Solaris.exe -

| Vector | Description |
|--------|-------------|
| | Attached ZIP file with solaris.exe disguised as an invoice or document. |
| Cracked software / keygens | Downloaded from torrent sites; runs silently in the background. |
| Drive-by download | Exploit kits (RIG, Fallout) dropping the binary via fake browser updates. |
| Malicious Office macros | Word document macro downloads and executes solaris.exe. |

4. Technical Indicators (IOCs)

Below are observed hashes (SHA-256) for distinct variants (sanitized examples — real hashes should be searched in threat intel platforms):

| Variant | SHA-256 |
|---------|---------|
| Miner variant | a1b2c3d4e5f6... (64 chars) |
| RAT variant | b2c3d4e5f6a1... |
| Downloader variant | c3d4e5f6a1b2... |

```yara
rule Solaris_Malware
{
    meta:
        description = "Detects solaris.exe malware"
    strings:
        $s1 = "SolarisClient" wide ascii       // matches both ASCII and UTF-16LE forms
        $s2 = "C2_Domain_Check" ascii
        $s3 = { 8B 45 08 83 F8 02 74 1C }      // anti-debug stub
    condition:
        // PE check (MZ header, read little-endian), any indicator string, and a size cap
        uint16(0) == 0x5A4D and (any of ($s*)) and filesize < 2MB
}
```
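To show what each clause of the YARA rule above actually tests (the little-endian `uint16(0)` MZ check, the `wide` UTF-16LE form of `$s1`, the hex stub `$s3` and the `filesize` cap), here is an added pure-Python re-implementation of its matching logic run over constructed sample buffers. This is example code written for this page, not the rule author's tooling; the sample buffers are synthetic and contain no real malware.

```python
import struct

# Strings and hex bytes taken from the Solaris_Malware rule on this page.
S1_ASCII = b"SolarisClient"
S1_WIDE = "SolarisClient".encode("utf-16-le")   # YARA 'wide' modifier = UTF-16LE
S2_ASCII = b"C2_Domain_Check"
S3_HEX = bytes.fromhex("8B 45 08 83 F8 02 74 1C")  # anti-debug stub
MAX_SIZE = 2 * 1024 * 1024                        # YARA's 2MB is 2 * 1024 * 1024 bytes

def string_hits(data: bytes) -> dict:
    """Which of $s1..$s3 are present, honouring each string's modifiers."""
    return {
        "$s1": S1_ASCII in data or S1_WIDE in data,  # wide ascii
        "$s2": S2_ASCII in data,                     # ascii only
        "$s3": S3_HEX in data,                       # raw hex pattern
    }

def matches_solaris_rule(data: bytes) -> bool:
    """Equivalent of: uint16(0) == 0x5A4D and (any of ($s*)) and filesize < 2MB."""
    if len(data) < 2 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False                  # uint16(0) is read little-endian: b"MZ" -> 0x5A4D
    if len(data) >= MAX_SIZE:
        return False                  # filesize < 2MB
    return any(string_hits(data).values())

# Constructed samples (synthetic, not real binaries): a bare MZ stub plus padding.
MZ_STUB = b"MZ" + b"\x00" * 62
SAMPLE_WIDE = MZ_STUB + b"\x90" * 16 + S1_WIDE + b"\x00" * 16   # only the UTF-16LE form
SAMPLE_HEX = MZ_STUB + b"\xcc" * 8 + S3_HEX + b"\xc3"            # only the hex stub
SAMPLE_NO_MZ = b"PK\x03\x04" + S1_ASCII                          # string present, not a PE
SAMPLE_TOO_BIG = MZ_STUB + S2_ASCII + b"\x00" * MAX_SIZE         # indicator present, over the cap

if __name__ == "__main__":
    for name, buf in [("wide", SAMPLE_WIDE), ("hex", SAMPLE_HEX),
                      ("no_mz", SAMPLE_NO_MZ), ("too_big", SAMPLE_TOO_BIG)]:
        print(f"{name:8} match={matches_solaris_rule(buf)} hits={string_hits(buf)}")
```

The `no_mz` and `too_big` samples show why the header and size clauses matter: an indicator string alone does not fire the rule.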