File name:

SolaraV3.zip

Full analysis: https://app.any.run/tasks/d80a138f-4d67-4ad7-b904-a68705ad7b75
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: January 01, 2025, 19:47:38
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
arch-doc
evasion
smartloader
loader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5:

0066985C29BFD1D15627D6386A79C96F

SHA1:

128FE277EB6ED30BE53ED78A770A3233E0002B0D

SHA256:

87FB36EFE5FAA6890C43041A39D548A8BFE2F94F6462E9870F1DD5F168C509AF

SSDEEP:

24576:nGRAXbJKMIEUlL+hWqg8V0F6ybKQmsXGeXagEk8/yIC8TB5ZGSjb301QO:GRIJKMIEUlL+hWqg8V0F6ymQmsXGeXam

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 6292)

    • Connects to the CnC server

      • lua.exe (PID: 7068)

    • SMARTLOADER has been detected (SURICATA)

      • lua.exe (PID: 7068)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • lua.exe (PID: 7068)

    • Checks Windows Trust Settings

      • lua.exe (PID: 7068)

    • Checks for external IP

      • lua.exe (PID: 7068)
      • svchost.exe (PID: 2192)

    • Connects to the server without a host name

      • lua.exe (PID: 7068)

  • INFO

    • Reads the computer name

      • lua.exe (PID: 7068)

    • Manual execution by a user

      • cmd.exe (PID: 7004)

    • The process uses the downloaded file

      • WinRAR.exe (PID: 6292)

    • Checks supported languages

      • lua.exe (PID: 7068)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6292)

    • Checks proxy server information

      • lua.exe (PID: 7068)

    • Reads the software policy settings

      • lua.exe (PID: 7068)

    • Creates files or folders in the user directory

      • lua.exe (PID: 7068)

    • Reads the machine GUID from the registry

      • lua.exe (PID: 7068)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:12:29 02:12:34
ZipCRC: 0x5d317653
ZipCompressedSize: 225600
ZipUncompressedSize: 225600
ZipFileName: config.txt
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
132
Monitored processes
6
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe cmd.exe no specs conhost.exe no specs #SMARTLOADER lua.exe conhost.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
6292"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\SolaraV3.zipC:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
7004C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\Launcher.bat" "C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
7012\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7068lua.exe config.txtC:\Users\admin\Desktop\lua.exe
cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\lua.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\users\admin\desktop\lua51.dll
7076\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exelua.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
2 363
Read events
2 352
Write events
11
Delete events
0

Modification events

(PID) Process:(6292) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(6292) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(6292) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(6292) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\SolaraV3.zip
(PID) Process:(6292) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(6292) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(6292) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(6292) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(7068) lua.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(7068) lua.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
Executable files
2
Suspicious files
3
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
7068lua.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64Abinary
MD5:6A0C5710A781D28D1380C91635B62D76
SHA256:7310721563C217FCFA06090AF855B2BB6F011E6341AA40B73E4B81AC3620D63E
7068lua.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64Abinary
MD5:451D6220080EDB68FBB082232EAD9A9A
SHA256:FC99EDFA705220EB64C32D615ED9B22BB878557968FDA3578CA5E616F6C11CDE
6292WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa6292.18312\lua.exeexecutable
MD5:DD98A43CB27EFD5BCC29EFB23FDD6CA5
SHA256:1CF20B8449EA84C684822A5E8AB3672213072DB8267061537D1CE4EC2C30C42A
6292WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa6292.18312\config.txttext
MD5:96C673C9E9DEDEFEC5FD5E27284E4F29
SHA256:D92B9E01E24935E1CC6144734C0B39379EDEF1E3C06AEDBD547DC304E7334D77
6292WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa6292.18312\Launcher.battext
MD5:CD08C9B4DD0681B6DCA5285E42D41C22
SHA256:873642EAB8A05E8D32CF9FE4D421CDCCFD4EFBC7C185B922D4A75F056984AF72
6292WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa6292.18312\lua51.dllexecutable
MD5:3DFF7448B43FCFB4DC65E0040B0FFB88
SHA256:FF976F6E965E3793E278FA9BF5E80B9B226A0B3932B9DA764BFFC8E41E6CDB60
7068lua.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\json[1].jsonbinary
MD5:D5D9CDA020C1B98B17577074418E3A3B
SHA256:45F370F8D6C9D71DAED7207F4B490985E9DE61430718D76AA139AF9D3D63475B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
37
DNS requests
20
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.147:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7068
lua.exe
GET
200
208.95.112.1:80
http://ip-api.com/json/
unknown
shared
7068
lua.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6500
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
7068
lua.exe
PUT
200
87.120.36.50:80
http://87.120.36.50/api/YTAsODYsODIsOWQsYTEsODgsOTAsOTUsNjUsN2Qs
unknown
malicious
5720
SIHClient.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5720
SIHClient.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
unknown
2220
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4712
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5064
SearchApp.exe
92.123.104.40:443
www.bing.com
Akamai International B.V.
DE
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
23.48.23.147:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
69.192.161.161:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1176
svchost.exe
20.190.159.23:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
  • 20.73.194.208
whitelisted
www.bing.com
  • 92.123.104.40
  • 92.123.104.49
  • 92.123.104.19
  • 92.123.104.32
  • 92.123.104.33
  • 92.123.104.67
  • 92.123.104.52
  • 92.123.104.11
  • 92.123.104.28
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
google.com
  • 142.250.185.142
whitelisted
crl.microsoft.com
  • 23.48.23.147
  • 23.48.23.173
  • 23.48.23.177
  • 23.48.23.143
  • 23.48.23.167
  • 23.48.23.156
  • 23.48.23.183
  • 23.48.23.194
  • 23.48.23.145
whitelisted
www.microsoft.com
  • 69.192.161.161
whitelisted
login.live.com
  • 20.190.159.23
  • 20.190.159.75
  • 40.126.31.67
  • 20.190.159.0
  • 20.190.159.68
  • 40.126.31.69
  • 20.190.159.73
  • 40.126.31.73
whitelisted
go.microsoft.com
  • 69.192.162.125
whitelisted
ip-api.com
  • 208.95.112.1
shared
arc.msn.com
  • 20.223.35.26
whitelisted

Threats

PID
Process
Class
Message
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
A Network Trojan was detected
LOADER [ANY.RUN] SmartLoader Check-in
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
SolaraV3.zip