General
-
Target
солярка (воркает).rar
-
Size
2.6MB
-
Sample
241004-wp8x2ssfnd
-
MD5
45fd7de7a40563e71d6f2e8ab3accc10
-
SHA1
b3f77f34507850c890789cacb0ccd0bba87d6a3c
-
SHA256
3c74eb0e0e744bed1deab78229f53f571be042fe0bfbdb31df99dabbe1ec33a1
-
SHA512
4276a959de82f67309a0624401fa315c605af6f8be40b393473fda6fefb5b3cd5444c2f5bc16f1743685595cecb8bcdcaddaa5e1ad6385ef76f5034e735dc62a
-
SSDEEP
49152:NSIWLZd0Gb+987RBstRIwekxcbTB2BuVuyZi6YX2nLots1u3VonghLyQ:NfWLZd0Gai7RERIwPxC22j64LoRVYOr
Behavioral task
behavioral1
Sample
солярка (воркает)/BootstrapperV1.21.exe
Resource
win10v2004-20240802-en
Malware Config
Targets
-
-
Target
солярка (воркает)/BootstrapperV1.21.exe
-
Size
3.8MB
-
MD5
d83d803d2aa210c2ea165a6ba41d755a
-
SHA1
5e9f047412addd3a3a36dfd2890c3709a6b6840d
-
SHA256
c7becefe6c1a08698fe22edd47646657e9312acf4824c7435dd4b2af46e10072
-
SHA512
d510c369c589d39114556b46f0d333165a2d22e163776cd4eb5c13d993745279c3110815013fb4fe62c5015fc94b6527ebf029ac465d2b691a74a91cbf6e75d4
-
SSDEEP
49152:wbA3jjuzRg+fejWikp35V5nqe3jCtJaOEXt/kdK9decwoGH/jHc4U:wbGqyLpQz5qeTCtwOEkw9decKU
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
ModiLoader Second Stage
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Impair Defenses: Safe Mode Boot
-
Loads dropped DLL
-
Adds Run key to start application
-
Blocklisted process makes network request
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
2Disable or Modify Tools
1Safe Mode Boot
1Modify Registry
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1