Analysis
-
max time kernel
129s -
max time network
136s -
platform
windows10-1703_x64 -
resource
win10-20240611-en -
resource tags
arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system -
submitted
08-07-2024 08:21
General
-
Target
SolaraBootstrapper.exe
-
Size
304KB
-
MD5
57e127da218cf91a3bd38b177099edad
-
SHA1
40138b9611a8bc7dddc94bccd6d3847ca8ab881d
-
SHA256
470914ddf3d824016ea5d00527b72f28e848ba4ef5cc48fc2d8ec65ca8d1f50d
-
SHA512
55978686bdf56f7a9f1e9209d77494320390cb6ee5175de728028a7602e1e4c7624196eb5c6b8735f4b4b15dd132d1df8491d166f832580c6a2abeec460b4ef4
-
SSDEEP
6144:q/oT6MDdbICydeBrdEGHpcJWba23UVt3QA8e0F5B:q/WJEGHpQWeGUVtj8eUB
Malware Config
Extracted
Family
44caliber
C2
https://discord.com/api/webhooks/1259774804534497342/8EZmH3dK1jU0Q5PXQDVD0hawjscINRdEpoQ85BKJvoPo3stGWAfUJE7lZN4wJCUTHdnG
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 2 freegeoip.app 1 freegeoip.app -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 3336 SolaraBootstrapper.exe 3336 SolaraBootstrapper.exe 3336 SolaraBootstrapper.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3336 SolaraBootstrapper.exe