Extracted

Extracted

• • Target

    BetterSolara.exe

  • Size

    16.7MB

  • MD5

    3934847f717f78cf77739e4000f3eb05

  • SHA1

    6c567b0e3a2779836988bc331b9ac3cec928930e

  • SHA256

    3cb38b6703b6de0b6d3ccd9c600c217b497d694f7c76566cc38f5a518848306e

  • SHA512

    ac049def2ca4875abf560fead264b3599ec0cf476c911ab8b5d93ecdb2f4b0e828a07a18253bbd7c67914b53d1c6c594f8093e0b45252de8c606662da6c56b58

  • SSDEEP

    393216:Y/m3wnMS9DKfopmskhjDd8Bcq1GX4yKQ4x6XEdrme:Y/cSdUopm5dqBBUVT46Use

  Score

  10^/10

  skuldxenoratevasionratstealerthemidatrojanpersistence

  • Skuld stealer

    An info stealer written in Go lang.

    stealerskuld

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Themida packer

    Detects Themida, an advanced Windows software protection system.

    themida

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    evasiontrojan

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2