Analysis

max time kernel:  140s
max time network: 146s
platform:         windows11-21h2_x64
resource:         win11-20240802-en
resource tags:    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted:        01-09-2024 18:16
Static task: static1

Behavioral task: behavioral1
  Sample:   Solara.zip
  Resource: win11-20240802-en

Behavioral task: behavioral2
  Sample:   Password - github.txt
  Resource: win11-20240802-en
General

Target: Solara.zip
Size:   13.4MB
MD5:    6fe0bb4598fba38e1c2dc25b084ae38e
SHA1:   7514257cc85b0a2d4b218f43f9a8f4dd61c545cf
SHA256: ceaed51bfaf0862e89a1790376ff6969bcc7c266e2c7b73cf67f57ad3ca7a397
SHA512: 232b90973680eadbf11851fa20dc1e0ffbcae86f14bd8b605964a593775705cdc69dcb3cd9a5ab66ce18785c2a098df75f58392b1c3d6a04f28c57541fdc632b
SSDEEP: 393216:+H7gx90ywmq3gvGQ1HUPri1xktbsUjOBo+mt:u7e92v+PRUDi1QvaoTt
Malware Config

Extracted
  Family: rhadamanthys
  C2:     https://144.76.133.166:8034/5502b8a765a7d7349/k5851jfq.guti6
Signatures

Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Fires when a process is created with a parent PID other than the creating process (parent-PID spoofing). Consistent with this, openwith.exe (PID 1452) sits under sihost.exe (PID 692) in the process tree, although it is the child Solara.exe (PID 776) that writes into its memory.

  description            pid   Process      procid_target
  PID 776 created 692    776   Solara.exe   50

Suspicious use of SetThreadContext (1 IoC)
  Taken together with the ten WriteProcessMemory calls from PID 3780 into PID 776 listed below, this is the write-then-redirect-thread pattern of process hollowing: the first Solara.exe overwrites a second copy of itself and points its thread at the injected code.

  description                          pid    Process      procid_target
  PID 3780 set thread context of 776   3780   Solara.exe   90

Program crash (2 IoCs)
  pid    pid_target   Process        procid_target
  1532   776          WerFault.exe   90
  904    776          WerFault.exe   90

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  description   ioc                                                           Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Solara.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Solara.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   openwith.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid    Process
  776    Solara.exe
  776    Solara.exe
  1452   openwith.exe
  1452   openwith.exe
  1452   openwith.exe
  1452   openwith.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description                         pid    Process      procid_target
  PID 3780 wrote to memory of 776     3780   Solara.exe   90
  PID 3780 wrote to memory of 776     3780   Solara.exe   90
  PID 3780 wrote to memory of 776     3780   Solara.exe   90
  PID 3780 wrote to memory of 776     3780   Solara.exe   90
  PID 3780 wrote to memory of 776     3780   Solara.exe   90
  PID 3780 wrote to memory of 776     3780   Solara.exe   90
  PID 3780 wrote to memory of 776     3780   Solara.exe   90
  PID 3780 wrote to memory of 776     3780   Solara.exe   90
  PID 3780 wrote to memory of 776     3780   Solara.exe   90
  PID 3780 wrote to memory of 776     3780   Solara.exe   90
  PID 776 wrote to memory of 1452     776    Solara.exe   91
  PID 776 wrote to memory of 1452     776    Solara.exe   91
  PID 776 wrote to memory of 1452     776    Solara.exe   91
  PID 776 wrote to memory of 1452     776    Solara.exe   91
  PID 776 wrote to memory of 1452     776    Solara.exe   91
Processes

C:\Windows\system32\sihost.exe  (PID 692)
    cmdline: sihost.exe
    C:\Windows\SysWOW64\openwith.exe  (PID 1452)
        cmdline: "C:\Windows\system32\openwith.exe"
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

C:\Windows\Explorer.exe  (PID 4712)
    cmdline: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Solara.zip

C:\Windows\System32\rundll32.exe  (PID 3004)
    cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\Solara\Solara\Solara.exe  (PID 3780)
    cmdline: "C:\Users\Admin\Desktop\Solara\Solara\Solara.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\Desktop\Solara\Solara\Solara.exe  (PID 776)
        cmdline: "C:\Users\Admin\Desktop\Solara\Solara\Solara.exe"
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\WerFault.exe  (PID 1532)
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 472
            - Program crash
        C:\Windows\SysWOW64\WerFault.exe  (PID 904)
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 492
            - Program crash

C:\Windows\SysWOW64\WerFault.exe  (PID 2748)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 776 -ip 776

C:\Windows\SysWOW64\WerFault.exe  (PID 3096)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 776 -ip 776

C:\Windows\system32\svchost.exe  (PID 3380)
    cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc