Analysis

  • max time kernel: 24s
  • max time network: 28s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240508-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 01-07-2024 15:57

General

  • Target: Solara.exe
  • Size: 489KB
  • MD5: 304fb1af10c5964bb55597f7c87e5ee3
  • SHA1: 7774fd280dc74e4b8846f7938261b7e22373b576
  • SHA256: 969e1396d2f6932f10c6de742659667070e3d6158d9e5a7d9a16d7254ca3afc7
  • SHA512: 3602afe1c97c78cdb871fe40dde53fc8e9c4766532e3d4ffccacf189e5e38e32c9bd55c681085ec0d5e62d9340a0724537143afd2b39705550b8368561280453
  • SSDEEP: 12288:7Jf/DdUC83OIgFc+tYjhLFH8rX+t498oHLMYK4K:7N/BUBb+tYjBFH8d7rM

Malware Config

Extracted

  • Family: 44caliber
  • C2: https://discord.com/api/webhooks/1247933862773002240/9Ju3ByvnHXBxYOd33G7M9TjSgLAgPA4USgjS9eElxrDf_-b46LbXhTNC2EWbI4iMzaGU

Signatures

  • 44Caliber

    An open source infostealer written in C#.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials, cookies and similar data.

  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 1 IoC)
  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP address.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (5 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (5 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Solara.exe (depth 1, PID: 4792)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\Insidious.exe (depth 2, PID: 4720)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
    • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe (depth 2, PID: 5064)
      Command line: "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Insidious.exe
    Filesize: 303KB
    MD5: 4983f032e0e84628d9e228436fdc5de6
    SHA1: 575cf03d4ab0f1c86bc864ce6da83cacdd9be621
    SHA256: 35bccba601ac65b50cbcdc2f953c7fe185163756858457e73aff0b6a02a3b445
    SHA512: eb77f9f7f139492cdd38bf2ad9bdaf1aca58ca7b9d3cfc094e1b1aa9b6473631f8eab34ee68aa758c08fc36a824d9386de031b72b15cdbf11e9f0ceb961c109a

  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
    Filesize: 13KB
    MD5: 6557bd5240397f026e675afb78544a26
    SHA1: 839e683bf68703d373b6eac246f19386bb181713
    SHA256: a7fecfc225dfdd4e14dcd4d1b4ba1b9f8e4d1984f1cdd8cda3a9987e5d53c239
    SHA512: f2399d34898a4c0c201372d2dd084ee66a66a1c3eae949e568421fe7edada697468ef81f4fcab2afd61eaf97bcb98d6ade2d97295e2f674e93116d142e892e97

  • memory/4720-21-0x00000214F5ED0000-0x00000214F5F22000-memory.dmp
    Filesize: 328KB

  • memory/4720-23-0x00007FF9F8C03000-0x00007FF9F8C05000-memory.dmp
    Filesize: 8KB

  • memory/4720-52-0x00007FF9F8C00000-0x00007FF9F96C1000-memory.dmp
    Filesize: 10.8MB

  • memory/4720-59-0x00007FF9F8C00000-0x00007FF9F96C1000-memory.dmp
    Filesize: 10.8MB

  • memory/5064-56-0x00000000750FE000-0x00000000750FF000-memory.dmp
    Filesize: 4KB

  • memory/5064-57-0x0000000000A70000-0x0000000000A7A000-memory.dmp
    Filesize: 40KB

  • memory/5064-58-0x0000000005440000-0x000000000544A000-memory.dmp
    Filesize: 40KB