General

  • Target

    SolaraBootsrapper.rar

  • Size

    6.1MB

  • Sample

    240717-qefwmavfpf

  • MD5

    706df4069dacbd0cd0d80c5319431eec

  • SHA1

    e582f777cc585cdbc45c1eeafcef2307727c1f17

  • SHA256

    53d6112deaab099a9da782ba5fe8ccf729b2b1328bb0a62afdc9f09f9cd427c6

  • SHA512

    e74da6eff06a8627dec2fc0f5619cbfe55d4244167679951c905367f8625f5da7638d29b34cdc7d524d02d5f8b6d1acdda407eb679638d75a87d6abea2ad4f78

  • SSDEEP

    196608:76l2VFjUSLzLnFdH1ysmVYEaqr7xzFPST7x91G/5rF:7RUSLzDFdHAJV/RHtN0x9WF

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7121631902:AAErn17xNWrdiucOEwhQIj8v6o5tvdffJT4/sendPhoto?chat_id=7391062786&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%204f1ca97b69752bcaadf13b0dd4a54c66c43cb077%0A%E2%80%A2%20Comment%3A%20br0ken%0A%0A%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20ELEOLWUJ%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20194.110.13.70%0A%E2%80%A2%20GEO%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CProgram%20Files%5CInternet%20Explorer%5CRegistry.ex

Targets

    • Target

      Youtube.exe

    • Size

      8.7MB

    • MD5

      d25ebdfc04bdadea74017fa72f90781f

    • SHA1

      f7278c4d04fc4db888368e0245d7607d8bcbb557

    • SHA256

      9f30de67eacb0138506eff3c67dc9c52b0e923416dc75722ac90b12210b5383f

    • SHA512

      77cca4e741a6f96cc35a3ce55c3f899f902719c8ee29c84a6f5dcb57e9d6b8f85cad2042486ff907046f3c87673f5a34da73730256822d090ae764ba21064e71

    • SSDEEP

      196608:fE7JB0tYrXLW+d7UcIxptvyUQymRDSI1WCOK5m:fE9B0OjrdLK4J/Y

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • XMRig Miner payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Blocklisted process makes network request

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks