 033b6b9d8a597b10cf18cd4afa9507c7
    • SHA1: 555842f13061dff86306d1b79f47c0327c7628b4
    • SHA256: 16cca0f0005d05175568adc4d1927ccf9a1775f51a67bf0e28e38df042d205d2
    • SHA512: 5fbc045439fa100056554fef3141b1d85088318819021918ec0416fceb144f06fac3ffcdaea8dbe5d84ac7c5e71ebbfa722631b7045cdb7d705d693ae92634fb
    • SSDEEP: 12288:iDfC0Y74SD9BsAJ7gib3aPcNYmn9nr+YRmMuyxgyL:TUSPNbKPcNYmn9nUyx/L

    Score: 1/10

    • Target: Solara-main/README.md
    • Size: 1KB
    • MD5: 99610e3f26a12cde98862aedd945ec84
    • SHA1: e10a549c9ae6414744ca9336a390eb62fb7f79b1
    • SHA256: 072856d085b8184cd4df7e53ec4d74df81c3ee4b31435f52d13b2d23ae0ddc40
    • SHA512: a1d84b2b74bae2b18287d19b1c3965420d53d3f76fba5308e3a29f090b5ce8215e4ec6b1ed9cdec94cb38f77d05972d4b7936109b09852af957223d4cb949e37

    Score: 3/10

    • Target: Solara-main/Solara.zip
    • Size: 400KB
    • MD5: 20804935c8018d330c47fa7acde89358
    • SHA1: 7e79e69996cf54bf3da5807e37805db03d23f34e
    • SHA256: 65dcaf8699e4d8d8aaa1c177fc49bfe4ff69ad4fd3891d61f68c5239e217cb14
    • SHA512: 7c7cf8a3e6d90376a1a958c57527750c5a04d6d27c90397aac458898a34601a36c5f345afeabaa72f0ece7f3701ac729b68b5bd9f93252552feb4a1f092fc398
    • SSDEEP: 12288:/3IY0Y/4SF9rsCJmLagibphNFc6V9pr+YJGIYKxgDc:/3NAS3mL2b/rV9pUKxGc

    Score: 1/10

    • Target: Solara/SolaraB/SolaraBootstrapper.exe
    • Size: 826KB
    • MD5: 886d05ab350457e2ddde2f569dc0668a
    • SHA1: 3448ca0ce7b2f279694f8a360348c0ade71b9322
    • SHA256: 286b6d3aa77caa78854b3648d96d80a1f207d7b94fb54103b44600a6f72839b5
    • SHA512: 31186e5e079389f820a026843340468cf183c31ee18d60537d48e83b4ecb08b86f2e1b41012b4fa25ebbbd33a4fbc833986815e71010b74df3e04fdaf49d7962
    • SSDEEP: 12288:gCQjgAtAHM+vetZxF5EWry8AJGy03eJxZM6gMkIhS:g5ZWs+OZVEWry8AFL06gGS

    • 44Caliber: An open source infostealer written in C#.
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads user/profile data of web browsers: Infostealers often target stored browser data, which can include saved credentials etc.
    • Themida packer: Detects Themida, an advanced Windows software protection system.
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Checks whether UAC is enabled
    • Legitimate hosting services abused for malware hosting/C2
    • Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic              | Technique                      | Count | ID
  --------------------|--------------------------------|-------|----------
  Defense Evasion     | Virtualization/Sandbox Evasion | 1     | T1497
  Credential Access   | Unsecured Credentials          | 2     | T1552
  Credential Access   | Credentials In Files           | 2     | T1552.001
  Discovery           | System Information Discovery   | 5     | T1082
  Discovery           | Query Registry                 | 3     | T1012
  Discovery           | Virtualization/Sandbox Evasion | 1     | T1497
  Collection          | Data from Local System         | 2     | T1005
  Command and Control | Web Service                    | 1     | T1102
