Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Solara.exe

"C:\Users\user\Desktop\Solara.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6744
Target ID:	0
Parent PID:	2580
Name:	Solara.exe
Path:	C:\Users\user\Desktop\Solara.exe
Commandline:	"C:\Users\user\Desktop\Solara.exe"
Size:	1003008
MD5:	25E61FD473A4A437C052FE60E4A76E0A
Time:	19:33:00
Date:	12/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xc20000
Modulesize:	1019904
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected LummaC Stealer	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\Users\user\Desktop\Solara.exe

"C:\Users\user\Desktop\Solara.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6812
Target ID:	1
Parent PID:	6744
Name:	Solara.exe
Path:	C:\Users\user\Desktop\Solara.exe
Commandline:	"C:\Users\user\Desktop\Solara.exe"
Size:	1003008
MD5:	25E61FD473A4A437C052FE60E4A76E0A
Time:	19:33:01
Date:	12/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xc20000
Modulesize:	1019904
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected LummaC Stealer	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

URLs

Name

Malicious

enlargkiw.sbs

allocatinow.sbs

drawwyobstacw.sbs

mathcucom.sbs

https://steamcommunity.com/profiles/76561199724331900

104.102.49.254

https://steamcommunity.com:443/profiles/76561199724331900

unknown

https://vennurviot.sbs/api

172.67.140.193

https://steamcommunity.com/profiles/76561199724331900/inventory/

unknown

ehticsprocw.sbs

condifendteu.sbs

https://drawwyobstacw.sbs/api

188.114.96.3

https://www.cloudflare.com/learning/access-management/phishing-attack/

unknown

https://player.vimeo.com

unknown

https://sergei-esenin.com:443/apiU

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp

unknown

https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f

unknown

https://steamcommunity.com/?subsection=broadcasts

unknown

https://sergei-esenin.com/

unknown

https://vennurviot.sbs/

unknown

https://store.steampowered.com/subscriber_agreement/

unknown

https://www.gstatic.cn/recaptcha/

unknown

https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6

unknown

https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PA

unknown

http://www.valvesoftware.com/legal.htm

unknown

https://www.youtube.com

unknown

https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp

unknown

https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png

unknown

https://www.google.com

unknown

https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png

unknown

https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&

unknown

https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

unknown

https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL

unknown

https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi

unknown

https://s.ytimg.com;

unknown

https://drawwyobstacw.sbs/api9et

unknown

https://steam.tv/

unknown

https://avatars.akamai.steamstatic2~

unknown

https://resinedyw.sbs/2

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english

unknown

http://store.steampowered.com/privacy_agreement/

unknown

https://store.steampowered.com/points/shop/

unknown

https://enlargkiw.sbs/

unknown

https://sketchfab.com

unknown

https://lv.queniujq.cn

unknown

https://sergei-esenin.com/m

unknown

https://www.cloudflare.com/learning/access-man

unknown

https://www.youtube.com/

unknown

https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg

unknown

https://store.steampowered.com/privacy_agreement/

unknown

https://drawwyobstacw.sbs/T

unknown

https://www.cloudflare.com/5xx-error-landing

unknown

https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en

unknown

https://www.cloudflare.com/learning/access-manHY

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0

unknown

https://sergei-esenin.com:443/api

unknown

https://condifendteu.sbs/1

unknown

https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am

unknown

https://www.google.com/recaptcha/

unknown

https://checkout.steampowered.com/

unknown

https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english

unknown

https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english

unknown

https://sergei-esenin.com/apit

unknown

https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png

unknown

https://drawwyobstacw.sbs/apiKtJ

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=engliO

unknown

https://resinedyw.sbs/apitrf

unknown

https://ehticsprocw.sbs/

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis

unknown

https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC

unknown

https://store.steampowered.com/;

unknown

https://store.steampowered.com/about/

unknown

https://steamcommunity.com/my/wishlist/

unknown

https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english

unknown

https://help.steampowered.com/en/

unknown

https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/

unknown

https://steamcommunity.com/market/

unknown

https://store.steampowered.com/news/

unknown

https://community.akamai.steamstatic.com/

unknown

https://drawwyobstacw.sbs/apioe

unknown

https://condifendteu.sbs/apiNtM

unknown

https://www.cloudflare.com/learning/access-m

unknown

https://www.cloudflare.com/learning/access-mY

unknown

https://community.akamai.steamstatic.com/pu

unknown

http://store.steampowered.com/subscriber_agreement/

unknown

https://community.akamai.steamstatic.com/public/shared/css/

unknown

https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1

unknown

https://recaptcha.net/recaptcha/;

unknown

https://sergei-esenin.com/0

unknown

https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en

unknown

https://steamcommunity.com/discussions/

unknown

https://store.steampowered.com/stats/

unknown

https://medal.tv

unknown

https://broadcast.st.dl.eccdnx.com

unknown

https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1

unknown

https://store.steampowered.com/steam_refunds/

unknown

https://resinedyw.sbs/

unknown

https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900

unknown

https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e

unknown

There are 90 hidden URLs, click here to show them.

