Windows Analysis Report
Solara-3.0.exe

Overview

General Information

Sample name: Solara-3.0.exe
Analysis ID: 1579341
MD5: 4ae32f4d7b7d72738797fa1533962135
SHA1: de2b314913be445b83a502db7a9eca17463bfcd0
SHA256: 6a6a26172d67b47810cc4088daed7fc1d77a45d7ebc998cfa1bb13c988fc9e4b
Tags: exe, user-aachum

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: 00000000.00000002.2476830515.000000000578C000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: LummaC {"C2 url": ["aspecteirs.lat", "necklacebudi.lat", "rapeflowwj.lat", "energyaffai.lat", "discokeyus.lat", "sustainskelet.lat", "grannyejh.lat", "crosshuaht.lat", "sweepyribs.lat"], "Build id": "yau6Na--899083440"}
Source: Solara-3.0.exe ReversingLabs: Detection: 39%
Source: Solara-3.0.exe Virustotal: Detection: 48%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 97.4% probability
Source: Solara-3.0.exe Joe Sandbox ML: detected
Source: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: rapeflowwj.lat
Source: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: crosshuaht.lat
Source: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: sustainskelet.lat
Source: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: aspecteirs.lat
Source: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: energyaffai.lat
Source: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: necklacebudi.lat
Source: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: discokeyus.lat
Source: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: grannyejh.lat
Source: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: sweepyribs.lat
Source: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: yau6Na--899083440
Source: Solara-3.0.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: Solara-3.0.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: 0_2_00485D48 FindFirstFileExW, 0_2_00485D48
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: 0_2_00485DF9 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00485DF9
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: 3_2_00485D48 FindFirstFileExW, 3_2_00485D48
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: 3_2_00485DF9 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 3_2_00485DF9

Networking

Source: Network traffic Suricata IDS: 2058378 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sweepyribs .lat) : 192.168.2.5:63394 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058364 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat) : 192.168.2.5:55666 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058360 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat) : 192.168.2.5:58809 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.5:49704 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.5:49754 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49704 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49704 -> 172.67.197.170:443
Source: Malware configuration extractor URLs: aspecteirs.lat
Source: Malware configuration extractor URLs: necklacebudi.lat
Source: Malware configuration extractor URLs: rapeflowwj.lat
Source: Malware configuration extractor URLs: energyaffai.lat
Source: Malware configuration extractor URLs: discokeyus.lat
Source: Malware configuration extractor URLs: sustainskelet.lat
Source: Malware configuration extractor URLs: grannyejh.lat
Source: Malware configuration extractor URLs: crosshuaht.lat
Source: Malware configuration extractor URLs: sweepyribs.lat
Source: Joe Sandbox View IP Address: 172.67.197.170 172.67.197.170
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49704 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49754 -> 172.67.197.170:443
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: discokeyus.lat
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: sweepyribs.lat
Source: global traffic DNS traffic detected: DNS query: grannyejh.lat
Source: global traffic DNS traffic detected: DNS query: discokeyus.lat
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: discokeyus.lat
Source: Amcache.hve.6.dr String found in binary or memory: http://upx.sf.net
Source: Solara-3.0.exe, 00000003.00000002.2425276295.00000000048A0000.00000004.00000020.00020000.00000000.sdmp, Solara-3.0.exe, 00000003.00000003.2424663031.00000000048A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/
Source: Solara-3.0.exe, 00000003.00000003.2424541946.00000000048DF000.00000004.00000020.00020000.00000000.sdmp, Solara-3.0.exe, 00000003.00000002.2425368925.00000000048E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/H
Source: Solara-3.0.exe, 00000003.00000002.2425368925.00000000048E0000.00000004.00000020.00020000.00000000.sdmp, Solara-3.0.exe, 00000003.00000002.2425276295.00000000048B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/api
Source: Solara-3.0.exe, 00000003.00000003.2424541946.00000000048DF000.00000004.00000020.00020000.00000000.sdmp, Solara-3.0.exe, 00000003.00000002.2425368925.00000000048E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/apic
Source: Solara-3.0.exe, 00000003.00000003.2424541946.00000000048DF000.00000004.00000020.00020000.00000000.sdmp, Solara-3.0.exe, 00000003.00000002.2425368925.00000000048E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/m
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: 3_2_004327A0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard, 3_2_004327A0
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: 3_2_00432950 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt, 3_2_00432950
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: String function: 00480E8D appears 34 times
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: String function: 00407FA0 appears 41 times
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: String function: 004746F0 appears 92 times
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: String function: 00414D60 appears 55 times
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: String function: 0047CB28 appears 42 times
Source: C:\Users\user\Desktop\Solara-3.0.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 292
Source: Solara-3.0.exe, 00000000.00000002.2476830515.000000000578C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRpcPing.exej% vs Solara-3.0.exe
Source: Solara-3.0.exe, 00000000.00000000.2093405656.00000000004A3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameRpcPing.exej% vs Solara-3.0.exe
Source: Solara-3.0.exe, 00000003.00000003.2104002709.000000000479B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRpcPing.exej% vs Solara-3.0.exe
Source: Solara-3.0.exe, 00000003.00000002.2424995401.00000000004A3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameRpcPing.exej% vs Solara-3.0.exe
Source: Solara-3.0.exe Binary or memory string: OriginalFilenameRpcPing.exej% vs Solara-3.0.exe
Source: Solara-3.0.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Solara-3.0.exe Static PE information: Section: .bss ZLIB complexity 1.0003389443728523
Source: classification engine Classification label: mal100.troj.evad.winEXE@5/5@3/1
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: 3_2_0042E9E0 CoCreateInstance, 3_2_0042E9E0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1076:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6464
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\636f6bd6-0806-4c8d-8158-96602ad23db1
Source: Solara-3.0.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Solara-3.0.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Solara-3.0.exe ReversingLabs: Detection: 39%
Source: Solara-3.0.exe Virustotal: Detection: 48%
Source: C:\Users\user\Desktop\Solara-3.0.exe File read: C:\Users\user\Desktop\Solara-3.0.exe
Source: unknown Process created: C:\Users\user\Desktop\Solara-3.0.exe "C:\Users\user\Desktop\Solara-3.0.exe"
Source: C:\Users\user\Desktop\Solara-3.0.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Solara-3.0.exe Process created: C:\Users\user\Desktop\Solara-3.0.exe "C:\Users\user\Desktop\Solara-3.0.exe"
Source: C:\Users\user\Desktop\Solara-3.0.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 292
Source: C:\Users\user\Desktop\Solara-3.0.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Solara-3.0.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Solara-3.0.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Solara-3.0.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Solara-3.0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Solara-3.0.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\Solara-3.0.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Solara-3.0.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Solara-3.0.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Solara-3.0.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Solara-3.0.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Solara-3.0.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Solara-3.0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Solara-3.0.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Solara-3.0.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Solara-3.0.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Solara-3.0.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Solara-3.0.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Solara-3.0.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Solara-3.0.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Solara-3.0.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Solara-3.0.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Solara-3.0.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Solara-3.0.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Solara-3.0.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Solara-3.0.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Solara-3.0.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Solara-3.0.exe Section loaded: ondemandconnroutehelper.dll
Source: Solara-3.0.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Solara-3.0.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Solara-3.0.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Solara-3.0.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Solara-3.0.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Solara-3.0.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: 0_2_00474813 push ecx; ret 0_2_00474826
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: 3_2_00443813 pushfd ; ret 3_2_00443814
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: 3_2_00442991 push ecx; retf 3_2_004429A3
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: 3_2_00443B60 pushfd ; iretd 3_2_00443B61
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: 3_2_0043CC30 push eax; mov dword ptr [esp], 959493C2h 3_2_0043CC31
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: 3_2_004454B9 push esp; iretd 3_2_004454BF
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: 3_2_00439EB0 push eax; mov dword ptr [esp], 9B9C9D9Eh 3_2_00439EBE
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: 3_2_00474813 push ecx; ret 3_2_00474826
Source: C:\Users\user\Desktop\Solara-3.0.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\Solara-3.0.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (51 occurrences)
Source: C:\Users\user\Desktop\Solara-3.0.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\Solara-3.0.exe API coverage: 4.4 %
Source: C:\Users\user\Desktop\Solara-3.0.exe TID: 3136 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\Solara-3.0.exe TID: 5456 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: 0_2_00485D48 FindFirstFileExW, 0_2_00485D48
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: 0_2_00485DF9 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00485DF9
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: 3_2_00485D48 FindFirstFileExW, 3_2_00485D48
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: 3_2_00485DF9 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 3_2_00485DF9
Source: Amcache.hve.6.dr Binary or memory string: VMware
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Solara-3.0.exe, 00000003.00000003.2424541946.00000000048CC000.00000004.00000020.00020000.00000000.sdmp, Solara-3.0.exe, 00000003.00000002.2425337234.00000000048CC000.00000004.00000020.00020000.00000000.sdmp, Solara-3.0.exe, 00000003.00000002.2425209758.000000000488C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\Solara-3.0.exe Process queried: DebugPort (2 occurrences)
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: 0_2_0046FAE0 LdrInitializeThunk, 0_2_0046FAE0
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: 0_2_00474573 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00474573
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: 0_2_0049E19E mov edi, dword ptr fs:[00000030h] 0_2_0049E19E
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: 0_2_00461EB0 mov edi, dword ptr fs:[00000030h] 0_2_00461EB0
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: 3_2_00461EB0 mov edi, dword ptr fs:[00000030h] 3_2_00461EB0
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: 0_2_004817A0 GetProcessHeap, 0_2_004817A0
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: 0_2_004741B7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_004741B7
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: 0_2_00474567 SetUnhandledExceptionFilter, 0_2_00474567
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: 0_2_00474573 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00474573
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: 0_2_0047C860 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0047C860
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: 3_2_004741B7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_004741B7
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: 3_2_00474567 SetUnhandledExceptionFilter, 3_2_00474567
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: 3_2_00474573 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00474573
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: 3_2_0047C860 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0047C860

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: 0_2_0049E19E GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread, 0_2_0049E19E
Source: C:\Users\user\Desktop\Solara-3.0.exe Memory written: C:\Users\user\Desktop\Solara-3.0.exe base: 400000 value starts with: 4D5A
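The API chain recorded for function 0_2_0049E19E (CreateProcessW, GetThreadContext/Wow64GetThreadContext, ReadProcessMemory, VirtualAllocEx, repeated WriteProcessMemory, SetThreadContext/Wow64SetThreadContext, ResumeThread) together with the write of bytes starting 4D5A ("MZ") at the child's image base 0x400000 is the classic process-hollowing sequence: a copy of the sample is started suspended, its image is replaced with the unpacked LummaC PE, and the thread is resumed at the new entry point. The following detection routine is an added example, not part of the Joe Sandbox report: it walks a stream of API-call records and flags only children that were created with CREATE_SUSPENDED, received a PE header at their image base, had their thread context rewritten and were then resumed. The record format (one ApiCall per call, with the target process already resolved from its handle to a pid) and both event traces are constructed for the demo; pids and addresses are hypothetical, and a real feed (ETW, Sysmon, a hooking sandbox) would need an adapter. The second trace shows why the MZ-at-base condition matters: a debugger also creates a process suspended, patches one byte and calls SetThreadContext/ResumeThread, and must not be flagged.

```python
"""Flag a process-hollowing API chain in a stream of API-call records.
Added example, not from the sandbox report. ApiCall records, pids and addresses are
constructed for the demo; the target process is assumed to have been resolved from
its handle to a pid before the records reach this function."""
from dataclasses import dataclass, field

CREATE_SUSPENDED = 0x00000004
DEBUG_PROCESS = 0x00000001
MZ = b"MZ"
# stages that must all be present before ResumeThread to call it hollowing
REQUIRED = {"created_suspended", "mz_at_base", "context_set"}

@dataclass
class ApiCall:
    pid: int                    # process issuing the call
    api: str
    args: dict = field(default_factory=dict)

@dataclass
class ChildState:
    parent: int
    image_base: int
    stages: set = field(default_factory=set)

def detect_hollowing(calls):
    """Return (parent_pid, child_pid, sorted stages) for every child that was created
    suspended, overwritten with a PE image at its base, re-pointed with SetThreadContext
    and then resumed. Children resumed without all REQUIRED stages are dropped silently."""
    children = {}
    findings = []
    for c in calls:
        if c.api == "CreateProcessW" and c.args.get("dwCreationFlags", 0) & CREATE_SUSPENDED:
            children[c.args["child_pid"]] = ChildState(
                c.pid, c.args.get("image_base", 0), {"created_suspended"})
            continue
        st = children.get(c.args.get("target_pid"))
        if st is None or st.parent != c.pid:     # only the creating parent is of interest
            continue
        target = c.args["target_pid"]
        if c.api in ("GetThreadContext", "Wow64GetThreadContext"):
            st.stages.add("read_context")
        elif c.api == "VirtualAllocEx":
            st.stages.add("alloc_ex")
        elif c.api == "WriteProcessMemory":
            if c.args.get("address") == st.image_base and c.args.get("data", b"")[:2] == MZ:
                st.stages.add("mz_at_base")      # a fresh PE header lands on the image base
        elif c.api in ("SetThreadContext", "Wow64SetThreadContext"):
            st.stages.add("context_set")
        elif c.api == "ResumeThread":
            if REQUIRED <= st.stages:
                findings.append((st.parent, target, sorted(st.stages)))
            children.pop(target)
    return findings

# Constructed trace: parent 4100 hollows a suspended copy of itself (child 4200),
# mirroring the chain and the 4D5A write at base 400000 shown in the report.
HOLLOWING_TRACE = [
    ApiCall(4100, "CreateProcessW", {"lpApplicationName": r"C:\Users\user\Desktop\Solara-3.0.exe",
                                     "dwCreationFlags": CREATE_SUSPENDED, "child_pid": 4200,
                                     "image_base": 0x400000}),
    ApiCall(4100, "Wow64GetThreadContext", {"target_pid": 4200}),
    ApiCall(4100, "ReadProcessMemory", {"target_pid": 4200}),        # reads PEB.ImageBaseAddress
    ApiCall(4100, "VirtualAllocEx", {"target_pid": 4200, "address": 0x400000, "size": 0x9F000}),
    ApiCall(4100, "WriteProcessMemory", {"target_pid": 4200, "address": 0x400000,
                                         "data": b"MZ\x90\x00" + b"\x00" * 60}),
    ApiCall(4100, "WriteProcessMemory", {"target_pid": 4200, "address": 0x401000,
                                         "data": b"\x55\x8b\xec"}),
    ApiCall(4100, "Wow64SetThreadContext", {"target_pid": 4200}),
    ApiCall(4100, "ResumeThread", {"target_pid": 4200}),
]

# Constructed trace: a debugger launches its target suspended, plants an int3 and
# adjusts the context before resuming. No PE header is written, so no finding.
DEBUGGER_TRACE = [
    ApiCall(5000, "CreateProcessW", {"dwCreationFlags": CREATE_SUSPENDED | DEBUG_PROCESS,
                                     "child_pid": 5001, "image_base": 0x400000}),
    ApiCall(5000, "GetThreadContext", {"target_pid": 5001}),
    ApiCall(5000, "WriteProcessMemory", {"target_pid": 5001, "address": 0x401234, "data": b"\xcc"}),
    ApiCall(5000, "SetThreadContext", {"target_pid": 5001}),
    ApiCall(5000, "ResumeThread", {"target_pid": 5001}),
]

if __name__ == "__main__":
    for parent, child, stages in detect_hollowing(HOLLOWING_TRACE + DEBUGGER_TRACE):
        print(f"process hollowing: pid {parent} -> child {child}, stages {stages}")
```

The MZ check uses the first two bytes of the written buffer at the recorded image base, which is exactly the observation the sandbox reports as "base: 400000 value starts with: 4D5A"; variants that unmap the original section first (NtUnmapViewOfSection) or write the header in several pieces would need the address match relaxed to a range around the base.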
Source: Solara-3.0.exe, 00000000.00000002.2476830515.000000000578C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: rapeflowwj.lat
Source: Solara-3.0.exe, 00000000.00000002.2476830515.000000000578C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: crosshuaht.lat
Source: Solara-3.0.exe, 00000000.00000002.2476830515.000000000578C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: sustainskelet.lat
Source: Solara-3.0.exe, 00000000.00000002.2476830515.000000000578C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: aspecteirs.lat
Source: Solara-3.0.exe, 00000000.00000002.2476830515.000000000578C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: energyaffai.lat
Source: Solara-3.0.exe, 00000000.00000002.2476830515.000000000578C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: necklacebudi.lat
Source: Solara-3.0.exe, 00000000.00000002.2476830515.000000000578C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: discokeyus.lat
Source: Solara-3.0.exe, 00000000.00000002.2476830515.000000000578C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: grannyejh.lat
Source: Solara-3.0.exe, 00000000.00000002.2476830515.000000000578C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: sweepyribs.lat
Source: C:\Users\user\Desktop\Solara-3.0.exe Process created: C:\Users\user\Desktop\Solara-3.0.exe "C:\Users\user\Desktop\Solara-3.0.exe"
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: EnumSystemLocalesW, 0_2_0048107D
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00485097
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: EnumSystemLocalesW, 0_2_004852E8
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00485390
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: EnumSystemLocalesW, 0_2_004855E3
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: GetLocaleInfoW, 0_2_00485650
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: GetLocaleInfoW, 0_2_00485770
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: EnumSystemLocalesW, 0_2_00485725
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00485817
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: GetLocaleInfoW, 0_2_0048591D
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: GetLocaleInfoW, 0_2_00480B75
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: EnumSystemLocalesW, 3_2_0048107D
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_00485097
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: EnumSystemLocalesW, 3_2_004852E8
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 3_2_00485390
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: EnumSystemLocalesW, 3_2_004855E3
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: GetLocaleInfoW, 3_2_00485650
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: GetLocaleInfoW, 3_2_00485770
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: EnumSystemLocalesW, 3_2_00485725
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_00485817
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: GetLocaleInfoW, 3_2_0048591D
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: GetLocaleInfoW, 3_2_00480B75
Source: C:\Users\user\Desktop\Solara-3.0.exe Code function: 0_2_00475145 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00475145
Source: C:\Users\user\Desktop\Solara-3.0.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 3.2.Solara-3.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Solara-3.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2476830515.000000000578C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 3.2.Solara-3.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Solara-3.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2424848904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2476830515.000000000578C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR