Overview

overview

10

Static

static

3

Solara Executor.exe

windows11-21h2-x64

10

Resubmissions

05-02-2025 21:20

250205-z6wktssmcv 10

05-02-2025 21:19

250205-z6a9wsvkfj 10

Analysis

  • max time kernel
    22s
  • max time network
    30s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    05-02-2025 21:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Solara Executor.exe

  • Size

    18.7MB

  • MD5

    20f922eb17efc661c32b9af7123cc2e3

  • SHA1

    cc225ff5794975e66fcbd7f6a6a0cf3c780fd488

  • SHA256

    8d7559b7b2641f0eddca0905f3ebd59dbe93ebf5d44603227480fbcbe69ed82c

  • SHA512

    6c332727ff87f432bd7b8f862e6155ff748d687a2da55726c1055f4b655d6ec43a4d3475a7f8be39302efe5905b5a8164bd8113598c1a0af5b85aa47071153fd

  • SSDEEP

    192:8yihNYoCYedOzbD/kyL7F9DKCvzlKHmCYOF6Qb/:8hmoCJdOzbrkyF1RKGCLAk

Score
10/10
quasarsvhost32discoveryexecutionspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

svhost32

C2

87.228.57.81:4782

Mutex

47b71fc0-b2c4-4112-b97a-39385a5399c1

Attributes
  • encryption_key

    19A0FAF8459F69650B5965C225752D425C429EEC

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    svhost32

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Solara Executor.exe
    "C:\Users\Admin\AppData\Local\Temp\Solara Executor.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1692
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\rlsamymhp'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2544
    • C:\rlsamymhp\judsep.exe
      "C:\rlsamymhp\judsep.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2424
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "svhost32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1052
      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3124
        • C:\Windows\SYSTEM32\schtasks.exe
          "schtasks" /create /tn "svhost32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1516

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rv0lyvor.4tj.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\rlsamymhp\judsep.exe
    Filesize

    3.1MB

    MD5

    fbb44da2d0860af30fc45116529832df

    SHA1

    44377732b9959172cdb261d366069801adafd52a

    SHA256

    3dc3c88ce100a2f6d16e8c0fbd096b622810bb62dd6dcf5719c657254129ec31

    SHA512

    b1cdda7f3b67f1bedfbf896a4e7e8af0d12aa78a8709604d1262cc68ff0b0bdb3a326e7325075210f4d4e22e43fd7a7fa4bfbc90fc4c032bc3f3304f79157909

    Download Submit

  • memory/1692-1-0x00000000004E0000-0x00000000004E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1692-61-0x0000000075090000-0x0000000075841000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1692-48-0x0000000075090000-0x0000000075841000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1692-38-0x000000007509E000-0x000000007509F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1692-0-0x000000007509E000-0x000000007509F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2424-62-0x0000000000AE0000-0x0000000000E04000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2544-33-0x0000000075090000-0x0000000075841000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2544-6-0x0000000004EF0000-0x0000000004F12000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2544-17-0x0000000005910000-0x0000000005C67000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2544-18-0x0000000005EE0000-0x0000000005EFE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2544-19-0x0000000005F70000-0x0000000005FBC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2544-21-0x0000000071260000-0x00000000712AC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2544-20-0x0000000007040000-0x0000000007074000-memory.dmp

    Filesize

    208KB

    Download

  • memory/2544-30-0x00000000070A0000-0x00000000070BE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2544-31-0x00000000070D0000-0x0000000007174000-memory.dmp

    Filesize

    656KB

    Download

  • memory/2544-32-0x0000000075090000-0x0000000075841000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2544-8-0x00000000058A0000-0x0000000005906000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2544-34-0x0000000075090000-0x0000000075841000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2544-36-0x0000000007210000-0x000000000722A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2544-35-0x0000000007850000-0x0000000007ECA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2544-37-0x0000000007290000-0x000000000729A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2544-7-0x0000000005090000-0x00000000050F6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2544-39-0x00000000074A0000-0x0000000007536000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2544-40-0x0000000007420000-0x0000000007431000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2544-41-0x0000000007450000-0x000000000745E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2544-42-0x0000000007460000-0x0000000007475000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2544-43-0x0000000007560000-0x000000000757A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2544-44-0x0000000007550000-0x0000000007558000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2544-47-0x0000000075090000-0x0000000075841000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2544-5-0x0000000005100000-0x000000000572A000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2544-4-0x0000000075090000-0x0000000075841000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2544-3-0x0000000075090000-0x0000000075841000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2544-2-0x0000000004A00000-0x0000000004A36000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3124-69-0x000000001B1A0000-0x000000001B1F0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3124-70-0x000000001BDB0000-0x000000001BE62000-memory.dmp

    Filesize

    712KB

    Download