General

  • Target

    solara+roblox.zip

  • Size

    5.7MB

  • Sample

    250127-zl27wavrgn

  • MD5

    7534f958832de3d978be3f9faabd19bb

  • SHA1

    b40f04e5b4571584db612f9e3fbb2ac2f8aca38a

  • SHA256

    831ae91a683d8b7e0c7b1464a363832a4a513b365a107b148842a47e8197eb88

  • SHA512

    72a668e0acba7c3b8e91ccc42513bf16cc2a053a188ab0a7e8acbcf7daff704fc1635e75b98e6ec06fdfb099e3748dd5e8da2ba51bb026666a77af9769a3fc5a

  • SSDEEP

    98304:a2s8WVQrNO3zHqt5Uein5TJhLTyKK/G1pI7DNGDItOWXY4+mOyW:a2tVU3zH0Uein5LeKtg7rOWtOyW

Malware Config

Targets

    • Target

      solara+roblox/BootstrapperNew.exe

    • Size

      2.9MB

    • MD5

      4d207914ab7b161d4a8e6bf45cd27de4

    • SHA1

      accd340b49754a770fd8debc10a379fe587336f6

    • SHA256

      3c4dcf944e748c91df983422349e3a10f8271d3ef77ceee73d071b3d5e764f1b

    • SHA512

      7df470c7c3b1f695289202363826d86af5e878138aa7c50a5d678df1ee95c0e9e2e87dc913be007e212519b05ab56146766768fbe00c583f5b57b905fbbf3f19

    • SSDEEP

      49152:alcyXfHnaBTof9ePCjkIAm1skqXfd+/9A9ByClY1v/a/ehH7pNLLn2:4ZXfHaFoCIvqkqXf0FglY1XOe97vLn

    Score
    1/10
    • Target

      solara+roblox/RobloxPlayerInstaller (1).exe

    • Size

      7.3MB

    • MD5

      027183c8f1be3ad3b30d3c8cf7332988

    • SHA1

      a7de0320e768d2f737c30e77be4ca5043c3dbe55

    • SHA256

      5f02e34dc5d7a478675fef3b4bfa9ed321bf6b6f8d6804aef7b243e360fba2fd

    • SHA512

      66aefb4f2295d66da768ada2849e498145ef0f8d1e2e4c4bb7daa1745b6937742451c2f1eaf3dad35833096179e4b9d123487d744106a709f34c6a7bc8f589ac

    • SSDEEP

      98304:lvvXbqLcfF4SNvJ7JuDjjCD2W8zhFxXTWgjY5z8D7PGPZs44bMHES3yFkwOY:5XbqLc26ijWGhFxXIz8D7PGPT4IhySc

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks