Analysis Overview
SHA256
a83f40624d7d8f6f769e672c41a72785bb623fa6f87640aac16cd7300599b21e
Threat Level: Known bad
The file Solara Executor V2.rar was found to be: Known bad.
Malicious Activity Summary
Quasar family
Quasar payload
Quasar RAT
Deletes itself
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of SetWindowsHookEx
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-02 17:06
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-02 17:06
Reported
2024-08-02 17:13
Platform
win11-20240802-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Downloader.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\Download (RUN FIRST).exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Downloader.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Downloader.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3080 wrote to memory of 4884 | N/A | C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\Download (RUN FIRST).exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 3080 wrote to memory of 4884 | N/A | C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\Download (RUN FIRST).exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 3080 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\Download (RUN FIRST).exe | C:\Users\Admin\AppData\Roaming\SubDir\Downloader.exe |
| PID 3080 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\Download (RUN FIRST).exe | C:\Users\Admin\AppData\Roaming\SubDir\Downloader.exe |
| PID 1304 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Downloader.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 1304 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Downloader.exe | C:\Windows\SYSTEM32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\Download (RUN FIRST).exe
"C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\Download (RUN FIRST).exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "SolaraExecutor" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Downloader.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Downloader.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Downloader.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "SolaraExecutor" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Downloader.exe" /rl HIGHEST /f
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.68.119:4782 | N/A | tcp |
| US | 8.8.8.8:53 | realwz-34142.portmap.host | udp |
| DE | 193.161.193.99:34142 | realwz-34142.portmap.host | tcp |
| N/A | 192.168.68.119:4782 | N/A | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| DE | 193.161.193.99:34142 | realwz-34142.portmap.host | tcp |
| N/A | 192.168.68.119:4782 | N/A | tcp |
| DE | 193.161.193.99:34142 | realwz-34142.portmap.host | tcp |
| N/A | 192.168.68.119:4782 | N/A | tcp |
| DE | 193.161.193.99:34142 | realwz-34142.portmap.host | tcp |
| N/A | 192.168.68.119:4782 | N/A | tcp |
| DE | 193.161.193.99:34142 | realwz-34142.portmap.host | tcp |
Files
memory/3080-0-0x00007FFECF253000-0x00007FFECF255000-memory.dmp
memory/3080-1-0x00000000007D0000-0x0000000000AF4000-memory.dmp
memory/3080-2-0x00007FFECF250000-0x00007FFECFD12000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Downloader.exe
| MD5 | c23404d4606f1e49bfc9efff359ed317 |
| SHA1 | da2904b0f8e16119576e389c0d77c2b4c96baf9e |
| SHA256 | 00345f840ce5cc3045c67e63e93f2fb438963eeb13a8d8587e2b196d4bc79591 |
| SHA512 | 30bb2f181342ab8e9c8bd851d554bedb6f87a91021b2a521ed02313ec146083920b33cc3a28135fb4b45f6103dc0c8fb01ba61096ece3ad23e2e5d3cd5720407 |
memory/3080-10-0x00007FFECF250000-0x00007FFECFD12000-memory.dmp
memory/1304-9-0x00007FFECF250000-0x00007FFECFD12000-memory.dmp
memory/1304-11-0x00007FFECF250000-0x00007FFECFD12000-memory.dmp
memory/1304-12-0x000000001C0F0000-0x000000001C140000-memory.dmp
memory/1304-13-0x000000001C200000-0x000000001C2B2000-memory.dmp
memory/1304-14-0x00007FFECF250000-0x00007FFECFD12000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-02 17:06
Reported
2024-08-02 17:12
Platform
win11-20240802-en
Max time kernel
61s
Max time network
64s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\BootstrapperV1.11.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\BootstrapperV1.11.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\BootstrapperV1.11.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\Solara Executor.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\Solara Executor.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\BootstrapperV1.11.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4648 wrote to memory of 3148 | N/A | C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\Solara Executor.exe | C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\BootstrapperV1.11.exe |
| PID 4648 wrote to memory of 3148 | N/A | C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\Solara Executor.exe | C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\BootstrapperV1.11.exe |
| PID 4648 wrote to memory of 3148 | N/A | C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\Solara Executor.exe | C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\BootstrapperV1.11.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\Solara Executor.exe
"C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\Solara Executor.exe"
C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\BootstrapperV1.11.exe
"C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\BootstrapperV1.11.exe" --oldBootstrapper "C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\Solara Executor.exe" --isUpdate true
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| GB | 128.116.119.4:443 | clientsettings.roblox.com | tcp |
Files
memory/4648-0-0x00000000742DE000-0x00000000742DF000-memory.dmp
memory/4648-1-0x0000000000290000-0x000000000035E000-memory.dmp
memory/4648-2-0x00000000742D0000-0x0000000074A81000-memory.dmp
memory/4648-3-0x00000000057F0000-0x0000000005812000-memory.dmp
memory/4648-4-0x0000000005820000-0x0000000005B77000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\BootstrapperV1.11.exe
| MD5 | 365971e549352a15e150b60294ec2e57 |
| SHA1 | 2932242b427e81b1b4ac8c11fb17793eae0939f7 |
| SHA256 | faad2bc8e61b75e595a80ff2b6d150ff8b27187a8ba426cc1e5e38e193ab6d42 |
| SHA512 | f7ba1353e880213a6bdf5bd1dfdfd42a0acf4066a540a502e8df8fec8eac7fb80b75aa52e68eca98be3f7701da48eb90758e5b94d72013d3dff05e0aaf27e938 |
memory/4648-16-0x00000000742D0000-0x0000000074A81000-memory.dmp
memory/3148-18-0x00000000005D0000-0x000000000069E000-memory.dmp
memory/3148-19-0x00000000742D0000-0x0000000074A81000-memory.dmp
memory/3148-20-0x00000000742D0000-0x0000000074A81000-memory.dmp
memory/3148-21-0x00000000742D0000-0x0000000074A81000-memory.dmp