Overview

overview

10

Static

static

3

SolaraBoot...er.exe

windows10-ltsc 2021-x64

10

SolaraBoot...er.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SolaraBootstrapper.exe

  • Size

    2.1MB

  • Sample

    241111-n24vvssmap

  • MD5

    46ee914172c6a86f6545e8afdcbddb60

  • SHA1

    1e40ed9b6d1f8f24b9692c4b600a04a0fabac121

  • SHA256

    c2fc34d4e0c21d93bb27de86004031c5d6a7aa359f3b9c511d6a771df9d8bec0

  • SHA512

    55025faa2d309fc959d07573273559ea3007d8bcf4242417d81965678638ee27a3465be96ce21ee3398edc84dc2d385237a8a1845d037802ddab4be8421f28dd

  • SSDEEP

    24576:lTbBv5rUfSyHO85Zn6VSnaS/6fRkJ9v82URnpQKm+9nHjLJAWCNGQj1EHzpp4o5R:PBZ076i7v8ZjQ6PJAWCNFp0zpphFaF4

Score
10/10
dcratdiscoveryinfostealerpersistencerat

Malware Config

Targets

    • Target

      SolaraBootstrapper.exe

    • Size

      2.1MB

    • MD5

      46ee914172c6a86f6545e8afdcbddb60

    • SHA1

      1e40ed9b6d1f8f24b9692c4b600a04a0fabac121

    • SHA256

      c2fc34d4e0c21d93bb27de86004031c5d6a7aa359f3b9c511d6a771df9d8bec0

    • SHA512

      55025faa2d309fc959d07573273559ea3007d8bcf4242417d81965678638ee27a3465be96ce21ee3398edc84dc2d385237a8a1845d037802ddab4be8421f28dd

    • SSDEEP

      24576:lTbBv5rUfSyHO85Zn6VSnaS/6fRkJ9v82URnpQKm+9nHjLJAWCNGQj1EHzpp4o5R:PBZ076i7v8ZjQ6PJAWCNFp0zpphFaF4

    Score
    10/10
    dcratdiscoveryinfostealerpersistencerat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Modifies WinLogon for persistence

      persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

2
T1012

Remote System Discovery

1
T1018

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks