Edit tour

Windows Analysis Report
solara-executor.exe

Overview

General Information

Sample name:	solara-executor.exe
Analysis ID:	1577819
MD5:	6107673fe6de87ac938d8d45ceee771b
SHA1:	0ebf97d44da9ce419102f2407e4b92ccc75677dd
SHA256:	1d820e33b6818f08161dbd3766b37e971b7531ee018dee1eb21822edb1eaa545
Tags:	exeuser-aachum
Infos:

Detection

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Contain functionality to detect virtual machines

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

PE file contains section with special chars

Tries to harvest and steal browser information (history, passwords, etc)

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Detected potential crypto function

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

solara-executor.exe (PID: 7316 cmdline: "C:\Users\user\Desktop\solara-executor.exe" MD5: 6107673FE6DE87AC938D8D45CEEE771B)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.4005142779.000001984BFF0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: solara-executor.exe PID: 7316	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.solara-executor.exe.1984c1381d0.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T19:37:15.832886+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49714	172.67.75.163	443	TCP

Joe Sandbox Signatures

• AV Detection
• Cryptography
• Compliance
• Spreading
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection
• Stealing of Sensitive Information

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: solara-executor.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: solara-executor.exe

ReversingLabs: Detection: 18%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: solara-executor.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\solara-executor.exe

Code function: 0_2_000001984C0B7740 Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,CryptUnprotectData,

Source: unknown

HTTPS traffic detected: 172.67.75.163:443 -> 192.168.2.6:49714 version: TLS 1.2

Source: solara-executor.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\55yar\Desktop\imgui-master\examples\imgui_loader\Release\example_win32_directx9.pdb source: solara-executor.exe, solara-executor.exe, 00000000.00000002.4009987562.00007FF6341B1000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Users\55yar\Desktop\imgui-master\examples\imgui_loader\Release\example_win32_directx9.pdb/''GCTL source: solara-executor.exe, 00000000.00000002.4009987562.00007FF6341B1000.00000040.00000001.01000000.00000003.sdmp

Source: C:\Users\user\Desktop\solara-executor.exe

Code function: 0_2_000001984C01F46A Concurrency::details::WorkQueue::IsStructuredEmpty,FindFirstFileA,type_info::_name_internal_method,type_info::_name_internal_method,type_info::_name_internal_method,

Source: Joe Sandbox View

IP Address: 172.67.75.163 172.67.75.163

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49714 -> 172.67.75.163:443

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.74 Safari/537.36 Edg/79.0.309.43Host: api.myip.com

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.74 Safari/537.36 Edg/79.0.309.43Host: api.myip.com

Source: global traffic

DNS traffic detected: DNS query: api.myip.com

Source: solara-executor.exe, 00000000.00000002.4005142779.000001984BFF0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://https://https/:://websocketpp.processorGeneric
Source: solara-executor.exe, 00000000.00000003.2239000405.000001984C787000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000003.2224404179.000001984C836000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000002.4005978558.000001984C6AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: solara-executor.exe, 00000000.00000003.2211474780.000001984C44F000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000003.2246199496.000001984BF94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.myip.com/
Source: solara-executor.exe, 00000000.00000002.4005142779.000001984BFF0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.myip.com/Russia
Source: solara-executor.exe, 00000000.00000003.2202318264.000001984C79C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: solara-executor.exe, 00000000.00000003.2202318264.000001984C79C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: solara-executor.exe, 00000000.00000003.2239000405.000001984C787000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000003.2224404179.000001984C836000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000002.4005978558.000001984C6AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: solara-executor.exe, 00000000.00000003.2239000405.000001984C787000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000003.2224404179.000001984C836000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000002.4005978558.000001984C6AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: solara-executor.exe, 00000000.00000003.2239000405.000001984C787000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000003.2224404179.000001984C836000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000002.4005978558.000001984C6AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: solara-executor.exe, 00000000.00000003.2202318264.000001984C79C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: solara-executor.exe, 00000000.00000003.2202318264.000001984C79C000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000003.2212662127.000001984C79C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: solara-executor.exe, 00000000.00000003.2239000405.000001984C787000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000003.2224404179.000001984C836000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000002.4005978558.000001984C6AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: solara-executor.exe, 00000000.00000003.2239000405.000001984C787000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000003.2224404179.000001984C836000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000002.4005978558.000001984C6AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: solara-executor.exe, 00000000.00000003.2239000405.000001984C787000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000003.2224404179.000001984C836000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000002.4005978558.000001984C6AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: solara-executor.exe, solara-executor.exe, 00000000.00000002.4009987562.00007FF6341B1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/ocornut/imgui/blob/master/docs/FAQ.md#qa-usage
Source: solara-executor.exe, 00000000.00000002.4009987562.00007FF6341B1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/ocornut/imgui/blob/master/docs/FAQ.md#qa-usage(Hold
Source: solara-executor.exe, 00000000.00000003.2202318264.000001984C79C000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000003.2212662127.000001984C79C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: solara-executor.exe, 00000000.00000003.2202318264.000001984C79C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: solara-executor.exe, 00000000.00000003.2239000405.000001984C787000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000003.2224404179.000001984C836000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000002.4005978558.000001984C6AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: solara-executor.exe, 00000000.00000003.2239000405.000001984C787000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000003.2224404179.000001984C836000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000002.4005978558.000001984C6AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: solara-executor.exe, 00000000.00000003.2202318264.000001984C79C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_

Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714

Source: unknown

HTTPS traffic detected: 172.67.75.163:443 -> 192.168.2.6:49714 version: TLS 1.2

Source: C:\Users\user\Desktop\solara-executor.exe

Code function: 0_2_00007FF6341D1D70 OpenClipboard,MultiByteToWideChar,GlobalAlloc,GlobalLock,MultiByteToWideChar,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,CloseClipboard,

Source: C:\Users\user\Desktop\solara-executor.exe

Code function: 0_2_00007FF6341D1D70 OpenClipboard,MultiByteToWideChar,GlobalAlloc,GlobalLock,MultiByteToWideChar,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,CloseClipboard,

Source: C:\Users\user\Desktop\solara-executor.exe

Code function: 0_2_00007FF6341D1C20 OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,CloseClipboard,

Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF634200330 GetClientRect,QueryPerformanceCounter,GetForegroundWindow,ClientToScreen,SetCursorPos,GetCursorPos,ScreenToClient,GetKeyState,GetKeyState,GetKeyState,GetKeyState,
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF634200D02 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,

