General

  • Target

    Bootstrapper.zip

  • Size

    742KB

  • Sample

    240823-s4bz3ssgnf

  • MD5

    ffd916c97f9beb802fe37163752a09bd

  • SHA1

    28154d784310c178e6af33f5e0198efa2803f381

  • SHA256

    2c1952990fa3431219bab7428c907dc2c67f214944a22da6a320411ad21b2e59

  • SHA512

    dde58c13deea57c4877aa8efd5db3717f14188853a4e37bece12f41098db0c9d7912039a3c5714cfff2be254f9689b389507c1c42ae40362184abaccae0bc13b

  • SSDEEP

    12288:fzrTSUfXJjTtuSsWHPDHD0vG7umPHdN9bZjF482Cg88d4C1nJRoBHDyhhQE:fHfXJjTt1sUPDHDsG6mL9tJ4B1+De1

Malware Config

Targets

    • Target

      Bootstrapper/MegaApiClient.dll

    • Size

      111KB

    • MD5

      aa23071161f9ce2e4d9a8c5c467b802a

    • SHA1

      da453f728cb481c1ff4314ea7f6e05d3b551aa52

    • SHA256

      d36662c1878323d631b9b41fc5d1bebdc48e5ccb9f9d642beb4020ba4f5945f1

    • SHA512

      209988102e861c12a13df837cab9e03f728dc96e7a0e8013867b0ce28beb5f24c419a97782017e24c0d3c98642278276fcff65356fecb307afeee117592491ce

    • SSDEEP

      1536:gO21vLbfCuYUrjGALzlzr/xMPIn9K67UtSlYinItaL/L:R2JfCN4jbZ/xMAV7vljItaH

    Score

    1/10

    • Target

      Bootstrapper/Newtonsoft.Json.dll

    • Size

      621KB

    • MD5

      9ddd2a3660758d3e07a96c48cbccf6de

    • SHA1

      9ed2db5211e5b38939f85613e2d2ea3e6bba027c

    • SHA256

      195883567010b80f05329c3007ff6e6aca5c41e7ce494d61a5f2b86c2d3b11db

    • SHA512

      01fa4f8653898315c2a3017efebb5e389676e1ebcc478caa896a7cb9aaf14d4df1aa14abad09337a01679c271680662a2b5f8661a182d81a8201c650edb2fb12

    • SSDEEP

      12288:VJUIOzzn7rOYamu7hSXqqPLExdkoq4Qu:yz7qYaZSXbPYxdRQu

    Score

    1/10

    • Target

      Bootstrapper/SharpCompress.dll

    • Size

      580KB

    • MD5

      30b5c4d9a654dd291b7ea435211f60c5

    • SHA1

      374071d9c244eccd998eeb8aa4eb5969043f8a3d

    • SHA256

      0a5a8c3607938a65873251693cd752b05f6f34370ad2fe82f1210e4d925b1675

    • SHA512

      8952cc715e79a36948584084a51fe3d297d03c4d801daeb2af10fc1cdae67fd07401315fac7da591394a1448f7d5d847e424d89c20bdd4d7cc2ec7c31bcff73a

    • SSDEEP

      6144:hSojDxWjfP9lU3AS2agAuStn7+ixIaJPXbEm4XjgRx8c9Xrfkfam5swjCu1MDvM:hSos7w3DpgAYVaJA8R+k9YsOlU

    Score

    1/10

    • Target

      Bootstrapper/SolaraDownloader.dll

    • Size

      7KB

    • MD5

      59a8846ad2d9eadca2837c8ccd865a08

    • SHA1

      3dc898b7065141b5c7b943eeae4f4caf6e99fa90

    • SHA256

      c8fab61c9bbdbb318884150d10d3369bd9b0daacd517a53e447aea1d7f481c28

    • SHA512

      dd0665d79ec7b8c9d03519902afdcdf5064103915474ac2195605440184fcf436413d09374441f43518e0c3fbfa8a5865cebe37b305a16cf071130b66e767810

    • SSDEEP

      96:h/JXZt42I3GeM0Lqf32f5CllufugW0UUsLz40wdzNt:h5Z5I2Kqf32f5CjUs0X

    Score

    1/10

    • Target

      Bootstrapper/SolaraDownloader.exe

    • Size

      139KB

    • MD5

      55d6478689c01c567a35e717c5a12e24

    • SHA1

      c1c0f82203d01d2db74c2a61b1263aac2042cf36

    • SHA256

      1b1600ef1aa80e31c8f5def6efbd296d4aa7a3cdd1d57e10ed2e71d197ebac72

    • SHA512

      c5fb4e5f584a7cf791d2bf2e7c183ecd27128eeee1b4974d50c4cce01683b6887c00a35e4c3f66f69d4aa2a463d526619ef6a832c1de4ae73dd12d876a8c17b9

    • SSDEEP

      3072:wu/4Fqqdnmh9RDNmCXLRiAIrmDSg78INuC31RbPdLnY7eC5l1L3:wu/4FqqImCXLRiAIrmP78INx70LN

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Downloads MZ/PE file

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Indicator Removal: Clear Windows Event Logs

      Clear Windows Event Logs to hide the activity of an intrusion.

    • Loads dropped DLL

    • Blocklisted process makes network request

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      Bootstrapper/ZstdSharp.dll

    • Size

      401KB

    • MD5

      09f6ded9375793bfd5a931faf164762a

    • SHA1

      413a1538da849ff4f5037582c4828b6bd444544c

    • SHA256

      abb3a24a17a41e5a7b7f6a7784e55ffad17ba1ccc5f18f3369ead1f126c4e120

    • SHA512

      2d80e2ff6ff70f6e49d29d5f422f09148002e0a084c9248d3e3a628b9180792442c9f85c9a8fb7c996f520a1a653bd4710d8b0ab09a6c0816e0c6401892547c7

    • SSDEEP

      6144:VTwjPLjGfYUfNYbwnTIDifsJIoTgIxLDqMP545CCEnipnV:VTo3YYgpnTtUJm5CC

    Score

    1/10

MITRE ATT&CK Enterprise v15

Tasks