pysilon | 675a635c4a4d1a5cb124600b4644f8126b3e5fbfc6e6a42488a664d14f9a6a2c | Triage

Submit
Reports

Overview

overview

Static

static

SolaraBoot...er.exe

windows11-21h2-x64

9

Sharing

General

Target

SolaraBootstrapper.exe
Size

104.7MB
Sample

240805-s9fv8a1aqk
MD5

bdbf76228ee4c587b81885e011ce908d
SHA1

24219497fc9b0392558a433341c2220089318bb3
SHA256

675a635c4a4d1a5cb124600b4644f8126b3e5fbfc6e6a42488a664d14f9a6a2c
SHA512

637f6afc11062ccc0065f8db56fcb4a9c413b4338409f5042c41c4a74d478b5e9150bffcf201f12fa5687aeb271422f78c126cdc966a1949016be6b37516593b
SSDEEP

3145728:HZop8S6xjKcBaIc2qHO5iVY2nGQbRe0zJcBWos9U:HZtSWNaIsHCiH1XcBW1

Score

10^/10

pysilon discovery evasion execution persistence themida trojan

Static task

static1

themida pysilon

4 signatures

Behavioral task

behavioral1

Sample

SolaraBootstrapper.exe

Resource

win11-20240802-en

discovery evasion execution persistence themida trojan

windows11-21h2-x64

24 signatures

150 seconds

Malware Config

Targets

- Target
  
  SolaraBootstrapper.exe
- Size
  
  104.7MB
- MD5
  
  bdbf76228ee4c587b81885e011ce908d
- SHA1
  
  24219497fc9b0392558a433341c2220089318bb3
- SHA256
  
  675a635c4a4d1a5cb124600b4644f8126b3e5fbfc6e6a42488a664d14f9a6a2c
- SHA512
  
  637f6afc11062ccc0065f8db56fcb4a9c413b4338409f5042c41c4a74d478b5e9150bffcf201f12fa5687aeb271422f78c126cdc966a1949016be6b37516593b
- SSDEEP
  
  3145728:HZop8S6xjKcBaIc2qHO5iVY2nGQbRe0zJcBWos9U:HZtSWNaIsHCiH1XcBW1
Score

9^/10

discovery evasion execution persistence themida trojan
- Enumerates VirtualBox DLL files
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Browser Information Discovery

File and Directory Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryevasionexecutionpersistencethemidatrojan

© 2018-2025

Terms | Privacy