Analysis
- max time kernel: 10s
- max time network: 20s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/05/2024, 15:51
Behavioral tasks (task: sample, resource)
- behavioral1: SolarisBETA/Monaco/vs/editor/editor.main.js, win10v2004-20240508-en
- behavioral2: SolarisBETA/Monaco/vs/editor/editor.main.nls.de.js, win10v2004-20240426-en
- behavioral3: SolarisBETA/Monaco/vs/editor/editor.main.nls.es.js, win10v2004-20240508-en
- behavioral4: SolarisBETA/Monaco/vs/editor/editor.main.nls.fr.js, win10v2004-20240508-en
- behavioral5: SolarisBETA/Monaco/vs/editor/editor.main.nls.it.js, win10v2004-20240426-en
- behavioral6: SolarisBETA/Monaco/vs/editor/editor.main.nls.ja.js, win10v2004-20240508-en
- behavioral7: SolarisBETA/Monaco/vs/editor/editor.main.nls.js, win10v2004-20240508-en
- behavioral8: SolarisBETA/Monaco/vs/editor/editor.main.nls.ko.js, win10v2004-20240508-en
- behavioral9: SolarisBETA/Monaco/vs/editor/editor.main.nls.ru.js, win10v2004-20240508-en
- behavioral10: SolarisBETA/Monaco/vs/editor/editor.main.nls.zh-cn.js, win10v2004-20240226-en
- behavioral11: SolarisBETA/Monaco/vs/editor/editor.main.nls.zh-tw.js, win10v2004-20240426-en
- behavioral12: SolarisBETA/Monaco/vs/language/css/cssmode.js, win10v2004-20240508-en
- behavioral13: SolarisBETA/Monaco/vs/language/css/cssworker.js, win10v2004-20240508-en
- behavioral14: SolarisBETA/Monaco/vs/language/html/htmlmode.js, win10v2004-20240426-en
- behavioral15: SolarisBETA/Monaco/vs/language/html/htmlworker.js, win10v2004-20240508-en
- behavioral16: SolarisBETA/Monaco/vs/language/json/jsonmode.js, win10v2004-20240426-en
- behavioral17: SolarisBETA/Monaco/vs/language/json/jsonworker.js, win10v2004-20240508-en
- behavioral18: SolarisBETA/Monaco/vs/language/typescript/lib/typescriptservices.js, win10v2004-20240426-en
- behavioral19: SolarisBETA/Monaco/vs/language/typescript/tsmode.js, win10v2004-20240508-en
- behavioral20: SolarisBETA/Monaco/vs/language/typescript/tsworker.js, win10v2004-20240426-en
- behavioral21: SolarisBETA/Monaco/vs/loader.js, win10v2004-20240508-en
- behavioral22: SolarisBETA/Monaco/vs/scriptblox.js, win10v2004-20240426-en
- behavioral23: SolarisBETA/Newtonsoft.Json.dll, win10v2004-20240426-en
- behavioral24: SolarisBETA/Octokit.dll, win10v2004-20240508-en
- behavioral25: SolarisBETA/Solaris.exe, win10v2004-20240508-en
- behavioral26: SolarisBETA/System.Buffers.dll, win10v2004-20240508-en
- behavioral27: SolarisBETA/System.Collections.Immutable.dll, win10v2004-20240226-en
- behavioral28: SolarisBETA/System.Interactive.Async.dll, win10v2004-20240426-en
- behavioral29: SolarisBETA/api-ms-win-crt-convert-l1-1-0.dll, win10v2004-20240426-en
- behavioral30: SolarisBETA/api-ms-win-crt-filesystem-l1-1-0.dll, win10v2004-20240508-en
- behavioral31: SolarisBETA/api-ms-win-crt-locale-l1-1-0.dll, win10v2004-20240426-en
- behavioral32: SolarisBETA/chrome_elf.dll, win10v2004-20240426-en
General
- Target: SolarisBETA/Solaris.exe
- Size: 143KB
- MD5: f8cc2b58cec9e31bf803fae2e4f46bfa
- SHA1: b2ffd2d4288b141e35e732f85e4949b4ed7b4820
- SHA256: 365dc0f2d75a3468ba97b0e4f262b34b3e42c0f8085c0cf6c4745abd1cab2b75
- SHA512: d243e216bde8a8265b21923a1268de8b7665cbc6b547edcfc96b3d5883475980d9a870c6c9e3de523bd42dd8815648a43c739157cad3aa3f205555252e6e72a9
- SSDEEP: 3072:ErHyYbtwcPYv4DlyzCk/2WlguRdLDhwHeL7nxZUvXvtaIA2XP7XXADPG:ErHRbtwcPYv4DlyzCk/zguRvL7xwcIA7
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla payload (1 IoC)
  resource: behavioral25/memory/692-2-0x00000206ADC80000-0x00000206ADE94000-memory.dmp, yara_rule: family_agenttesla
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation (process: Solaris.exe)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion (process: Solaris.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process: Solaris.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process: Solaris.exe)
- Suspicious behavior: EnumeratesProcesses (12 IoCs; pid, process)
  2504 CefSharp.BrowserSubprocess.exe
  2504 CefSharp.BrowserSubprocess.exe
  1364 CefSharp.BrowserSubprocess.exe
  1364 CefSharp.BrowserSubprocess.exe
  904 CefSharp.BrowserSubprocess.exe
  904 CefSharp.BrowserSubprocess.exe
  540 CefSharp.BrowserSubprocess.exe
  540 CefSharp.BrowserSubprocess.exe
  3276 CefSharp.BrowserSubprocess.exe
  3276 CefSharp.BrowserSubprocess.exe
  1500 CefSharp.BrowserSubprocess.exe
  1500 CefSharp.BrowserSubprocess.exe
- Suspicious use of AdjustPrivilegeToken (19 IoCs; token, pid, process)
  SeDebugPrivilege, 692, Solaris.exe
  SeDebugPrivilege, 2504, CefSharp.BrowserSubprocess.exe
  SeDebugPrivilege, 1364, CefSharp.BrowserSubprocess.exe
  SeDebugPrivilege, 904, CefSharp.BrowserSubprocess.exe
  SeDebugPrivilege, 540, CefSharp.BrowserSubprocess.exe
  SeDebugPrivilege, 3276, CefSharp.BrowserSubprocess.exe
  SeShutdownPrivilege, 692, Solaris.exe
  SeCreatePagefilePrivilege, 692, Solaris.exe
  SeShutdownPrivilege, 692, Solaris.exe
  SeCreatePagefilePrivilege, 692, Solaris.exe
  SeDebugPrivilege, 1500, CefSharp.BrowserSubprocess.exe
  SeShutdownPrivilege, 692, Solaris.exe
  SeCreatePagefilePrivilege, 692, Solaris.exe
  SeShutdownPrivilege, 692, Solaris.exe
  SeCreatePagefilePrivilege, 692, Solaris.exe
  SeShutdownPrivilege, 692, Solaris.exe
  SeCreatePagefilePrivilege, 692, Solaris.exe
  SeShutdownPrivilege, 692, Solaris.exe
  SeCreatePagefilePrivilege, 692, Solaris.exe
- Suspicious use of WriteProcessMemory (12 IoCs; description, pid, process, procid_target)
  PID 692 wrote to memory of 2504, 692, Solaris.exe, 88
  PID 692 wrote to memory of 2504, 692, Solaris.exe, 88
  PID 692 wrote to memory of 1364, 692, Solaris.exe, 89
  PID 692 wrote to memory of 1364, 692, Solaris.exe, 89
  PID 692 wrote to memory of 904, 692, Solaris.exe, 90
  PID 692 wrote to memory of 904, 692, Solaris.exe, 90
  PID 692 wrote to memory of 3276, 692, Solaris.exe, 91
  PID 692 wrote to memory of 3276, 692, Solaris.exe, 91
  PID 692 wrote to memory of 540, 692, Solaris.exe, 92
  PID 692 wrote to memory of 540, 692, Solaris.exe, 92
  PID 692 wrote to memory of 1500, 692, Solaris.exe, 93
  PID 692 wrote to memory of 1500, 692, Solaris.exe, 93
Processes
- C:\Users\Admin\AppData\Local\Temp\SolarisBETA\Solaris.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SolarisBETA\Solaris.exe"
  - Checks computer location settings
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 692
  - C:\Users\Admin\AppData\Local\Temp\SolarisBETA\CefSharp.BrowserSubprocess.exe (depth 2, child of 692)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SolarisBETA\CefSharp.BrowserSubprocess.exe" --type=gpu-process --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Local\Temp\SolarisBETA\debug.log" --mojo-platform-channel-handle=2220 --field-trial-handle=2252,i,15428082323580238118,7950626216133277469,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version /prefetch:2 --host-process-id=692
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2504
  - C:\Users\Admin\AppData\Local\Temp\SolarisBETA\CefSharp.BrowserSubprocess.exe (depth 2, child of 692)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SolarisBETA\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --log-file="C:\Users\Admin\AppData\Local\Temp\SolarisBETA\debug.log" --mojo-platform-channel-handle=2872 --field-trial-handle=2252,i,15428082323580238118,7950626216133277469,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version /prefetch:8 --host-process-id=692
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1364
  - C:\Users\Admin\AppData\Local\Temp\SolarisBETA\CefSharp.BrowserSubprocess.exe (depth 2, child of 692)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SolarisBETA\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --log-file="C:\Users\Admin\AppData\Local\Temp\SolarisBETA\debug.log" --mojo-platform-channel-handle=3124 --field-trial-handle=2252,i,15428082323580238118,7950626216133277469,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version /prefetch:8 --host-process-id=692
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 904
  - C:\Users\Admin\AppData\Local\Temp\SolarisBETA\CefSharp.BrowserSubprocess.exe (depth 2, child of 692)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SolarisBETA\CefSharp.BrowserSubprocess.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\SolarisBETA\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3140 --field-trial-handle=2252,i,15428082323580238118,7950626216133277469,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --host-process-id=692 /prefetch:1
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3276
  - C:\Users\Admin\AppData\Local\Temp\SolarisBETA\CefSharp.BrowserSubprocess.exe (depth 2, child of 692)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SolarisBETA\CefSharp.BrowserSubprocess.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\SolarisBETA\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3148 --field-trial-handle=2252,i,15428082323580238118,7950626216133277469,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --host-process-id=692 /prefetch:1
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 540
  - C:\Users\Admin\AppData\Local\Temp\SolarisBETA\CefSharp.BrowserSubprocess.exe (depth 2, child of 692)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SolarisBETA\CefSharp.BrowserSubprocess.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\SolarisBETA\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3536 --field-trial-handle=2252,i,15428082323580238118,7950626216133277469,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --host-process-id=692 /prefetch:1
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1500
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 23KB
  MD5: 59767cc760f74eb15ad772793761b411
  SHA1: 7e6830208855f2e6e906a6cac558015300281d75
  SHA256: 9c52c9945a696b05ebfcb21ee3215e7169dc88f7bb636dc62389c2009dd2c623
  SHA512: 712945a4149c79235799a4e871b762ced4f034c322552e2b806e9bb0092303b5661f53fc3dae239fa084a0f9f7048a34dfe300c2df2d1762a584fb4a5b427450
- Filesize: 23KB
  MD5: 1f53a8701353680b43843487c56662c2
  SHA1: 1a26adbecd066ad9b8fb8478ef311f58a30e3c9d
  SHA256: f9a59b2f6f18bbea5690dcbbe233a185936275ca409540193d624bc902201f45
  SHA512: 0ad36f9eec8b0246bb0a17485d490f0e5fa68dda7aa5debd8b0db4881ffbb0559408885433f8d059fe0accb04c29abf55944bd532b9439e3bdedba2ceefffeeb