Exploring the Depths of SolarMarker's Multi-tiered Infrastructure
Common Information
Type | Value |
---|---|
UUID | 2e90b123-0bb9-4005-8227-106fa9d5e60b |
Fingerprint | 4f89cfb171bc58e9edced305c87b7e892e257935dc8e8ca125df66e6fd2951fc |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | May 10, 2024, 4:55 p.m. |
Added to db | May 16, 2024, 7:58 a.m. |
Last updated | Aug. 31, 2024, 1:46 a.m. |
Headline | Exploring the Depths of SolarMarker's Multi-tiered Infrastructure |
Title | Exploring the Depths of SolarMarker's Multi-tiered Infrastructure |
Detected Hints/Tags/Attributes | 184/4/67 |
Source URLs
Redirection | Url |
---|---|
Source | https://go.recordedfuture.com/hubfs/reports/cta-2024-0513.pdf |
URL Provider
Attributes
Type | #Events | Value |
---|---|---|
Domain | 546 | www.recordedfuture.com |
Domain | 75 | tria.ge |
Domain | 265 | recordedfuture.com |
File | 2 | solarmarker.dat |
sha256 | 1 | ace82e39c0c7bba7b66f589ae8523aeffb1b34aeafe6d2f1f5ed873a0b980936 |
sha256 | 1 | 2de324d57bb96154e70958eea97713553f59025ca39220aec5d53c908cbf4645 |
sha256 | 1 | 814a9e7720ea8f283e779a43ee72bb215aa6d27a07adfadd45d5c710fb86ee3a |
sha256 | 1 | 837e7a67db612b25bfd0f94d37cdbe8b2dc1a298fe5641f27a233ea6daa73bf0 |
sha256 | 1 | 10fc8f8cf1b45a6a6b2b929414a84fc513f80d31b988c3d70f9a21968e943bf2 |
sha256 | 1 | 870f691ec9a83e9c4acce142e0acbf110260e6c8e707410c23c02076244f3973 |
sha256 | 1 | e7d165f3728b96921b43984733a92a51148ec87aec900c519a547c470e2a12d9 |
sha256 | 1 | 056f373077ca5b6a070975b22839d6f427cbcaeaec4dc31df86231cd3757f7e3 |
IPv4 | 1 | 2.58.14.183 |
IPv4 | 1 | 2.58.14.246 |
IPv4 | 3 | 2.58.15.58 |
IPv4 | 1 | 2.58.15.214 |
IPv4 | 1 | 23.29.115.186 |
IPv4 | 1 | 37.120.198.226 |
IPv4 | 1 | 45.86.163.163 |
IPv4 | 1 | 78.135.73.152 |
IPv4 | 1 | 84.252.94.184 |
IPv4 | 1 | 91.206.178.133 |
IPv4 | 1 | 146.0.79.21 |
IPv4 | 1 | 146.70.40.228 |
IPv4 | 1 | 146.70.71.135 |
IPv4 | 1 | 146.70.80.66 |
IPv4 | 2 | 146.70.80.79 |
IPv4 | 1 | 146.70.80.83 |
IPv4 | 1 | 146.70.92.187 |
IPv4 | 2 | 146.70.101.83 |
IPv4 | 1 | 146.70.104.176 |
IPv4 | 1 | 146.70.106.174 |
IPv4 | 2 | 146.70.121.88 |
IPv4 | 1 | 146.70.125.68 |
IPv4 | 1 | 146.70.125.119 |
IPv4 | 1 | 146.70.145.242 |
IPv4 | 1 | 146.70.160.62 |
IPv4 | 1 | 146.70.161.15 |
IPv4 | 1 | 185.236.203.159 |
IPv4 | 1 | 185.243.113.47 |
IPv4 | 1 | 185.243.115.88 |
IPv4 | 1 | 193.29.104.25 |
IPv4 | 1 | 194.15.216.237 |
IPv4 | 1 | 212.237.217.133 |
IPv4 | 1 | 212.237.217.136 |
IPv4 | 1 | 212.237.217.156 |
IPv4 | 1 | 217.138.215.79 |
IPv4 | 1 | 217.138.215.85 |
IPv4 | 1 | 217.138.215.105 |
MITRE ATT&CK Techniques | 442 | T1071.001 (Application Layer Protocol: Web Protocols) |
MITRE ATT&CK Techniques | 74 | T1573.002 (Encrypted Channel: Asymmetric Cryptography) |
MITRE ATT&CK Techniques | 130 | T1573.001 (Encrypted Channel: Symmetric Cryptography) |
MITRE ATT&CK Techniques | 492 | T1105 (Ingress Tool Transfer) |
MITRE ATT&CK Techniques | 550 | T1112 (Modify Registry) |
MITRE ATT&CK Techniques | 1006 | T1082 (System Information Discovery) |
MITRE ATT&CK Techniques | 501 | T1012 (Query Registry) |
MITRE ATT&CK Techniques | 460 | T1059.001 (Command and Scripting Interpreter: PowerShell) |
MITRE ATT&CK Techniques | 183 | T1566.002 (Phishing: Spearphishing Link) |
MITRE ATT&CK Techniques | 183 | T1189 (Drive-by Compromise) |
MITRE ATT&CK Techniques | 380 | T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder) |
MITRE ATT&CK Techniques | 82 | T1583.001 (Acquire Infrastructure: Domains) |
MITRE ATT&CK Techniques | 62 | T1583.003 (Acquire Infrastructure: Virtual Private Server) |
MITRE ATT&CK Techniques | 32 | T1583.004 (Acquire Infrastructure: Server) |
MITRE ATT&CK Techniques | 22 | T1583.008 (Acquire Infrastructure: Malvertising) |
MITRE ATT&CK Techniques | 21 | T1584.004 (Compromise Infrastructure: Server) |
Url | 1 | https://tria.ge/240220-28414agg46/behavioral2 |
Yara rule | 1 | MAL_SolarMarker (reproduced below) |

The YARA rule extracted from the report, reflowed into standard rule layout. The meta, strings and condition are unchanged; only comments were added. Note that the three `wide` strings match UTF-16LE (each ASCII character followed by a NUL byte), which is how .NET string literals are stored in the SolarMarker DLLs the rule targets, and that `200KB` in YARA means 200 * 1024 bytes.

```yara
rule MAL_SolarMarker
{
    meta:
        author = "JEBSTEIN, Insikt Group, Recorded Future"
        date = "2021-12-14"
        description = "Rule to detect SolarMarker Jupyter/Mars DLL"
        version = "1.0"
        reference = "SolarMarker"
        hash = "10fc8f8cf1b45a6a6b2b929414a84fc513f80d31b988c3d70f9a21968e943bf2"
        hash = "870f691ec9a83e9c4acce142e0acbf110260e6c8e707410c23c02076244f3973"
        hash = "e7d165f3728b96921b43984733a92a51148ec87aec900c519a547c470e2a12d9"
        hash = "056f373077ca5b6a070975b22839d6f427cbcaeaec4dc31df86231cd3757f7e3"
        RF_MALWARE = "SolarMarker RAT"
        RF_MALWARE_ID = "h-tpcZ"
        RF_THREATACTOR = "Solarmarker Threat Group"
        RF_THREATACTOR_ID = "mYbecu"

    strings:
        // UTF-16LE ("wide") identifiers used in the C2 protocol and loader
        $s1 = "change_status" wide
        $s2 = "is_success" wide
        $s3 = "-ep byp" wide          // powershell -ep bypass, truncated
        // ASCII family/version names
        $s4 = "Deimos"
        $s5 = "Mars"
        // UTF-16LE: {"action":"ping","  (start of the C2 check-in JSON)
        $h1 = { 7B 00 22 00 61 00 63 00 74 00 69 00 6F 00 6E 00 22 00 3A 00 22 00 70 00 69 00 6E 00 67 00 22 00 2C 00 22 }
        // UTF-16LE: ';$c=get-content $p;remove-item $p;iex $c"  (PowerShell stager: read, delete, iex)
        $h2 = { 27 00 3B 00 24 00 63 00 3D 00 67 00 65 00 74 00 2D 00 63 00 6F 00 6E 00 74 00 65 00 6E 00 74 00 20 00 24 00 70 00 3B 00 72 00 65 00 6D 00 6F 00 76 00 65 00 2D 00 69 00 74 00 65 00 6D 00 20 00 24 00 70 00 3B 00 69 00 65 00 78 00 20 00 24 00 63 00 22 }

    condition:
        // MZ header, larger than a typical stager, and any 5 of the 7 atoms
        uint16(0) == 0x5a4d and filesize > 200KB and (5 of them)
}
```
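To make the rule's logic testable without yara-python, here is an added example (not Recorded Future's code and not part of the report) that re-encodes the seven string atoms exactly as YARA would see them and evaluates the condition against constructed in-memory blobs. The blobs are fabricated test data, not SolarMarker samples; the function names (`decode_hex_atoms`, `matched_atoms`, `mal_solarmarker`, `build_sample`) are this example's own. It also decodes the two hex atoms to show what they actually match.

```python
"""Pure-Python re-implementation of the MAL_SolarMarker condition (added
example, not Recorded Future's code). The sample blobs built here are
constructed test data, not SolarMarker samples."""
import struct

# Plain ASCII atoms ($s4, $s5) match the bytes as written.
ASCII_ATOMS = {
    "$s4": b"Deimos",
    "$s5": b"Mars",
}

# 'wide' in YARA means UTF-16LE: each ASCII character followed by a NUL byte,
# which is how .NET stores string literals in the targeted DLLs.
WIDE_ATOMS = {
    "$s1": "change_status".encode("utf-16-le"),
    "$s2": "is_success".encode("utf-16-le"),
    "$s3": "-ep byp".encode("utf-16-le"),
}

# Hex atoms copied verbatim from the rule. Both are UTF-16LE text that stops on
# the low byte of the final '"' (odd length), so decode_hex_atoms() pads one NUL.
HEX_ATOMS = {
    # -> {"action":"ping","   (start of the C2 check-in JSON)
    "$h1": bytes.fromhex(
        "7B 00 22 00 61 00 63 00 74 00 69 00 6F 00 6E 00 22 00 3A 00 22 00 "
        "70 00 69 00 6E 00 67 00 22 00 2C 00 22"
    ),
    # -> ';$c=get-content $p;remove-item $p;iex $c"   (PowerShell stager tail)
    "$h2": bytes.fromhex(
        "27 00 3B 00 24 00 63 00 3D 00 67 00 65 00 74 00 2D 00 63 00 6F 00 "
        "6E 00 74 00 65 00 6E 00 74 00 20 00 24 00 70 00 3B 00 72 00 65 00 "
        "6D 00 6F 00 76 00 65 00 2D 00 69 00 74 00 65 00 6D 00 20 00 24 00 "
        "70 00 3B 00 69 00 65 00 78 00 20 00 24 00 63 00 22"
    ),
}

ALL_ATOMS = {**ASCII_ATOMS, **WIDE_ATOMS, **HEX_ATOMS}
MIN_SIZE = 200 * 1024  # YARA's "200KB" is 200 * 1024 bytes
REQUIRED = 5           # "5 of them" over the seven atoms above


def decode_hex_atoms():
    """Return the hex atoms as the UTF-16LE text they encode."""
    out = {}
    for name, raw in HEX_ATOMS.items():
        if len(raw) % 2:
            raw += b"\x00"  # restore the high byte the rule omits
        out[name] = raw.decode("utf-16-le")
    return out


def matched_atoms(data):
    """Names of the atoms present in data, like YARA's per-string matches."""
    return sorted(name for name, pat in ALL_ATOMS.items() if pat in data)


def mal_solarmarker(data):
    """Evaluate: uint16(0) == 0x5a4d and filesize > 200KB and (5 of them)."""
    # uint16(0) is little-endian, so the bytes "MZ" (4D 5A) read as 0x5A4D.
    if len(data) < 2 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False
    if len(data) <= MIN_SIZE:
        return False  # the size gate cuts out small stagers and scripts
    return len(matched_atoms(data)) >= REQUIRED


def build_sample(atom_names, size=MIN_SIZE + 4096, mz=True):
    """Constructed test blob: MZ header, the chosen atoms, NUL padding to size."""
    header = b"MZ" if mz else b"\x00\x00"
    body = b"".join(ALL_ATOMS[n] + b"\x00" * 16 for n in atom_names)
    blob = header + body
    return blob + b"\x00" * max(0, size - len(blob))


if __name__ == "__main__":
    full = build_sample(ALL_ATOMS)  # all seven atoms present
    print(decode_hex_atoms())
    print(matched_atoms(full), mal_solarmarker(full))
    print(mal_solarmarker(build_sample(["$s1", "$s2", "$s3", "$s4"])))  # 4 of 7
    print(mal_solarmarker(build_sample(ALL_ATOMS, size=1024)))  # under 200KB
```

Running it shows the two hex atoms are the JSON check-in prefix and the stager's read-delete-iex tail, and that a blob with only four atoms, a blob without the MZ header, or a blob under 200 KiB does not fire even when every string is present. That is the behaviour to keep in mind when the rule is ported to another engine or when a sample is unpacked from memory and the PE header is absent.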