Analysis
-
max time kernel
123s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
02-08-2024 16:37
Behavioral task
behavioral1
Sample
SolaraBootstrapper.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
SolaraBootstrapper.exe
Resource
win10v2004-20240802-en
General
-
Target
SolaraBootstrapper.exe
-
Size
303KB
-
MD5
7553c649cdd15e01bc47cfa2dc88fdae
-
SHA1
1ad33f546146e52d05e667f0907262c1e55cb958
-
SHA256
12a8d265fe2c0fb139d2dc9994ebdfaf7aea93a2ecc18dc4e132f1a04d36eda6
-
SHA512
b40c066725b3f9ece6f75dd11598ad73f702b608253a4fa990774d2a61433b7a8218e19c3f5b348b62d18f533069f0cb228bcd5904497e98cd8f77d94a9d1849
-
SSDEEP
6144:k1E0T6MDdbICydeB1MnyCvG/9GzC6jmA1D0Kzp:k1z6yCvGFG+Y1Dtp
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/1256365156401680444/Q4ybvTW8-P8cHM7v5CKOThKUJqTZ4f03jPUNC4To8TouPRnWl442RcsKLBOptm6uvg63
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 1 freegeoip.app -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
SolaraBootstrapper.exepid process 4924 SolaraBootstrapper.exe 4924 SolaraBootstrapper.exe 4924 SolaraBootstrapper.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
SolaraBootstrapper.exedescription pid process Token: SeDebugPrivilege 4924 SolaraBootstrapper.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4924
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4808