C:\Users\Ashtin\Desktop\WTF\SolaraBootstrapper\SolaraBootstrapper\bin\Release\Bootstrapper.pdb
Behavioral task
behavioral1
Sample
Solara Executor V2/Download (RUN FIRST).exe
Resource
win11-20240802-en
Behavioral task
behavioral2
Sample
Solara Executor V2/Solara Executor.exe
Resource
win11-20240802-en
General
-
Target
Solara Executor V2.rar
-
Size
1.2MB
-
MD5
51e6735ce2042e2ba0c187a3c47ff2df
-
SHA1
0902722a7e18a5a90c81dc786ab3b5ec616f2d70
-
SHA256
a83f40624d7d8f6f769e672c41a72785bb623fa6f87640aac16cd7300599b21e
-
SHA512
bcd27ec0ef174fd44e8295d84196ea4da9f9f7d15dd9fb814b9a8608c7585e723eb6ad415317648654e3b97a15e35d4b9c9d5702c2e4b55a2f78203fa8d7be72
-
SSDEEP
24576:w2TfBF51vJNv35DAcR3VXXslc7lHR+tOJyZkZN0z1qCA8G2gA7bprFarC1RuQBrn:w2bBb1vucnnGc7lHRPIyMhA8pgAHpJUY
Malware Config
Extracted
quasar
1.4.1
Office04
192.168.68.119:4782
realwz-34142.portmap.host:34142
6eb5c908-87fa-4e33-a3b3-a6eaa2455bad
-
encryption_key
458FF650B9D9D277FD5A8DC74175331B7B2FC1B9
-
install_name
Downloader.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
SolaraExecutor
-
subdirectory
SubDir
Signatures
-
Quasar family
-
Quasar payload 1 IoCs
Processes:
resource yara_rule static1/unpack001/Solara Executor V2/Download (RUN FIRST).exe family_quasar -
Unsigned PE 2 IoCs
Checks for missing Authenticode signature.
Processes:
resource unpack001/Solara Executor V2/Download (RUN FIRST).exe unpack001/Solara Executor V2/Solara Executor.exe
Files
-
Solara Executor V2.rar.rar
Password: infected
-
Solara Executor V2/Download (RUN FIRST).exe.exe windows:4 windows x86 arch:x86
Password: infected
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
mscoree
_CorExeMain
Sections
.text Size: 3.1MB - Virtual size: 3.1MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 3KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
Solara Executor V2/Solara Executor.exe.exe windows:4 windows x86 arch:x86
Password: infected
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
PDB Paths
Imports
mscoree
_CorExeMain
Sections
.text Size: 792KB - Virtual size: 792KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