General

  • Target

    SolaraBootstrapper.exe

  • Size

    1.5MB

  • Sample

    240719-m1qq6sxdpk

  • MD5

    fc883c9c23018f529b6df57a37752ee2

  • SHA1

    5f144d9aa5c24c309baf6b2a6b9975795bfc5795

  • SHA256

    84f0cb45e1f9d6f73ff0033ecc509cf19648a546966e381f227d89bd2ab5882a

  • SHA512

    5c29d4ef5194455d662d04be687c5fd7923071991ec792e623bf58e299cd4a64a60d3193699eb16cd3f4395a87f579f19f3925d948cd8bcaf37a28439d1e5ca4

  • SSDEEP

    24576:U2G/nvxW3Ww0tAcd/ADwvjwqeGOu98QhwrY//TgvCsOtZl8PeZUY:UbA30AG/ADp5G38U7xsOtZl8GH
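The digests above are the page's indicators for this sample. As an added example (not part of the report or the sandbox's tooling), the following Python checks a file on disk against them in one streaming pass and insists that every published digest agrees before calling a file "the reported sample": a partial match (say MD5 only) points at a typo in the IoC list or a collision and should be investigated rather than accepted. The four `REPORT_HASHES` values are copied from the report; all helper code and names are my own. ssdeep is not in the Python standard library, so the fuzzy hash is not compared here.

```python
"""Check a file on disk against the digests published in the report above.

Added example, not part of the report or the sandbox's tooling.  The four
REPORT_HASHES values are copied from the report; all helper code is mine.
ssdeep is not in the Python standard library, so only the cryptographic
digests are compared here.
"""
import hashlib
import io
import sys

REPORT_HASHES = {
    "md5": "fc883c9c23018f529b6df57a37752ee2",
    "sha1": "5f144d9aa5c24c309baf6b2a6b9975795bfc5795",
    "sha256": "84f0cb45e1f9d6f73ff0033ecc509cf19648a546966e381f227d89bd2ab5882a",
    "sha512": "5c29d4ef5194455d662d04be687c5fd7923071991ec792e623bf58e299cd4a64a60d3193699eb16cd3f4395a87f579f19f3925d948cd8bcaf37a28439d1e5ca4",
}
ALGORITHMS = tuple(REPORT_HASHES)


def digests_of_stream(fobj, chunk_size=1 << 20):
    """Compute every report digest in a single pass over a binary file object."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in iter(lambda: fobj.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digests_of_bytes(data):
    """Convenience wrapper for in-memory data (used by the tests)."""
    return digests_of_stream(io.BytesIO(data))


def digests_of_file(path):
    with open(path, "rb") as f:
        return digests_of_stream(f)


def matching_algorithms(digests, report=REPORT_HASHES):
    """Names of the algorithms whose digest equals the report value (case-insensitive)."""
    return sorted(name for name, value in digests.items()
                  if name in report and value.lower() == report[name].lower())


def is_report_sample(digests, report=REPORT_HASHES):
    """True only when every digest published in the report agrees.

    A partial match (e.g. MD5 only) means either a typo in the IoC list or a
    collision; either way the file must not be treated as the known sample.
    """
    return matching_algorithms(digests, report) == sorted(report)


if __name__ == "__main__":
    # Usage: python check_sample.py <file> [<file> ...]
    for path in sys.argv[1:]:
        d = digests_of_file(path)
        verdict = "MATCH" if is_report_sample(d) else "no match"
        print(f"{path}: {verdict} (agreeing digests: {matching_algorithms(d) or 'none'})")
```

Comparing case-insensitively matters because vendors publish hex digests in either case; comparing all four at once costs nothing extra since the file is read only once.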

Malware Config

Targets

    • DcRat

      DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that extends its functionality by loading additional plugins.

    • Process spawned unexpected child process

      A child process that the parent would not normally create (for example an Office application or browser launching a shell or script host) typically indicates the parent was compromised via an exploit or a malicious macro.

    • DCRat payload

      Detects the DCRat payload, which is commonly dropped by NSIS installers.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check: malware commonly uses it to avoid running in particular countries.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.
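The signatures listed above are the sandbox's own; the following is an added example of how behavioural signatures of this kind are typically implemented over process, file and registry telemetry, and it is not the sandbox's rule code. The pipe-delimited event format, the process and profile-file name lists, the registry key paths and the sample trace are all my own constructions, simplified for illustration. It models five of the signatures on this page (unexpected child process, dropped EXE executed, dropped DLL loaded, browser profile read, country-code lookup); the "Downloads MZ/PE file" and payload-family signatures need content inspection and are left out.

```python
"""Toy behavioural-signature engine in the spirit of the report's signatures.

Added example; nothing here is the sandbox vendor's code.  Assumed input
format: one event per line, "kind|actor|target", where kind is one of
ProcessCreate, FileWrite, ImageLoad, FileRead or RegistryRead, actor is the
image path of the process doing the action and target is the child image,
file path, loaded module or registry key.
"""
import ntpath

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Parents that should never need a shell or script host (assumed list).
NO_SHELL_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                    "acrord32.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Profile files holding saved logins, cookies or autofill data (assumed list).
BROWSER_PROFILE_FILES = {"login data", "cookies", "web data",
                         "logins.json", "key4.db", "cookies.sqlite"}
# Registry locations holding the configured country (GeoID) and install language.
GEO_KEYS = (r"control panel\international\geo\nation",
            r"system\currentcontrolset\control\nls\language")


def parse_event(line):
    parts = [f.strip() for f in line.split("|", 2)]
    if len(parts) != 3:
        raise ValueError(f"malformed event: {line!r}")
    return parts


def base(path):
    """Lower-cased file name; ntpath handles backslash paths on any host OS."""
    return ntpath.basename(path).lower()


class SignatureEngine:
    def __init__(self):
        self.dropped = set()   # lower-cased .exe/.dll paths written during the run
        self.hits = []         # (signature name, line number, detail)

    def _hit(self, name, line_no, detail):
        self.hits.append((name, line_no, detail))

    def feed(self, line_no, line):
        kind, actor, target = parse_event(line)
        actor_name, t = base(actor), target.lower()
        if kind == "FileWrite" and t.endswith((".exe", ".dll")):
            self.dropped.add(t)                     # state for the stateful rules below
        elif kind == "ProcessCreate":
            if actor_name in NO_SHELL_PARENTS and base(target) in SCRIPT_HOSTS:
                self._hit("Process spawned unexpected child process", line_no,
                          f"{actor_name} -> {base(target)}")
            if t in self.dropped:
                self._hit("Executes dropped EXE", line_no, target)
        elif kind == "ImageLoad" and t in self.dropped and t.endswith(".dll"):
            self._hit("Loads dropped DLL", line_no, target)
        elif kind == "FileRead":
            # Browsers read their own profile files; anything else doing so is suspect.
            if base(target) in BROWSER_PROFILE_FILES and actor_name not in BROWSER_IMAGES:
                self._hit("Reads user/profile data of web browsers", line_no,
                          f"{actor_name} read {target}")
        elif kind == "RegistryRead" and any(k in t for k in GEO_KEYS):
            self._hit("Checks computer location settings", line_no, target)

    def triggered(self):
        """Distinct signature names, sorted, for easy comparison with a report."""
        return sorted({name for name, _, _ in self.hits})


def run_signatures(lines):
    engine = SignatureEngine()
    for n, line in enumerate(lines, 1):
        if line.strip():
            engine.feed(n, line)
    return engine


# Constructed trace (not a real sandbox log): an NSIS-style dropper stage
# followed by a second-stage executable that checks locale and reads browser data.
SAMPLE_TRACE = r"""
FileWrite|C:\Users\victim\Desktop\SolaraBootstrapper.exe|C:\Users\victim\AppData\Local\Temp\nsa1234.tmp\System.dll
ImageLoad|C:\Users\victim\Desktop\SolaraBootstrapper.exe|C:\Users\victim\AppData\Local\Temp\nsa1234.tmp\System.dll
FileWrite|C:\Users\victim\Desktop\SolaraBootstrapper.exe|C:\Users\victim\AppData\Roaming\winhost.exe
ProcessCreate|C:\Users\victim\Desktop\SolaraBootstrapper.exe|C:\Users\victim\AppData\Roaming\winhost.exe
RegistryRead|C:\Users\victim\AppData\Roaming\winhost.exe|HKCU\Control Panel\International\Geo\Nation
FileRead|C:\Users\victim\AppData\Roaming\winhost.exe|C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data
FileRead|C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data
ProcessCreate|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\cmd.exe
""".strip().splitlines()

if __name__ == "__main__":
    for name, line_no, detail in run_signatures(SAMPLE_TRACE).hits:
        print(f"line {line_no}: {name}: {detail}")
```

The two "dropped" rules are deliberately stateful: a process launch or module load only counts as "dropped" if an earlier event in the same run wrote that path, which is what separates a dropper from a program that merely runs something already on disk. Chrome reading its own "Login Data" file produces no hit, while the same read from the dropped second stage does.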

MITRE ATT&CK Enterprise v15

Tasks