Domains

Name

Malicious

condifendteu.sbs

172.67.141.136

steamcommunity.com

104.102.49.254

vennurviot.sbs

172.67.140.193

drawwyobstacw.sbs

188.114.96.3

mathcucom.sbs

188.114.97.3

sergei-esenin.com

104.21.53.8

ehticsprocw.sbs

104.21.30.221

resinedyw.sbs

104.21.77.78

enlargkiw.sbs

104.21.33.249

allocatinow.sbs

unknown

explorationmsn.store

unknown

fp2e7a.wpc.phicdn.net

192.229.221.95

There are 2 hidden domains, click here to show them.

IPs

Domain

Country

Malicious

104.21.53.8

sergei-esenin.com

United States

Details

IP:	104.21.53.8
TargetID:	1
Current Path:	C:\Users\user\Desktop\Solara.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	sergei-esenin.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

188.114.97.3

mathcucom.sbs

European Union

Details

IP:	188.114.97.3
TargetID:	1
Current Path:	C:\Users\user\Desktop\Solara.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	mathcucom.sbs

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

104.21.33.249

enlargkiw.sbs

United States

Details

IP:	104.21.33.249
TargetID:	1
Current Path:	C:\Users\user\Desktop\Solara.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	enlargkiw.sbs

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

104.21.30.221

ehticsprocw.sbs

United States

Details

IP:	104.21.30.221
TargetID:	1
Current Path:	C:\Users\user\Desktop\Solara.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	ehticsprocw.sbs

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

188.114.96.3

drawwyobstacw.sbs

European Union

Details

IP:	188.114.96.3
TargetID:	1
Current Path:	C:\Users\user\Desktop\Solara.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	drawwyobstacw.sbs

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

172.67.141.136

condifendteu.sbs

United States

Details

IP:	172.67.141.136
TargetID:	1
Current Path:	C:\Users\user\Desktop\Solara.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	condifendteu.sbs

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

104.102.49.254

steamcommunity.com

United States

Details

IP:	104.102.49.254
TargetID:	1
Current Path:	C:\Users\user\Desktop\Solara.exe
Country:	United States
Countrycode:	USA
ASN number:	16625
ASN name:	AKAMAI-ASUS
Private:	false
Domain:	steamcommunity.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

172.67.140.193

vennurviot.sbs

United States

Details

IP:	172.67.140.193
TargetID:	1
Current Path:	C:\Users\user\Desktop\Solara.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	vennurviot.sbs

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

104.21.77.78

resinedyw.sbs

United States

Details

IP:	104.21.77.78
TargetID:	1
Current Path:	C:\Users\user\Desktop\Solara.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	resinedyw.sbs

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

CBA000

unkown

page read and write

FFD000

heap

page read and write

29F0000

remote allocation

page read and write

F4D000

heap

page read and write

F9D000

heap

page read and write

1005000

heap

page read and write

77E000

heap

page read and write

FC2000

heap

page read and write

3588000

trusted library allocation

page read and write

FEC000

heap

page read and write

35B2000

trusted library allocation

page read and write

770000

heap

page read and write

1002000

heap

page read and write

1009000

heap

page read and write

FC2000

heap

page read and write

B00000

heap

page read and write

356A000

trusted library allocation

page read and write

FFE000

heap

page read and write

29F0000

remote allocation

page read and write

1006000

heap

page read and write

356A000

trusted library allocation

page read and write

FE6000

heap

page read and write

1005000

heap

page read and write

D13000

unkown

page readonly

FE6000

heap

page read and write

1005000

heap

page read and write

CA9000

unkown

page readonly

FE0000

heap

page read and write

3531000

trusted library allocation

page read and write

3569000

trusted library allocation

page read and write

A6F000

stack

page read and write

FDE000

heap

page read and write

D13000

unkown

page readonly

F84000

heap

page read and write

CA9000

unkown

page readonly

FD3000

heap

page read and write

C20000

unkown

page readonly

FC2000

heap

page read and write

FF9000

heap

page read and write

FDE000

heap

page read and write

C1E000

stack

page read and write

3599000

trusted library allocation

page read and write

D13000

unkown

page readonly

3534000

trusted library allocation

page read and write

2A00000

heap

page read and write

FFB000

heap

page read and write

C21000

unkown

page execute read

E90000

heap

page read and write

FE6000

heap

page read and write

29CD000

stack

page read and write

FEC000

heap

page read and write

3548000

trusted library allocation

page read and write

3579000

trusted library allocation

page read and write

FF9000

heap

page read and write

F8E000

heap

page read and write

100C000

heap

page read and write

F77000

heap

page read and write

312E000

stack

page read and write

F30000

heap

page read and write

EED000

stack

page read and write

1008000

heap

page read and write

E1F000

stack

page read and write

C20000

unkown

page readonly

F2E000

stack

page read and write

3580000

trusted library allocation

page read and write

356F000

trusted library allocation

page read and write

45B000

remote allocation

page execute and read and write

CBA000

unkown

page write copy

2C8E000

stack

page read and write

FE0000

heap

page read and write

FD8000

heap

page read and write

77A000

heap

page read and write

FD8000

heap

page read and write

3571000

trusted library allocation

page read and write

CBA000

unkown

page write copy

3631000

heap

page read and write

FC2000

heap

page read and write

55D000

stack

page read and write

1000000

heap

page read and write

FDE000

heap

page read and write

FDE000

heap

page read and write

1002000

heap

page read and write

FC2000

heap

page read and write

FE6000

heap

page read and write

D10000

unkown

page read and write

F8E000

heap

page read and write

FE7000

heap

page read and write

326E000

stack

page read and write

CBA000

unkown

page write copy

400000

remote allocation

page execute and read and write

1006000

heap

page read and write

D0F000

unkown

page execute and read and write

5C0000

heap

page read and write

356B000

trusted library allocation

page read and write

F5D000

heap

page read and write

FE0000

heap

page read and write

3630000

heap

page read and write

FE6000

heap

page read and write

3538000

trusted library allocation

page read and write

F48000

heap

page read and write

74E000

stack

page read and write

F84000

heap

page read and write

28DB000

trusted library allocation

page read and write

FC2000

heap

page read and write

3536000

trusted library allocation

page read and write

E87000

heap

page read and write

F37000

heap

page read and write

F84000

heap

page read and write

2B0F000

stack

page read and write

BAF000

stack

page read and write

1003000

heap

page read and write

F5D000

heap

page read and write

352F000

stack

page read and write

FE9000

heap

page read and write

FD2000

heap

page read and write

E20000

heap

page read and write

AFA000

stack

page read and write

FF3000

heap

page read and write

FE0000

heap

page read and write

F84000

heap

page read and write

FE2000

heap

page read and write

FE0000

heap

page read and write

1008000

heap

page read and write

1009000

heap

page read and write

FE8000

heap

page read and write

FE0000

heap

page read and write

1000000

heap

page read and write

45D000

stack

page read and write

1002000

heap

page read and write

C21000

unkown

page execute read

2C4E000

stack

page read and write

E6E000

stack

page read and write

29F0000

remote allocation

page read and write

C20000

unkown

page readonly

33DE000

stack

page read and write

CA9000

unkown

page readonly

FD2000

heap

page read and write

F79000

heap

page read and write

FD6000

heap

page read and write

3559000

trusted library allocation

page read and write

F8E000

heap

page read and write

CA9000

unkown

page readonly

5F0000

heap

page read and write

322F000

stack

page read and write

D13000

unkown

page readonly

FE6000

heap

page read and write

3530000

trusted library allocation

page read and write

FC2000

heap

page read and write

79B000

stack

page read and write

AAE000

stack

page read and write

336E000

stack

page read and write

E85000

heap

page read and write

8F0000

heap

page read and write

1009000

heap

page read and write

C21000

unkown

page execute read

F77000

heap

page read and write

F81000

heap

page read and write

5B0000

heap

page read and write

2D8F000

stack

page read and write

F4D000

heap

page read and write

FE2000

heap

page read and write

FFD000

heap

page read and write

1000000

heap

page read and write

C21000

unkown

page execute read

E80000

heap

page read and write

3420000

heap

page read and write

2B4D000

stack

page read and write

1000000

heap

page read and write

3540000

trusted library allocation

page read and write

100A000

heap

page read and write

35B9000

trusted library allocation

page read and write

112F000

stack

page read and write

C20000

unkown

page readonly

3531000

trusted library allocation

page read and write

FEC000

heap

page read and write

1007000

heap

page read and write

There are 166 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Solara.exe

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSolara.exe

Processes

URLs

Domains

IPs

Memdumps

IOC Report
Solara.exe