System Summary

PE file contains section with special chars

Source: solara-executor.exe

Static PE information: section name: "/hR

Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF634203F90 PostQuitMessage,GetWindowRect,SetWindowPos,NtdllDefWindowProc_A,
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF63420E278 NtdllDefWindowProc_A,

Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF634204720
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341FEA60
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341FF2F0
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF634200330
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341FFCE0
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341DAD40
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341FE5B0
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341B5D90
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341F0DE0
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341E25F0
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341ECDD0
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341C4620
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341CD620
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341B9E10
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341D96B0
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341C46F0
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341D7EF0
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341C6EC0
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341B9730
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341BDFB0
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341E97F0
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341DBFC0
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341F6090
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341EF9E0
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341E59E0
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341DB1E0
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341CE1C0
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341C5A30
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341F2A00
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341CFA00
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341DC270
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341CC250
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341CF250
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341FBA80
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341FC310
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341FA370
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341FCB40
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341DDB50
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341BFBB0
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341B7390
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341E6BC0
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341B6CB0
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341D6C90
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341E7CE0
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341D54F0
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341ED530
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF634200D02
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF6341DBD10
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_000001984C0E0FF0
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_000001984C043841
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_000001984C00BA30

Source: C:\Users\user\Desktop\solara-executor.exe	Code function: String function: 00007FF6341D1F40 appears 40 times
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: String function: 00007FF6341C85B0 appears 36 times
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: String function: 00007FF63420E460 appears 867 times

Source: solara-executor.exe

Static PE information: Section: bbbb ZLIB complexity 0.9988679984861591

Source: classification engine

Classification label: mal88.spyw.evad.winEXE@1/1@1/1

Source: C:\Users\user\Desktop\solara-executor.exe

Code function: 0_2_000001984BFF6FE0 std::_Fac_node::_Fac_node,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,

Source: C:\Users\user\Desktop\solara-executor.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\HJWXIAQ3.htm

Jump to behavior

Source: C:\Users\user\Desktop\solara-executor.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: solara-executor.exe, 00000000.00000002.4005978558.000001984C5BA000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000002.4005978558.000001984C5DE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: solara-executor.exe

ReversingLabs: Detection: 18%

Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: d3d9.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: winmm.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: xinput1_4.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: devobj.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: inputhost.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: schannel.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\solara-executor.exe	Section loaded: ncryptsslp.dll

Source: C:\Users\user\Desktop\solara-executor.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Source: solara-executor.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: solara-executor.exe

Static file information: File size 1248295 > 1048576

Source: solara-executor.exe

Static PE information: Raw size of bbbb is bigger than: 0x100000 < 0x121000

Source: solara-executor.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\55yar\Desktop\imgui-master\examples\imgui_loader\Release\example_win32_directx9.pdb source: solara-executor.exe, solara-executor.exe, 00000000.00000002.4009987562.00007FF6341B1000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Users\55yar\Desktop\imgui-master\examples\imgui_loader\Release\example_win32_directx9.pdb/''GCTL source: solara-executor.exe, 00000000.00000002.4009987562.00007FF6341B1000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\solara-executor.exe

Unpacked PE file: 0.2.solara-executor.exe.7ff6341b0000.1.unpack "/hR:EW;bbbb:EW;Unknown_Section2:W; vs "/hR:ER;bbbb:ER;Unknown_Section2:W;

Source: C:\Users\user\Desktop\solara-executor.exe

Code function: 0_2_00007FF6341FF7A0 QueryPerformanceFrequency,QueryPerformanceCounter,GetKeyboardLayout,GetLocaleInfoA,LoadLibraryA,GetProcAddress,GetProcAddress,

Source: initial sample

Static PE information: section where entry point is pointing to: bbbb

Source: solara-executor.exe	Static PE information: section name: "/hR
Source: solara-executor.exe	Static PE information: section name: bbbb
Source: solara-executor.exe	Static PE information: section name: bNbF

Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF63420E578 push rax; retf
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_000001984C16D632 pushfd ; retf BD37h

Source: solara-executor.exe

Static PE information: section name: bbbb entropy: 7.999761627141752

Malware Analysis System Evasion

Contain functionality to detect virtual machines

Source: C:\Users\user\Desktop\solara-executor.exe	Code function: SOFTWARE\VMware, Inc.\VMware Tools SOFTWARE\VMware, Inc.\VMware Tools SOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: \\.\VBoxMiniRdrDN \\.\VBoxMiniRdrDN \\.\VBoxMiniRdrDN

Source: C:\Users\user\Desktop\solara-executor.exe

File opened / queried: VBoxMiniRdrDN

Source: C:\Users\user\Desktop\solara-executor.exe	Window / User API: threadDelayed 5529
Source: C:\Users\user\Desktop\solara-executor.exe	Window / User API: foregroundWindowGot 1664

Source: C:\Users\user\Desktop\solara-executor.exe

Source: solara-executor.exe, 00000000.00000002.4009987562.00007FF6344D1000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware ToolsNOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm0123456789+/LoadLibraryA
Source: solara-executor.exe, 00000000.00000003.2183482801.000001984C5E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: solara-executor.exe, 00000000.00000003.2183482801.000001984C5E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: solara-executor.exe, 00000000.00000003.2183482801.000001984C5E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: solara-executor.exe, 00000000.00000002.4005142779.000001984BFF0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: vmtoolsdvboxserviceu
Source: solara-executor.exe, 00000000.00000002.4005142779.000001984BFF0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: vboxservice
Source: solara-executor.exe, 00000000.00000002.4009987562.00007FF6344D1000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Kernel32.dllKernel32.dll\\.\VBoxMiniRdrDN
Source: solara-executor.exe, 00000000.00000002.4005142779.000001984BFF0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: vboxtrayx64dbgh
Source: solara-executor.exe, 00000000.00000003.2183482801.000001984C5E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: solara-executor.exe, 00000000.00000003.2183482801.000001984C5E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: solara-executor.exe, 00000000.00000002.4005142779.000001984BFF0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareuser
Source: solara-executor.exe, solara-executor.exe, 00000000.00000002.4009987562.00007FF6344D1000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: \\.\VBoxMiniRdrDN
Source: solara-executor.exe, 00000000.00000003.2183482801.000001984C5E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: solara-executor.exe, 00000000.00000003.2183482801.000001984C5E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: solara-executor.exe, 00000000.00000003.2211474780.000001984C45E000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000003.2208261026.000001984C45E000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000002.4005708630.000001984C45E000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000002.4004385732.000001984BF2E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: solara-executor.exe, 00000000.00000003.2183482801.000001984C5E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: solara-executor.exe, 00000000.00000003.2183482801.000001984C5E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: solara-executor.exe, 00000000.00000003.2183482801.000001984C5E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: solara-executor.exe, 00000000.00000003.2183482801.000001984C5E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: solara-executor.exe, 00000000.00000002.4005142779.000001984BFF0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: vmwaretray
Source: solara-executor.exe, 00000000.00000002.4004385732.000001984BF2E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: solara-executor.exe, 00000000.00000003.2183482801.000001984C5E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: solara-executor.exe, 00000000.00000002.4005142779.000001984BFF0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: qemu-gaVGAuthServicevmwaretrayv
Source: solara-executor.exe, 00000000.00000003.2183482801.000001984C5E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: solara-executor.exe, 00000000.00000003.2183482801.000001984C5E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: solara-executor.exe, 00000000.00000003.2183482801.000001984C5E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: solara-executor.exe, 00000000.00000003.2183482801.000001984C5E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: solara-executor.exe, 00000000.00000003.2183482801.000001984C5E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: solara-executor.exe, solara-executor.exe, 00000000.00000002.4005142779.000001984BFF0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: vboxtray
Source: solara-executor.exe, solara-executor.exe, 00000000.00000002.4005142779.000001984BFF0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: qemu-ga
Source: solara-executor.exe, 00000000.00000003.2183482801.000001984C5E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: solara-executor.exe, 00000000.00000003.2183482801.000001984C5E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: solara-executor.exe, 00000000.00000002.4009987562.00007FF6344D1000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: solara-executor.exe, 00000000.00000003.2183482801.000001984C5E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: solara-executor.exe, 00000000.00000003.2183482801.000001984C5E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: solara-executor.exe, 00000000.00000003.2183482801.000001984C5E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: solara-executor.exe, 00000000.00000003.2183482801.000001984C5E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: solara-executor.exe, 00000000.00000002.4005142779.000001984BFF0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: wiresharkvmwareuseri
Source: solara-executor.exe, 00000000.00000003.2183482801.000001984C5E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: solara-executor.exe, 00000000.00000003.2183482801.000001984C5E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: solara-executor.exe, 00000000.00000002.4005142779.000001984BFF0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: vmtoolsd
Source: solara-executor.exe, 00000000.00000003.2183482801.000001984C5E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: solara-executor.exe, 00000000.00000003.2183482801.000001984C5E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: solara-executor.exe, 00000000.00000003.2183482801.000001984C5E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: solara-executor.exe, 00000000.00000003.2183482801.000001984C5E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: solara-executor.exe, 00000000.00000003.2183482801.000001984C5E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: solara-executor.exe, 00000000.00000003.2183482801.000001984C5E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\solara-executor.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\solara-executor.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\solara-executor.exe

Code function: 0_2_00007FF63420C628 IsProcessorFeaturePresent,00007FFDA46F19C0,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FFDA46F19C0,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\Desktop\solara-executor.exe

Code function: 0_2_00007FF6341FF7A0 QueryPerformanceFrequency,QueryPerformanceCounter,GetKeyboardLayout,GetLocaleInfoA,LoadLibraryA,GetProcAddress,GetProcAddress,

Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF63420C628 IsProcessorFeaturePresent,00007FFDA46F19C0,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FFDA46F19C0,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF63420C80C SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF63420E0B0 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF63420E0D0 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: 0_2_00007FF63420E0C0 SetUnhandledExceptionFilter,

Source: C:\Users\user\Desktop\solara-executor.exe	Code function: QueryPerformanceFrequency,QueryPerformanceCounter,GetKeyboardLayout,GetLocaleInfoA,LoadLibraryA,GetProcAddress,GetProcAddress,
Source: C:\Users\user\Desktop\solara-executor.exe	Code function: GetKeyboardLayout,GetLocaleInfoA,

Source: C:\Users\user\Desktop\solara-executor.exe

Code function: 0_2_00007FF63420C8B8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Stealing of Sensitive Information

Found many strings related to Crypto-Wallets (likely being stolen)

Source: solara-executor.exe	String found in binary or memory: Electrum-LTC
Source: solara-executor.exe	String found in binary or memory: \ElectronCash\wallets
Source: solara-executor.exe	String found in binary or memory: \com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: solara-executor.exe	String found in binary or memory: \Exodus\exodus.wallet
Source: solara-executor.exe	String found in binary or memory: \Ethereum\keystore
Source: solara-executor.exe	String found in binary or memory: Exodus Web
Source: solara-executor.exe	String found in binary or memory: Ethereum
Source: solara-executor.exe	String found in binary or memory: \Coinomi\Coinomi\wallets
Source: solara-executor.exe	String found in binary or memory: \Ethereum\keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\solara-executor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\solara-executor.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js
Source: C:\Users\user\Desktop\solara-executor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\solara-executor.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\cookies.sqlite
Source: C:\Users\user\Desktop\solara-executor.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\prefs.js
Source: C:\Users\user\Desktop\solara-executor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\solara-executor.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\solara-executor.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
Source: C:\Users\user\Desktop\solara-executor.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\solara-executor.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\solara-executor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\solara-executor.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History

Source: Yara match	File source: 0.2.solara-executor.exe.1984c1381d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4005142779.000001984BFF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: solara-executor.exe PID: 7316, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Input Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Virtualization/Sandbox Evasion	1 Input Capture	121 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	3 Clipboard Data	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

No bigger version

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
solara-executor.exe	18%	ReversingLabs
solara-executor.exe	100%	Avira	HEUR/AGEN.1314582
solara-executor.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://https://https/:://websocketpp.processorGeneric	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.myip.com	172.67.75.163	true	false		high
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.myip.com/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://https://https/:://websocketpp.processorGeneric	solara-executor.exe, 00000000.00000002.4005142779.000001984BFF0000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	solara-executor.exe, 00000000.00000003.2239000405.000001984C787000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000003.2224404179.000001984C836000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000002.4005978558.000001984C6AF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	solara-executor.exe, 00000000.00000003.2239000405.000001984C787000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000003.2224404179.000001984C836000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000002.4005978558.000001984C6AF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	solara-executor.exe, 00000000.00000003.2239000405.000001984C787000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000003.2224404179.000001984C836000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000002.4005978558.000001984C6AF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	solara-executor.exe, 00000000.00000003.2239000405.000001984C787000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000003.2224404179.000001984C836000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000002.4005978558.000001984C6AF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	solara-executor.exe, 00000000.00000003.2202318264.000001984C79C000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000003.2212662127.000001984C79C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.	solara-executor.exe, 00000000.00000003.2202318264.000001984C79C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/ocornut/imgui/blob/master/docs/FAQ.md#qa-usage	solara-executor.exe, solara-executor.exe, 00000000.00000002.4009987562.00007FF6341B1000.00000040.00000001.01000000.00000003.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	solara-executor.exe, 00000000.00000003.2239000405.000001984C787000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000003.2224404179.000001984C836000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000002.4005978558.000001984C6AF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	solara-executor.exe, 00000000.00000003.2202318264.000001984C79C000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000003.2212662127.000001984C79C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3	solara-executor.exe, 00000000.00000003.2202318264.000001984C79C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	solara-executor.exe, 00000000.00000003.2239000405.000001984C787000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000003.2224404179.000001984C836000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000002.4005978558.000001984C6AF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	solara-executor.exe, 00000000.00000003.2239000405.000001984C787000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000003.2224404179.000001984C836000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000002.4005978558.000001984C6AF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.myip.com/Russia	solara-executor.exe, 00000000.00000002.4005142779.000001984BFF0000.00000040.00001000.00020000.00000000.sdmp	false		high
https://github.com/ocornut/imgui/blob/master/docs/FAQ.md#qa-usage(Hold	solara-executor.exe, 00000000.00000002.4009987562.00007FF6341B1000.00000040.00000001.01000000.00000003.sdmp	false		high
https://www.ecosia.org/newtab/	solara-executor.exe, 00000000.00000003.2239000405.000001984C787000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000003.2224404179.000001984C836000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000002.4005978558.000001984C6AF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg	solara-executor.exe, 00000000.00000003.2202318264.000001984C79C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	solara-executor.exe, 00000000.00000003.2239000405.000001984C787000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000003.2224404179.000001984C836000.00000004.00000020.00020000.00000000.sdmp, solara-executor.exe, 00000000.00000002.4005978558.000001984C6AF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_	solara-executor.exe, 00000000.00000003.2202318264.000001984C79C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta	solara-executor.exe, 00000000.00000003.2202318264.000001984C79C000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.75.163	api.myip.com	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1577819
Start date and time:	2024-12-18 19:36:18 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 47s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	solara-executor.exe
Detection:	MAL
Classification:	mal88.spyw.evad.winEXE@1/1@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 88% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 40.126.53.6, 20.223.36.55, 13.107.246.63, 20.109.210.53, 20.223.35.26, 2.18.40.157, 150.171.28.10, 2.18.40.144, 23.218.208.109
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, tse1.mm.bing.net, g.bing.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, ocsp.edge.digicert.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: solara-executor.exe

Process:	C:\Users\user\Desktop\solara-executor.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	57
Entropy (8bit):	4.406851198109578
Encrypted:	false
SSDEEP:	3:YMb1gXME2OMfQxaNmGGL4:YMeX32uxaNmRL4
MD5:	720F698997A1D19594ED650E32E02974
SHA1:	A4F89E711434820EAA2250F0421904468ED9D13F
SHA-256:	0949A3EF0FE90F28780ADDE31202E2DC9C5FA57123355DF9C9FAA89A6EECCC04
SHA-512:	32D94C8297E64041F851F62D168A7AB8418ABEFB97B1AD0B33D2D801DDF204AF2228D29470AEF18F3A9309FF3E9A8C78CC657D7D5DFC40F70F27EE34100812FA
Malicious:	false
Reputation:	low
Preview:	{"ip":"8.46.123.189","country":"United States","cc":"US"}

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.941670398228598
TrID:	Win64 Executable GUI (202006/5) 93.51% Win64 Executable (generic) (12005/4) 5.56% DOS Executable Generic (2002/1) 0.93% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	solara-executor.exe
File size:	1'248'295 bytes
MD5:	6107673fe6de87ac938d8d45ceee771b
SHA1:	0ebf97d44da9ce419102f2407e4b92ccc75677dd
SHA256:	1d820e33b6818f08161dbd3766b37e971b7531ee018dee1eb21822edb1eaa545
SHA512:	798affa3cabc3537d226ebdffa458309b0fa81a21939990eebdf121971e870d70d96f8b75ff6746b5d397e28015beb81f8af35df51f10adbf91c378d4dce74d2
SSDEEP:	24576:PDnqyaenIySWhuUSC/i/dH9ONOznpY4sEkm30TEhibtyuk5mj5dRvgRnFpt:PGy5LSwUdbznqfEZ3RGN2Fpt
TLSH:	DE45122BB7E46771D934D473CB9BC71AB330A262D0768B5B05C28B1F665A00A774BF18
File Content Preview:	MZ......................@.2.92.UPX!._0x001818c..........................!..L.!This program cannot be run in DOS mode....$.......4=..p\..p\..p\..y$P.`\..`...v\..`...r\..`...y\..`...n\..;$..`\..W...s\..p\...\..;...x\..;.<.q\..;...q\..Richp\.................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x140631280
Entrypoint Section:	bbbb
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6761A24F [Tue Dec 17 16:09:51 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	b20f1daac672151d282f9ffd530ca36b

Entrypoint Preview

Instruction
push ebx
push esi
push edi
push ebp
dec eax
lea esi, dword ptr [FFEDFD75h]
dec eax
lea edi, dword ptr [esi-00510000h]
push edi
mov eax, 0062FDCFh
push eax
dec eax
mov ecx, esp
dec eax
mov edx, edi
dec eax
mov edi, esi
mov esi, 00120274h
push ebp
dec eax
mov ebp, esp
inc esp
mov ecx, dword ptr [ecx]
dec ecx
mov eax, edx
dec eax
mov edx, esi
dec eax
lea esi, dword ptr [edi+02h]
push esi
mov al, byte ptr [edi]
dec edx
mov cl, al
and al, 07h
shr cl, 00000003h
dec eax
mov ebx, FFFFFD00h
dec eax
shl ebx, cl
mov cl, al
dec eax
lea ebx, dword ptr [esp+ebx*2-00000E78h]
dec eax
and ebx, FFFFFFC0h
push 00000000h
dec eax
cmp esp, ebx
jne 00007FE4B148D8CBh
push ebx
dec eax
lea edi, dword ptr [ebx+08h]
mov cl, byte ptr [esi-01h]
dec edx
mov byte ptr [edi+02h], al
mov al, cl
shr cl, 00000004h
mov byte ptr [edi+01h], cl
and al, 0Fh
mov byte ptr [edi], al
dec eax
lea ecx, dword ptr [edi-04h]
push eax
inc ecx
push edi
dec eax
lea eax, dword ptr [edi+04h]
inc ebp
xor edi, edi
inc ecx
push esi
inc ecx
mov esi, 00000001h
inc ecx
push ebp
inc ebp
xor ebp, ebp
inc ecx
push esp
push ebp
push ebx
dec eax
sub esp, 48h
dec eax
mov dword ptr [esp+38h], ecx
dec eax
mov dword ptr [esp+20h], eax
mov eax, 00000001h
dec eax
mov dword ptr [esp+40h], esi
dec esp
mov dword ptr [esp+30h], eax
mov ebx, eax
inc esp
mov dword ptr [esp+2Ch], ecx
movzx ecx, byte ptr [edi+02h]
shl ebx, cl
mov ecx, ebx

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729
[IMP] VS2005 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6411b0	0x504	bNbF
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x632000	0xf1b0	bNbF
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x322000	0x4410	"/hR
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6416b4	0x20	bNbF
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x631e60	0x28	bbbb
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x631e90	0x140	bbbb
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
"/hR	0x1000	0x510000	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
bbbb	0x511000	0x121000	0x121000	fb76c604981fcb6c4067a2c5117730c7	False	0.9988679984861591	data	7.999761627141752	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
bNbF	0x632000	0x10000	0xf800	0c5ce6f0a1e32589f6d634730baa9e50	False	0.2612462197580645	data	3.9453169926813554	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
None	0x640ff4	0x2e	data			1.108695652173913
RT_RCDATA	0x336020	0x3201	empty			0
RT_RCDATA	0x339224	0x3201	empty			0
RT_RCDATA	0x33c428	0x3201	empty			0
RT_RCDATA	0x33f62c	0x3201	empty			0
RT_RCDATA	0x342830	0x3201	empty			0
RT_RCDATA	0x345a34	0x3201	empty			0
RT_RCDATA	0x348c38	0x3201	empty			0
RT_RCDATA	0x34be3c	0x3201	empty			0
RT_RCDATA	0x34f040	0x3201	empty			0
RT_RCDATA	0x352244	0x3201	empty			0
RT_RCDATA	0x355448	0x3201	empty			0
RT_RCDATA	0x35864c	0x3201	empty			0
RT_RCDATA	0x35b850	0x3201	empty			0
RT_RCDATA	0x35ea54	0x3201	empty			0
RT_RCDATA	0x361c58	0x3201	empty			0
RT_RCDATA	0x364e5c	0x3201	empty			0
RT_RCDATA	0x368060	0x3201	empty			0
RT_RCDATA	0x36b264	0x3201	empty			0
RT_RCDATA	0x36e468	0x3201	empty			0
RT_RCDATA	0x37166c	0x3201	empty			0
RT_RCDATA	0x374870	0x3201	empty			0
RT_RCDATA	0x377a74	0x3201	empty			0
RT_RCDATA	0x37ac78	0x3201	empty			0
RT_RCDATA	0x37de7c	0x3201	empty			0
RT_RCDATA	0x381080	0x3201	empty			0
RT_RCDATA	0x384284	0x3201	empty			0
RT_RCDATA	0x387488	0x3201	empty			0
RT_RCDATA	0x38a68c	0x3201	empty			0
RT_RCDATA	0x38d890	0x76	empty			0
RT_RCDATA	0x38d908	0x22	empty			0
RT_RCDATA	0x38d92c	0x3201	empty			0
RT_RCDATA	0x390b30	0x3201	empty			0
RT_RCDATA	0x393d34	0x3201	empty			0
RT_RCDATA	0x396f38	0x3201	empty			0
RT_RCDATA	0x39a13c	0x3201	empty			0
RT_RCDATA	0x39d340	0x796	empty			0
RT_RCDATA	0x39dad8	0xf	empty			0
RT_RCDATA	0x39dae8	0x3201	empty			0
RT_RCDATA	0x3a0cec	0x3201	empty			0
RT_RCDATA	0x3a3ef0	0xedcf4	empty			0
RT_RCDATA	0x491be4	0x3201	empty			0
RT_RCDATA	0x494de8	0x9418	empty			0
RT_RCDATA	0x49e200	0x3201	empty			0
RT_RCDATA	0x4a1404	0x3201	empty			0
RT_RCDATA	0x4a4608	0x55	empty			0
RT_RCDATA	0x4a4660	0x3201	empty			0
RT_RCDATA	0x4a7864	0x3201	empty			0
RT_RCDATA	0x4aaa68	0x3201	empty			0
RT_RCDATA	0x4adc6c	0x3201	empty			0
RT_RCDATA	0x4b0e70	0x3201	empty			0
RT_RCDATA	0x4b4074	0x3201	empty			0
RT_RCDATA	0x4b7278	0x9e	empty			0
RT_RCDATA	0x4b7318	0x1f2	empty			0
RT_RCDATA	0x4b750c	0x3201	empty			0
RT_RCDATA	0x4ba710	0x3201	empty			0
RT_RCDATA	0x4bd914	0x3201	empty			0
RT_RCDATA	0x4c0b18	0x3201	empty			0
RT_RCDATA	0x4c3d1c	0x7d	empty			0
RT_RCDATA	0x4c3d9c	0x7d	empty			0
RT_RCDATA	0x4c3e1c	0x7d	empty			0
RT_RCDATA	0x4c3e9c	0x7d	empty			0
RT_RCDATA	0x4c3f1c	0x7d	empty			0
RT_RCDATA	0x4c3f9c	0x7d	empty			0
RT_RCDATA	0x4c401c	0x7d	empty			0
RT_RCDATA	0x4c409c	0x7d	empty			0
RT_RCDATA	0x4c411c	0x7d	empty			0
RT_RCDATA	0x4c419c	0x7d	empty			0
RT_RCDATA	0x4c421c	0x7d	empty			0
RT_RCDATA	0x4c429c	0x7d	empty			0
RT_RCDATA	0x4c431c	0x7d	empty			0
RT_RCDATA	0x4c439c	0x7d	empty			0
RT_RCDATA	0x4c441c	0x7d	empty			0
RT_RCDATA	0x4c449c	0x7d	empty			0
RT_RCDATA	0x4c451c	0x7d	empty			0
RT_RCDATA	0x4c459c	0x7d	empty			0
RT_RCDATA	0x4c461c	0x3201	empty			0
RT_RCDATA	0x4c7820	0x3201	empty			0
RT_RCDATA	0x4caa24	0x3201	empty			0
RT_RCDATA	0x4cdc28	0x3201	empty			0
RT_RCDATA	0x4d0e2c	0x3201	empty			0
RT_RCDATA	0x4d4030	0x3201	empty			0
RT_RCDATA	0x4d7234	0x3201	empty			0
RT_RCDATA	0x4da438	0x3201	empty			0
RT_RCDATA	0x4dd63c	0x3201	empty			0
RT_RCDATA	0x4e0840	0x3201	empty			0
RT_RCDATA	0x4e3a44	0x3201	empty			0
RT_RCDATA	0x4e6c48	0x3201	empty			0
RT_RCDATA	0x4e9e4c	0x3201	empty			0
RT_RCDATA	0x4ed050	0x3201	empty			0
RT_RCDATA	0x4f0254	0x3201	empty			0
RT_RCDATA	0x4f3458	0x3201	empty			0
RT_RCDATA	0x4f665c	0x3201	empty			0
RT_RCDATA	0x4f9860	0x3201	empty			0
RT_RCDATA	0x4fca64	0x3201	empty			0
RT_RCDATA	0x4ffc68	0x3201	empty			0
RT_RCDATA	0x502e6c	0x3201	empty			0
RT_RCDATA	0x506070	0x3201	empty			0
RT_RCDATA	0x509274	0x3201	empty			0
RT_RCDATA	0x50c478	0x3201	empty			0
RT_RCDATA	0x50f67c	0x3201	empty			0
RT_RCDATA	0x512880	0x3201	data			1.0008593078665728
RT_RCDATA	0x515a84	0x3201	data			1.0008593078665728
RT_RCDATA	0x518c88	0x3201	data			1.0008593078665728
RT_RCDATA	0x51be8c	0x3201	data			1.0008593078665728
RT_RCDATA	0x51f090	0x3201	data			1.0008593078665728
RT_RCDATA	0x522294	0x3201	data			1.0008593078665728
RT_RCDATA	0x525498	0x3201	data			1.0008593078665728
RT_RCDATA	0x52869c	0x3201	data			1.0008593078665728
RT_RCDATA	0x52b8a0	0x3201	data			1.0008593078665728
RT_RCDATA	0x52eaa4	0x3201	data			1.0008593078665728
RT_RCDATA	0x531ca8	0x3201	data			1.0008593078665728
RT_RCDATA	0x534eac	0x3201	data			1.0008593078665728
RT_RCDATA	0x5380b0	0x3201	data			1.0008593078665728
RT_RCDATA	0x53b2b4	0x3201	data			1.0008593078665728
RT_RCDATA	0x53e4b8	0x3201	OpenPGP Public Key			1.0008593078665728
RT_RCDATA	0x5416bc	0x3201	data			1.0008593078665728
RT_RCDATA	0x5448c0	0x3201	data			1.0008593078665728
RT_RCDATA	0x547ac4	0x3201	data			1.0008593078665728
RT_RCDATA	0x54acc8	0x3201	data			1.0008593078665728
RT_RCDATA	0x54decc	0x3201	data			1.0008593078665728
RT_RCDATA	0x5510d0	0x3201	data			1.0008593078665728
RT_RCDATA	0x5542d4	0x3201	data			1.0008593078665728
RT_RCDATA	0x5574d8	0x3201	data			1.0008593078665728
RT_RCDATA	0x55a6dc	0x3201	data			1.0008593078665728
RT_RCDATA	0x55d8e0	0x3201	data			1.0008593078665728
RT_RCDATA	0x560ae4	0x3201	data			1.0008593078665728
RT_RCDATA	0x563ce8	0x3201	data			1.0008593078665728
RT_RCDATA	0x566eec	0x3201	data			1.0008593078665728
RT_RCDATA	0x56a0f0	0x3201	SysEx File -			1.0008593078665728
RT_RCDATA	0x56d2f4	0x3201	data			1.0008593078665728
RT_RCDATA	0x5704f8	0x3201	data			1.0008593078665728
RT_RCDATA	0x5736fc	0x3201	data			1.0008593078665728
RT_RCDATA	0x576900	0x3201	data			1.0008593078665728
RT_RCDATA	0x579b04	0x3201	data			1.0008593078665728
RT_RCDATA	0x57cd08	0x3201	data			1.0008593078665728
RT_RCDATA	0x57ff0c	0x3201	data			1.0008593078665728
RT_RCDATA	0x583110	0x3201	data			1.0008593078665728
RT_RCDATA	0x586314	0x3201	data			1.0008593078665728
RT_RCDATA	0x589518	0x3201	data			1.0008593078665728
RT_RCDATA	0x58c71c	0x3201	data			1.0008593078665728
RT_RCDATA	0x58f920	0x3201	data			1.0008593078665728
RT_RCDATA	0x592b24	0x3201	data			1.0008593078665728
RT_RCDATA	0x595d28	0x3201	data			1.0008593078665728
RT_RCDATA	0x598f2c	0x3201	data			1.0008593078665728
RT_RCDATA	0x59c130	0x3201	data			1.0008593078665728
RT_RCDATA	0x59f334	0x3201	data			1.0008593078665728
RT_RCDATA	0x5a2538	0x3201	OpenPGP Public Key			1.0008593078665728
RT_RCDATA	0x5a573c	0x3201	data			1.0008593078665728
RT_RCDATA	0x5a8940	0x3201	data			1.0008593078665728
RT_RCDATA	0x5abb44	0x3201	data			1.0008593078665728
RT_RCDATA	0x5aed48	0x3201	data			1.0008593078665728
RT_RCDATA	0x5b1f4c	0x3201	data			1.0008593078665728
RT_RCDATA	0x5b5150	0x3201	OpenPGP Public Key			1.0008593078665728
RT_RCDATA	0x5b8354	0x3201	data			1.0008593078665728
RT_RCDATA	0x5bb558	0x3201	data			1.0008593078665728
RT_RCDATA	0x5be75c	0x3201	data			1.0008593078665728
RT_RCDATA	0x5c1960	0x3201	data			1.0008593078665728
RT_RCDATA	0x5c4b64	0x3201	data			1.0008593078665728
RT_RCDATA	0x5c7d68	0x3201	data			1.0008593078665728
RT_RCDATA	0x5caf6c	0x3201	data			1.0008593078665728
RT_RCDATA	0x5ce170	0x3201	data			1.0008593078665728
RT_RCDATA	0x5d1374	0x3201	data			1.0008593078665728
RT_RCDATA	0x5d4578	0x3201	data			1.0008593078665728
RT_RCDATA	0x5d777c	0x3201	data			1.0008593078665728
RT_RCDATA	0x5da980	0x3201	data			1.0008593078665728
RT_RCDATA	0x5ddb84	0x3201	data			1.0008593078665728
RT_RCDATA	0x5e0d88	0x3201	data			1.0008593078665728
RT_RCDATA	0x5e3f8c	0x3201	data			1.0008593078665728
RT_RCDATA	0x5e7190	0x3201	data			1.0008593078665728
RT_RCDATA	0x5ea394	0x3201	data			1.0008593078665728
RT_RCDATA	0x5ed598	0x3201	data			1.0008593078665728
RT_RCDATA	0x5f079c	0x3201	data			1.0008593078665728
RT_RCDATA	0x5f39a0	0x3201	data			1.0008593078665728
RT_RCDATA	0x5f6ba4	0x3201	data			1.0008593078665728
RT_RCDATA	0x5f9da8	0x3201	data			1.0008593078665728
RT_RCDATA	0x5fcfac	0x3201	data			1.0008593078665728
RT_RCDATA	0x6001b0	0x3201	data			1.0008593078665728
RT_RCDATA	0x6033b4	0x3201	data			1.0008593078665728
RT_RCDATA	0x6065b8	0x3201	data			1.0008593078665728
RT_RCDATA	0x6097bc	0x3201	data			1.0008593078665728
RT_RCDATA	0x60c9c0	0x3201	data			1.0008593078665728
RT_RCDATA	0x60fbc4	0x3201	data			1.0008593078665728
RT_RCDATA	0x612dc8	0x3201	data			1.0008593078665728
RT_RCDATA	0x615fcc	0x3201	data			1.0008593078665728
RT_RCDATA	0x6191d0	0x3201	data			1.0008593078665728
RT_RCDATA	0x61c3d4	0x3201	data			1.0008593078665728
RT_RCDATA	0x61f5d8	0x3201	data			1.0008593078665728
RT_RCDATA	0x6227dc	0x3201	data			1.0008593078665728
RT_RCDATA	0x6259e0	0x3201	data			1.0008593078665728
RT_MANIFEST	0x641028	0x2	data			5.0
RT_MANIFEST	0x641030	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727
None	0x628d68	0x102	data			1.0426356589147288
None	0x628e6c	0xda	data			1.0504587155963303
None	0x628f48	0xba	data			1.0591397849462365
None	0x629004	0x12a	data			1.0369127516778522
None	0x629130	0x16e	data			1.030054644808743
None	0x6292a0	0x16c	data			1.0302197802197801
None	0x62940c	0xfa	data			1.044
None	0x629508	0x11a	data			1.0390070921985815
None	0x629624	0x178	data			1.0292553191489362
None	0x62979c	0xe0	data			1.0491071428571428
None	0x62987c	0xbc	data			1.0585106382978724
None	0x629938	0x124	data			1.0376712328767124
None	0x629a5c	0xb0	data			1.0625
None	0x629b0c	0xa6	data			1.0662650602409638
None	0x629bb4	0x7e	data			1.0873015873015872
None	0x629c34	0xd6	data			1.0514018691588785
None	0x629d0c	0xe6	data			1.0478260869565217
None	0x629df4	0xea	data			1.047008547008547
None	0x629ee0	0xca	data			1.0544554455445545
None	0x629fac	0xde	data			1.0495495495495495
None	0x62a08c	0x98	data			1.0723684210526316
None	0x62a124	0xe4	data			1.0482456140350878
None	0x62a208	0xc2	data			1.056701030927835
None	0x62a2cc	0xbe	data			1.0578947368421052
None	0x62a38c	0x11a	data			1.0390070921985815
None	0x62a4a8	0xa8	data			1.0654761904761905
None	0x62a550	0xda	data			1.0504587155963303
None	0x62a62c	0xa2	data			1.0679012345679013
None	0x62a6d0	0xea	data			1.047008547008547
None	0x62a7bc	0x88	data			1.0808823529411764
None	0x62a844	0xd8	data			1.0509259259259258
None	0x62a91c	0x152	data			1.032544378698225
None	0x62aa70	0x134	data			1.0357142857142858
None	0x62aba4	0xec	data			1.0466101694915255
None	0x62ac90	0x120	data			1.0381944444444444
None	0x62adb0	0x116	data			1.039568345323741
None	0x62aec8	0x7e	data			1.0873015873015872
None	0x62af48	0xf2	data			1.0454545454545454
None	0x62b03c	0x106	data			1.0419847328244274
None	0x62b144	0xdc	data			1.05
None	0x62b220	0xde	OpenPGP Secret Key			1.0495495495495495
None	0x62b300	0x152	data			1.032544378698225
None	0x62b454	0x154	data			1.0323529411764707
None	0x62b5a8	0xe4	data			1.0482456140350878
None	0x62b68c	0xc0	OpenPGP Secret Key			1.0572916666666667
None	0x62b74c	0xac	data			1.063953488372093
None	0x62b7f8	0xf2	data			1.0454545454545454
None	0x62b8ec	0xdc	data			1.05
None	0x62b9c8	0x126	data			1.0374149659863945
None	0x62baf0	0x9c	data			1.0705128205128205
None	0x62bb8c	0x8a	data			1.0797101449275361
None	0x62bc18	0x15a	data			1.0317919075144508
None	0x62bd74	0xf8	data			1.0443548387096775
None	0x62be6c	0xe2	data			1.0486725663716814
None	0x62bf50	0x5a	data			1.1222222222222222
None	0x62bfac	0x106	data			1.0419847328244274
None	0x62c0b4	0xc8	data			1.055
None	0x62c17c	0xcc	data			1.053921568627451
None	0x62c248	0xd6	data			1.0514018691588785
None	0x62c320	0x144	data			1.0339506172839505
None	0x62c464	0x138	data			1.0352564102564104
None	0x62c59c	0xf8	data			1.0443548387096775
None	0x62c694	0xe2	data			1.0486725663716814
None	0x62c778	0xd6	data			1.0514018691588785
None	0x62c850	0x140	data			1.034375
None	0x62c990	0x88	data			1.0808823529411764
None	0x62ca18	0x10c	data			1.041044776119403
None	0x62cb24	0x9a	data			1.0714285714285714
None	0x62cbc0	0x88	data			1.0808823529411764
None	0x62cc48	0xc4	data			1.0561224489795917
None	0x62cd0c	0xbc	data			1.0585106382978724
None	0x62cdc8	0xa2	data			1.0679012345679013
None	0x62ce6c	0x100	OpenPGP Secret Key			1.04296875
None	0x62cf6c	0x100	data			1.04296875
None	0x62d06c	0x126	data			1.0374149659863945
None	0x62d194	0x100	data			1.04296875
None	0x62d294	0x80	data			1.0859375
None	0x62d314	0xee	data			1.046218487394958
None	0x62d404	0x9e	data			1.0696202531645569
None	0x62d4a4	0x94	data			1.0743243243243243
None	0x62d538	0xf8	OpenPGP Public Key			1.0443548387096775
None	0x62d630	0xe0	data			1.0491071428571428
None	0x62d710	0x100	data			1.04296875
None	0x62d810	0x8a	data			1.0797101449275361
None	0x62d89c	0x5a	data			1.1222222222222222
None	0x62d8f8	0x100	data			1.04296875
None	0x62d9f8	0xac	data			1.063953488372093
None	0x62daa4	0x144	data			1.0339506172839505
None	0x62dbe8	0x14e	data			1.032934131736527
None	0x62dd38	0xa4	data			1.0670731707317074
None	0x62dddc	0xd0	data			1.0528846153846154
None	0x62deac	0xf8	data			1.0443548387096775
None	0x62dfa4	0x15a	data			1.0317919075144508
None	0x62e100	0xb2	data			1.0617977528089888
None	0x62e1b4	0xf2	data			1.0454545454545454
None	0x62e2a8	0xbc	data			1.0585106382978724
None	0x62e364	0xc2	data			1.056701030927835
None	0x62e428	0xe8	data			1.0474137931034482
None	0x62e510	0x164	data			1.0308988764044944
None	0x62e674	0x98	data			1.0723684210526316
None	0x62e70c	0xf4	OpenPGP Public Key			1.0450819672131149
None	0x62e800	0x158	data			1.0319767441860466
None	0x62e958	0xe0	data			1.0491071428571428
None	0x62ea38	0x82	data			1.0846153846153845
None	0x62eabc	0x126	data			1.0374149659863945

Imports

DLL	Import
ADVAPI32.dll	RegOpenKeyExA
api-ms-win-crt-heap-l1-1-0.dll	free
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale
api-ms-win-crt-math-l1-1-0.dll	cosf
api-ms-win-crt-runtime-l1-1-0.dll	exit
api-ms-win-crt-stdio-l1-1-0.dll	fseek
api-ms-win-crt-string-l1-1-0.dll	strcmp
api-ms-win-crt-utility-l1-1-0.dll	qsort
d3d9.dll	Direct3DCreate9
IMM32.dll	ImmGetContext
kErneL32.DlL	LoadLibraryA, DeleteAtom, GetProcAddress, VirtualProtect
MSVCP140.dll	_Query_perf_counter
olE32.dll	CoTaskMemFree
SHELL32.dll	ShellExecuteA
USER32.dll	SetCursor
VCRUNTIME140.dll	memset
VCRUNTIME140_1.dll	__CxxFrameHandler4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-18T19:37:15.832886+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49714	172.67.75.163	443	TCP

Network Port Distribution

Total Packets: 12
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 19:37:13.628911018 CET	49714	443	192.168.2.6	172.67.75.163
Dec 18, 2024 19:37:13.628950119 CET	443	49714	172.67.75.163	192.168.2.6
Dec 18, 2024 19:37:13.629035950 CET	49714	443	192.168.2.6	172.67.75.163
Dec 18, 2024 19:37:13.642235041 CET	49714	443	192.168.2.6	172.67.75.163
Dec 18, 2024 19:37:13.642246962 CET	443	49714	172.67.75.163	192.168.2.6
Dec 18, 2024 19:37:14.875044107 CET	443	49714	172.67.75.163	192.168.2.6
Dec 18, 2024 19:37:14.877188921 CET	49714	443	192.168.2.6	172.67.75.163
Dec 18, 2024 19:37:15.349327087 CET	49714	443	192.168.2.6	172.67.75.163
Dec 18, 2024 19:37:15.349348068 CET	443	49714	172.67.75.163	192.168.2.6
Dec 18, 2024 19:37:15.349687099 CET	443	49714	172.67.75.163	192.168.2.6
Dec 18, 2024 19:37:15.349746943 CET	49714	443	192.168.2.6	172.67.75.163
Dec 18, 2024 19:37:15.364975929 CET	49714	443	192.168.2.6	172.67.75.163
Dec 18, 2024 19:37:15.411345005 CET	443	49714	172.67.75.163	192.168.2.6
Dec 18, 2024 19:37:15.832880020 CET	443	49714	172.67.75.163	192.168.2.6
Dec 18, 2024 19:37:15.832948923 CET	49714	443	192.168.2.6	172.67.75.163
Dec 18, 2024 19:37:15.832968950 CET	443	49714	172.67.75.163	192.168.2.6
Dec 18, 2024 19:37:15.832988977 CET	443	49714	172.67.75.163	192.168.2.6
Dec 18, 2024 19:37:15.833010912 CET	49714	443	192.168.2.6	172.67.75.163
Dec 18, 2024 19:37:15.833034039 CET	49714	443	192.168.2.6	172.67.75.163
Dec 18, 2024 19:37:15.834861040 CET	49714	443	192.168.2.6	172.67.75.163
Dec 18, 2024 19:37:15.834884882 CET	443	49714	172.67.75.163	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 19:37:13.482150078 CET	57797	53	192.168.2.6	1.1.1.1
Dec 18, 2024 19:37:13.622361898 CET	53	57797	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 18, 2024 19:37:13.482150078 CET	192.168.2.6	1.1.1.1	0x4496	Standard query (0)	api.myip.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 18, 2024 19:37:09.661267042 CET	1.1.1.1	192.168.2.6	0x25ae	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 18, 2024 19:37:09.661267042 CET	1.1.1.1	192.168.2.6	0x25ae	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Dec 18, 2024 19:37:13.622361898 CET	1.1.1.1	192.168.2.6	0x4496	No error (0)	api.myip.com		172.67.75.163	A (IP address)	IN (0x0001)	false
Dec 18, 2024 19:37:13.622361898 CET	1.1.1.1	192.168.2.6	0x4496	No error (0)	api.myip.com		104.26.9.59	A (IP address)	IN (0x0001)	false
Dec 18, 2024 19:37:13.622361898 CET	1.1.1.1	192.168.2.6	0x4496	No error (0)	api.myip.com		104.26.8.59	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.myip.com

Target ID:	0
Start time:	13:37:12
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\solara-executor.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\solara-executor.exe"
Imagebase:	0x7ff6341b0000
File size:	1'248'295 bytes
MD5 hash:	6107673FE6DE87AC938D8D45CEEE771B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.4005142779.000001984BFF0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report solara-executor.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\HJWXIAQ3.htm

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
solara-executor.exe