| File name: | Solara.exe |
| Full analysis: | https://app.any.run/tasks/b4c21f76-789d-4025-b456-da201e008315 |
| Verdict: | Malicious activity |
| Threats: | MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations. |
| Analysis date: | August 03, 2024, 02:15:45 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 235974B1DF44F0484D8210536DAB5D41 |
| SHA1: | DE52848EA0FEDF2F7491E81147139A2D80FE4A6C |
| SHA256: | 8B4ACF13AD30350ADABED9AA814134FE1065AAFFEB04B2403B400986859DC19D |
| SSDEEP: | 98304:cvlGwaW50mKPdx0e/sOKFVZuRWd8MGbwIZDPs:I |
MALICIOUS
Drops the executable file immediately after the start
- Solara.exe (PID: 6728)
- cmd.exe (PID: 6772)
- Statistical.pif (PID: 7076)
Antivirus name has been found in the command line (generic signature)
- findstr.exe (PID: 6848)
- findstr.exe (PID: 6960)
Stealers network behavior
- RegAsm.exe (PID: 7156)
Steals credentials from Web Browsers
- RegAsm.exe (PID: 7156)
METASTEALER has been detected (SURICATA)
- RegAsm.exe (PID: 7156)
Connects to the CnC server
- RegAsm.exe (PID: 7156)
REDLINE has been detected (SURICATA)
- RegAsm.exe (PID: 7156)
REDLINE has been detected (YARA)
- RegAsm.exe (PID: 7156)
Actions looks like stealing of personal data
- RegAsm.exe (PID: 7156)
SUSPICIOUS
Reads security settings of Internet Explorer
- Solara.exe (PID: 6728)
Reads the date of Windows installation
- Solara.exe (PID: 6728)
Executing commands from ".cmd" file
- Solara.exe (PID: 6728)
Starts CMD.EXE for commands execution
- Solara.exe (PID: 6728)
- cmd.exe (PID: 6772)
Get information on the list of running processes
- cmd.exe (PID: 6772)
Using 'findstr.exe' to search for text patterns in files and output
- cmd.exe (PID: 6772)
Application launched itself
- cmd.exe (PID: 6772)
Drops a file with a rarely used extension (PIF)
- cmd.exe (PID: 6772)
Executable content was dropped or overwritten
- cmd.exe (PID: 6772)
- Statistical.pif (PID: 7076)
Suspicious file concatenation
- cmd.exe (PID: 7056)
Starts application with an unusual extension
- cmd.exe (PID: 6772)
The executable file from the user directory is run by the CMD process
- Statistical.pif (PID: 7076)
The process creates files with name similar to system file names
- Statistical.pif (PID: 7076)
Starts a Microsoft application from unusual location
- RegAsm.exe (PID: 7156)
Process drops legitimate windows executable
- Statistical.pif (PID: 7076)
Searches for installed software
- RegAsm.exe (PID: 7156)
Connects to unusual port
- RegAsm.exe (PID: 7156)
INFO
Create files in a temporary directory
- Solara.exe (PID: 6728)
- Statistical.pif (PID: 7076)
Reads the computer name
- Solara.exe (PID: 6728)
- Statistical.pif (PID: 7076)
- RegAsm.exe (PID: 7156)
Checks supported languages
- Solara.exe (PID: 6728)
- RegAsm.exe (PID: 7156)
- Statistical.pif (PID: 7076)
Process checks computer location settings
- Solara.exe (PID: 6728)
Reads mouse settings
- Statistical.pif (PID: 7076)
Reads the machine GUID from the registry
- RegAsm.exe (PID: 7156)
Manual execution by a user
- RegAsm.exe (PID: 7156)
Creates files or folders in the user directory
- RegAsm.exe (PID: 7156)
Reads Environment values
- RegAsm.exe (PID: 7156)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
RedLine
(PID) Process(7156) RegAsm.exe
C2 (1)185.196.9.26:6302
Botnet@dxrkl0rd
Options
ErrorMessage
Keys
XorBepaint
TRiD
| .exe | | | Win64 Executable (generic) (76.4) |
|---|---|---|
| .exe | | | Win32 Executable (generic) (12.4) |
| .exe | | | Generic Win/DOS Executable (5.5) |
| .exe | | | DOS Executable Generic (5.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2012:02:24 19:20:04+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 10 |
| CodeSize: | 29696 |
| InitializedDataSize: | 489984 |
| UninitializedDataSize: | 16896 |
| EntryPoint: | 0x38af |
| OSVersion: | 5 |
| ImageVersion: | 6 |
| SubsystemVersion: | 5 |
| Subsystem: | Windows GUI |
Total processes
124
Monitored processes
13
Malicious processes
3
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 6728 | "C:\Users\admin\Desktop\Solara.exe" | C:\Users\admin\Desktop\Solara.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 6772 | "C:\Windows\System32\cmd.exe" /k move Sector Sector.cmd & Sector.cmd & exit | C:\Windows\SysWOW64\cmd.exe | Solara.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 9009 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6784 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6840 | tasklist | C:\Windows\SysWOW64\tasklist.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Lists the current running tasks Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6848 | findstr /I "wrsa.exe opssvc.exe" | C:\Windows\SysWOW64\findstr.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (QGREP) Utility Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6952 | tasklist | C:\Windows\SysWOW64\tasklist.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Lists the current running tasks Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6960 | findstr /I "avastui.exe avgui.exe ekrn.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" | C:\Windows\SysWOW64\findstr.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (QGREP) Utility Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7012 | cmd /c md 240488 | C:\Windows\SysWOW64\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7032 | findstr /V "DefiningUtilitySophisticatedPartition" Louis | C:\Windows\SysWOW64\findstr.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (QGREP) Utility Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7056 | cmd /c copy /b Author + Blvd + Principles + Des + Legendary + Occurrence 240488\F | C:\Windows\SysWOW64\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
4 249
Read events
4 230
Write events
13
Delete events
6
Modification events
| (PID) Process: | (6728) Solara.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (6728) Solara.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (6728) Solara.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (6728) Solara.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (7156) RegAsm.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | Owner |
Value: F41B0000D147A82D4BE5DA01 | |||
| (PID) Process: | (7156) RegAsm.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | SessionHash |
Value: 8CE0E04D293389516C770B14553E7461514F603DC917BBB4DAEE01199BD2BF47 | |||
| (PID) Process: | (7156) RegAsm.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | Sequence |
Value: 1 | |||
| (PID) Process: | (7156) RegAsm.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | RegFiles0000 |
Value: C:\Users\admin\AppData\Local\Google\Chrome\User Data\lockfile | |||
| (PID) Process: | (7156) RegAsm.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | RegFilesHash |
Value: FF22EF24EC17CCD2BC6F86BADF08E5E5771F8C0F8AB6B7C76F7DA25967188328 | |||
| (PID) Process: | (7156) RegAsm.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | RegFilesHash |
Value: ⋿⓯틌澼몆ࣟίྌ뚊잷絯妢ᡧ⢃ | |||
Executable files
2
Suspicious files
32
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6728 | Solara.exe | C:\Users\admin\AppData\Local\Temp\Pen | binary | |
MD5:3F370B903FB5CF7DEDC2FDD274BB443A | SHA256:24EE59DC4AFCDEF1546A8C1149FFAC9470C0257C9EC4B37E397FCF1742CE30A0 | |||
| 6728 | Solara.exe | C:\Users\admin\AppData\Local\Temp\Sector | text | |
MD5:EBD72DD73B8B2BDFDB42C9B126485F82 | SHA256:26CD65B6145E7ACA6E0D7E20EA73A6546D99705C2E26A506F26D2B1AD4823A3D | |||
| 6728 | Solara.exe | C:\Users\admin\AppData\Local\Temp\Aquatic | binary | |
MD5:9BDB4BDB710497DDF28C97EFA7C1B9B4 | SHA256:4582148400BBCEDA2EDE955687EF07D3753C8095A25A7B339556D250A5EF9ED7 | |||
| 6728 | Solara.exe | C:\Users\admin\AppData\Local\Temp\Pentium | binary | |
MD5:904434C8A49D5EA8433ED106444500B7 | SHA256:67FED69D699C7413E676D2C723A97F3F1F5CCD4909958B0FF99EDF66F100A93B | |||
| 6728 | Solara.exe | C:\Users\admin\AppData\Local\Temp\Principles | binary | |
MD5:C011C0CD74B074134E8AD50805D7871E | SHA256:25C693475D6D5A97F4892C79EFDC6428ED0DC5C869CCA55F5F90CB077F4CA2D3 | |||
| 6728 | Solara.exe | C:\Users\admin\AppData\Local\Temp\Ask | binary | |
MD5:50798CBCBDA0E7ED01A8CF9B0E8AF37A | SHA256:CD75F8FD52BA942212BF9DCEC1CF98019D6866AB7CAD420BCDCDFA3DE3B45D5D | |||
| 6728 | Solara.exe | C:\Users\admin\AppData\Local\Temp\Riding | binary | |
MD5:1D01C1F95FA0DB2F6D16C8ADA4E4FC22 | SHA256:29729EAED9895ADC76C35A78337C75A6C0BA440BCD4A9277737C88BAEA46B224 | |||
| 6728 | Solara.exe | C:\Users\admin\AppData\Local\Temp\Hydrogen | binary | |
MD5:513F1801C0B5455886191627BF6EFCB1 | SHA256:BD074649A4183530F8A983BB76E7E21266760EFC8416D97F4176FF9522F164D3 | |||
| 6728 | Solara.exe | C:\Users\admin\AppData\Local\Temp\Nearly | lgd | |
MD5:90490D4A9EDC29E26B0891A7AD0F532A | SHA256:FE297B02D7C4B80CA2FD401843E51B029DBC6F6EC69C7EF109E3B27FFE3F26DC | |||
| 6728 | Solara.exe | C:\Users\admin\AppData\Local\Temp\Blvd | binary | |
MD5:8195D63CD3FED768FF372461CC9DA1F3 | SHA256:9A1880C8EBA68ACFEE0FFEA6CCC55CBD5A13411821C77F81BA310F685607ECE0 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
15
DNS requests
5
Threats
9
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 239.255.255.250:1900 | — | — | — | whitelisted |
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
7156 | RegAsm.exe | 185.196.9.26:6302 | — | Simple Carrier LLC | US | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
yGAlQxOpGcFgBz.yGAlQxOpGcFgBz |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 32 |
— | — | A Network Trojan was detected | ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) |
— | — | Potentially Bad Traffic | ET INFO Microsoft net.tcp Connection Initialization Activity |
— | — | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity |
— | — | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC - Id1Response |
— | — | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity |
— | — | A Network Trojan was detected | ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) |
— | — | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity |
— | — | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity |