Overview

overview

8

Static

static

3

SolaraB V3...23.exe

windows11-21h2-x64

8

SolaraB V3...ASL.js

windows11-21h2-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SolaraB V3.131.rar

  • Size

    400KB

  • Sample

    241210-dbpyxawnbm

  • MD5

    bf2419a8779a2e418368e059d7afbac2

  • SHA1

    f2c8042e7f176016078ac6b8f396b5936cb18bef

  • SHA256

    1a9f40fdac5720f057a6581a18a08ca815b525f4cb10b41271fa46fb3631c7f7

  • SHA512

    3d3c14ad42313ca625a3c04ad3fa554e2e38395f8e9e335ae2cd62c60f70400bb87f7039edfc45a2c89f989d68b373998f1c74d6441056538c57cd07ed97e48d

  • SSDEEP

    12288:dJrDd1RJhYZxebiWhHyGuKgNJZmvbk/DQ:jrp1zMxCi+x3gjZmKQ

Score
8/10
adwaredefense_evasiondiscoveryevasionexecutionpersistenceprivilege_escalationstealertrojan

Malware Config

Targets

    • Target

      SolaraB V3.131/BootstrapperV1.23.exe

    • Size

      800KB

    • MD5

      02c70d9d6696950c198db93b7f6a835e

    • SHA1

      30231a467a49cc37768eea0f55f4bea1cbfb48e2

    • SHA256

      8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3

    • SHA512

      431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb

    • SSDEEP

      12288:qhd8cjaLXVh84wEFkW1mocaBj6WtiRPpptHxQ0z:2ycjar84w5W4ocaBj6y2tHDz

    Score
    8/10
    adwaredefense_evasiondiscoveryevasionpersistenceprivilege_escalationstealertrojan

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Blocklisted process makes network request

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

      stealeradware

    • Legitimate hosting services abused for malware hosting/C2

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1

    • Target

      SolaraB V3.131/workspace/VASL.lua

    • Size

      406KB

    • MD5

      e968ea0877cb597fe5bac88a880dc0c1

    • SHA1

      ae26bac0cd13d694d34e170beb17a7a6b7c0e7db

    • SHA256

      0001b9a7af128c7a7cad0ec933a838efcde8dafa02120ea208d1dac03571f736

    • SHA512

      772803219f21aeb4937460feb6b212cf930c27b9130d0c19a387550799d8c7132d14656b2ba12e5046e341407ace2d179f82932d6d65a27299ed633b2e65d12c

    • SSDEEP

      6144:0NJhMAdnIAuu++JYoU2XH7rtWY7/CFtoxvCNi1QIC5Hbh6K0JyaBhVNPYNxMG/A3:0NJGMr5rrtN7QtoxCh0JybAQi

    Score
    3/10
    execution
    behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

JavaScript

1
T1059.007

Persistence

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Browser Extensions

1
T1176

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Defense Evasion

Modify Registry

4
T1112

Subvert Trust Controls

1
T1553

SIP and Trust Provider Hijacking

1
T1553.003

Credential Access

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Query Registry

5
T1012

System Information Discovery

6
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks