Analysis

  • max time kernel
    119s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/12/2024, 20:23 UTC

General

  • Target

    Solara Executor.exe

  • Size

    527.1MB

  • MD5

    2f0279eca2b15f105600d0fa8634b40a

  • SHA1

    a61a80b6a5915f014f7b9d311386905a1cf30f0a

  • SHA256

    68f2893e72bb79f1da5d8b3c9f5dbe29d6f1c1c583356cd5a2221d8a54bf3010

  • SHA512

    1aa89b075a4d3a58439b88ca82c79b425707b65ff8b1685a57e70e55e3718e48f2942d8399d843d6fb504da3bcf931c400c30e368d213a2b1d0149899868254f

  • SSDEEP

    98304:HJxFqrqnIGHYeUt7wSTsEitaAo4N/nl3x0NlBuQa3HUQxrFD:pxFqrqnwtwSccAoKl3fQa3f

Score
10/10

Malware Config

Extracted

Family

meduza

C2

45.130.145.152

Attributes
  • anti_dbg

    true

  • anti_vm

    true

  • build_name

    Work

  • extensions

    .txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite

  • grabber_max_size

    4.194304e+06

  • port

    15666

  • self_destruct

    false

Signatures

  • Meduza

    Meduza is a crypto wallet and info stealer written in C++.

  • Meduza Stealer payload 2 IoCs
  • Meduza family
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Solara Executor.exe
    "C:\Users\Admin\AppData\Local\Temp\Solara Executor.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Users\Admin\AppData\Local\Temp\78643400aaca4701b7bbddbfe9fde79c.exe
      "C:\Users\Admin\AppData\Local\Temp\78643400aaca4701b7bbddbfe9fde79c.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2680 -s 656
        3⤵
        • Loads dropped DLL
        PID:2664
    • C:\Users\Admin\AppData\Local\Temp\9d52dc19fecb43e793f03d6fbe7f9472.exe
      "C:\Users\Admin\AppData\Local\Temp\9d52dc19fecb43e793f03d6fbe7f9472.exe"
      2⤵
      • Executes dropped EXE
      PID:2104

Network

  • flag-us
    DNS
    neroheronero.net
    Solara Executor.exe
    Remote address:
    8.8.8.8:53
    Request
    neroheronero.net
    IN A
    Response
    neroheronero.net
    IN A
    172.67.204.33
    neroheronero.net
    IN A
    104.21.44.221
  • flag-us
    GET
    https://neroheronero.net/off/ruppert.exe
    Solara Executor.exe
    Remote address:
    172.67.204.33:443
    Request
    GET /off/ruppert.exe HTTP/1.1
    Host: neroheronero.net
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Thu, 19 Dec 2024 20:24:52 GMT
    Content-Type: application/octet-stream
    Content-Length: 2749952
    Connection: keep-alive
    Last-Modified: Wed, 18 Dec 2024 13:46:35 GMT
    ETag: "6762d23b-29f600"
    Cache-Control: max-age=14400
    CF-Cache-Status: REVALIDATED
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BbSgEDZg2NFgWDGTjaWpZr4LESAdjlZ5SMoJd%2F2Nd8a9JaxuxdhCQk1KwxlvOia6if5ClyMhyOdj4rd5bwDItmn%2BQAsyrZAiSBhk%2FSZbUT4cuVl8vwTbBHSGRKAJk%2Bw3jVZG"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f4a1e5e089cf654-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=50759&min_rtt=46942&rtt_var=15958&sent=6&recv=6&lost=0&retrans=0&sent_bytes=2858&recv_bytes=371&delivery_rate=73182&cwnd=253&unsent_bytes=0&cid=9584ba307ceaea54&ts=300&x=0"
  • flag-us
    DNS
    fitgirl-repackes.me
    Solara Executor.exe
    Remote address:
    8.8.8.8:53
    Request
    fitgirl-repackes.me
    IN A
    Response
    fitgirl-repackes.me
    IN A
    172.67.132.176
    fitgirl-repackes.me
    IN A
    104.21.5.4
  • flag-us
    GET
    https://fitgirl-repackes.me/av/triage.exe
    Solara Executor.exe
    Remote address:
    172.67.132.176:443
    Request
    GET /av/triage.exe HTTP/1.1
    Host: fitgirl-repackes.me
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Thu, 19 Dec 2024 20:24:53 GMT
    Content-Type: application/octet-stream
    Content-Length: 2749952
    Connection: keep-alive
    Last-Modified: Wed, 18 Dec 2024 13:46:47 GMT
    ETag: "6762d247-29f600"
    Cache-Control: max-age=14400
    CF-Cache-Status: HIT
    Age: 576
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TKU7PE5fRLubfIGcpTlQUDNXBUVXH98SV1lcNUL%2FQPFX73R3d6pW8oV2Bs%2BEv%2F4l2utF0MZ03aIaMQMjUilctbADdZU2py65dWvadqTq64hVQ14hX4CuBXRfzBewoaEhcPKcPjBF"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f4a1e64cedaef0b-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=49125&min_rtt=46919&rtt_var=12960&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2865&recv_bytes=374&delivery_rate=75248&cwnd=253&unsent_bytes=0&cid=8b7766de72143ba0&ts=125&x=0"
  • flag-us
    DNS
    api.ipify.org
    78643400aaca4701b7bbddbfe9fde79c.exe
    Remote address:
    8.8.8.8:53
    Request
    api.ipify.org
    IN A
    Response
    api.ipify.org
    IN A
    104.26.13.205
    api.ipify.org
    IN A
    172.67.74.152
    api.ipify.org
    IN A
    104.26.12.205
  • 172.67.204.33:443
    https://neroheronero.net/off/ruppert.exe
    tls, http
    Solara Executor.exe
    97.9kB
    2.8MB
    1610
    2064

    HTTP Request

    GET https://neroheronero.net/off/ruppert.exe

    HTTP Response

    200
  • 172.67.132.176:443
    https://fitgirl-repackes.me/av/triage.exe
    tls, http
    Solara Executor.exe
    97.0kB
    2.8MB
    1675
    2080

    HTTP Request

    GET https://fitgirl-repackes.me/av/triage.exe

    HTTP Response

    200
  • 45.130.145.152:15666
    78643400aaca4701b7bbddbfe9fde79c.exe
    98 B
    52 B
    2
    1
  • 138.124.18.95:22322
    9d52dc19fecb43e793f03d6fbe7f9472.exe
    259 B
    92 B
    3
    2
  • 8.8.8.8:53
    neroheronero.net
    dns
    Solara Executor.exe
    62 B
    94 B
    1
    1

    DNS Request

    neroheronero.net

    DNS Response

    172.67.204.33
    104.21.44.221

  • 8.8.8.8:53
    fitgirl-repackes.me
    dns
    Solara Executor.exe
    65 B
    97 B
    1
    1

    DNS Request

    fitgirl-repackes.me

    DNS Response

    172.67.132.176
    104.21.5.4

  • 8.8.8.8:53
    api.ipify.org
    dns
    78643400aaca4701b7bbddbfe9fde79c.exe
    59 B
    107 B
    1
    1

    DNS Request

    api.ipify.org

    DNS Response

    104.26.13.205
    172.67.74.152
    104.26.12.205

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\9d52dc19fecb43e793f03d6fbe7f9472.exe

    Filesize

    2.6MB

    MD5

    5ad98066bfaea71873af260814cdebb0

    SHA1

    5dc890fd83e13d1b3b9ffc8b9e691bf5923fe7d4

    SHA256

    bec45a7561b438237598f772b08e4e67f480e2330619fb3e7cd175156627c5f8

    SHA512

    4373e339b09fef72e8da394933b42a04ff4c9b1e31636c0cad6a0fc8d60d7a4e23b43d744f3725fb506078fdb2521879c785978e1aef066898eb3762a72b262e

  • \Users\Admin\AppData\Local\Temp\78643400aaca4701b7bbddbfe9fde79c.exe

    Filesize

    2.6MB

    MD5

    c3242cab034e773dad42d6fbff0b4ecf

    SHA1

    c4b7daa973a191f9dcd6e6f637602b5683899571

    SHA256

    fbe49c90e24fb5b6be83157db5a5415411b410c6b13fdb9ef12740a157f60481

    SHA512

    e74a8e474f4385531387e0f51cff631a8e7c0eacb5d23021f0ac4701f356f869889472814cc5856aef776fefa8703a94578af4feec8e037d89cbe95a409027c3

  • memory/2104-26-0x00000000000F0000-0x0000000000170000-memory.dmp

    Filesize

    512KB

  • memory/2104-23-0x00000000000F0000-0x0000000000170000-memory.dmp

    Filesize

    512KB

  • memory/2104-21-0x00000000000F0000-0x0000000000170000-memory.dmp

    Filesize

    512KB

  • memory/2680-25-0x0000000001F30000-0x000000000206E000-memory.dmp

    Filesize

    1.2MB

  • memory/2680-12-0x0000000001F30000-0x000000000206E000-memory.dmp

    Filesize

    1.2MB

  • memory/2692-4-0x000007FEF61F0000-0x000007FEF6BDC000-memory.dmp

    Filesize

    9.9MB

  • memory/2692-6-0x000007FEF61F0000-0x000007FEF6BDC000-memory.dmp

    Filesize

    9.9MB

  • memory/2692-5-0x000007FEF61F3000-0x000007FEF61F4000-memory.dmp

    Filesize

    4KB

  • memory/2692-0-0x000007FEF61F3000-0x000007FEF61F4000-memory.dmp

    Filesize

    4KB

  • memory/2692-3-0x000007FEF61F0000-0x000007FEF6BDC000-memory.dmp

    Filesize

    9.9MB

  • memory/2692-22-0x000007FEF61F0000-0x000007FEF6BDC000-memory.dmp

    Filesize

    9.9MB

  • memory/2692-24-0x000007FEF61F0000-0x000007FEF6BDC000-memory.dmp

    Filesize

    9.9MB

  • memory/2692-2-0x000007FEF61F0000-0x000007FEF6BDC000-memory.dmp

    Filesize

    9.9MB

  • memory/2692-1-0x0000000000D30000-0x0000000001D30000-memory.dmp

    Filesize

    16.0MB
