General

  • Target

    Solara.exe

  • Size

    489KB

  • Sample

    240701-td7jqsyand

  • MD5

    304fb1af10c5964bb55597f7c87e5ee3

  • SHA1

    7774fd280dc74e4b8846f7938261b7e22373b576

  • SHA256

    969e1396d2f6932f10c6de742659667070e3d6158d9e5a7d9a16d7254ca3afc7

  • SHA512

    3602afe1c97c78cdb871fe40dde53fc8e9c4766532e3d4ffccacf189e5e38e32c9bd55c681085ec0d5e62d9340a0724537143afd2b39705550b8368561280453

  • SSDEEP

    12288:7Jf/DdUC83OIgFc+tYjhLFH8rX+t498oHLMYK4K:7N/BUBb+tYjBFH8d7rM

Malware Config

Extracted

  • Family

    44caliber

  • C2

    https://discord.com/api/webhooks/1247933862773002240/9Ju3ByvnHXBxYOd33G7M9TjSgLAgPA4USgjS9eElxrDf_-b46LbXhTNC2EWbI4iMzaGU

Targets

    • Target

      Solara.exe

    • Size

      489KB

    • MD5

      304fb1af10c5964bb55597f7c87e5ee3

    • SHA1

      7774fd280dc74e4b8846f7938261b7e22373b576

    • SHA256

      969e1396d2f6932f10c6de742659667070e3d6158d9e5a7d9a16d7254ca3afc7

    • SHA512

      3602afe1c97c78cdb871fe40dde53fc8e9c4766532e3d4ffccacf189e5e38e32c9bd55c681085ec0d5e62d9340a0724537143afd2b39705550b8368561280453

    • SSDEEP

      12288:7Jf/DdUC83OIgFc+tYjhLFH8rX+t498oHLMYK4K:7N/BUBb+tYjBFH8d7rM

    • 44Caliber

      An open source infostealer written in C#.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15
