download:	/bow16nelson/Solara-Executor-Roblox/releases/download/Enjoy!/RobloxInjector.zip
Full analysis:	https://app.any.run/tasks/9a2d490b-4952-4ace-a4ac-253ab4d06dd0
Verdict:	Malicious activity
Threats:	Meduza Stealer is an information-stealing malware primarily targeting Windows systems, designed to harvest sensitive data such as login credentials, browsing histories, cookies, cryptocurrency wallets, and password manager data. It has advanced anti-detection mechanisms, allowing it to evade many antivirus programs. The malware is distributed through various means, including phishing emails and malicious links. It’s marketed on underground forums and Telegram channels. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	November 30, 2024, 19:39:05
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-exec evasion meduza stealer exfiltration
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v1.0 to extract, compression method=store
MD5:	5A2CDBCC82C80A5181618C40844F0766
SHA1:	E8F8439D49EF5AF776271685191B665F20554A30
SHA256:	8FAD9CED8EEF4B980C51ECA9F5B2B1095B69DE9DFE204592CA99782102169C37
SSDEEP:	196608:NslLlXJl2geFA3NIg0gjWKQyLIwdk4wUfU0X+IJ28q2jK/NoEmy9p87B:WkgCgzKwiJUf9+mJqkSSy9O7B

ZipRequiredVersion:	10
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2024:11:30 22:28:28
ZipCRC:	0x0e373d89
ZipCompressedSize:	26843465
ZipUncompressedSize:	26843465
ZipFileName:	Solara.zip


(PID) Process:	(6812) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(6812) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(6812) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(6812) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\RobloxInjector.zip
(PID) Process:	(6812) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6812) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6812) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6812) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(7012) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(7012) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

PID	Process	Filename		Type
7156	WinRAR.exe	C:\Users\admin\Desktop\Solara\Solara.exe		—
		MD5:—	SHA256:—
7156	WinRAR.exe	C:\Users\admin\Desktop\Solara\bin\reports\filesystem_stdio.dll		executable
		MD5:35B2AD0E8F6F73AE8808B3B92D9E176E	SHA256:2D86739D202C4803559C19FC6F5F8B6B44A3DF5181A1075F994A4C1279C8D111
7156	WinRAR.exe	C:\Users\admin\Desktop\Solara\bin\reports\animationsystem.dll		executable
		MD5:0E1BF601BFFC4B5E4CDD6DEB75D59B83	SHA256:9697E7F265210559B0CB5AA023CD0B1CFBBB50CAD06D8C38905ABA012BCDB229
7156	WinRAR.exe	C:\Users\admin\Desktop\Solara\bin\reports\engine2.dll		executable
		MD5:002869AF9A2CACB11010BA04EBAD84F5	SHA256:A288AA28F68225C5AF0AEA2DBFCB9E13EEA04D41383D2EE7FDC06B9A0F8BB8F6
6812	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6812.38887\Solara.zip		compressed
		MD5:389175BA8E4954158576889837EC7B39	SHA256:6604CA9D094C607A49D23F0B75A66BF6DFBEC4C1C82FA50B449326A4D0B9F953
7156	WinRAR.exe	C:\Users\admin\Desktop\Solara\bin\reports\csgo.signatures		text
		MD5:A6E1D199F3ABEF3582951A235F6B266C	SHA256:4C4FFB1A2002C05CD2CD85712C801F1A0C75A9E6B7F20CA021C7BF4FE252DD70
7156	WinRAR.exe	C:\Users\admin\Desktop\Solara\bin\reports\d3dcompiler_47.dll		executable
		MD5:222D020BD33C90170A8296ADC1B7036A	SHA256:4432BBD1A390874F3F0A503D45CC48D346ABC3A8C0213C289F4B615BF0EE84F3
7156	WinRAR.exe	C:\Users\admin\Desktop\Solara\bin\reports\cs2.exe		executable
		MD5:6C4BEC50E1F595CAA7F308FBE1DE3C4A	SHA256:96FB21E9E74F9C1B1BAC42D0553EE9EBA93E55BB6FD32A18165DC4C3D75CCD24
7156	WinRAR.exe	C:\Users\admin\Desktop\Solara\bin\reports\dbghelp.dll		executable
		MD5:A5E4B3FF51CF5B7926D9651908FEB666	SHA256:13F0C74845318B52B76E6000564B1A99C37DE48422B44AC74D034FA222C65A23
7156	WinRAR.exe	C:\Users\admin\Desktop\Solara\bin\reports\assetpreview.dll		executable
		MD5:92791E8FE8F475B0F10525A93AFDA182	SHA256:386B8145F1DB7797D659CDDDA75A4CAB8EBD930D2E9C9E83474B768AD5A87E2F

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6508	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
3620	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
3620	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6332	installer.exe	GET	200	142.250.186.35:80	http://c.pki.goog/r/r4.crl	unknown	—	—	whitelisted
6332	installer.exe	GET	200	142.250.186.35:80	http://c.pki.goog/r/gsr1.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
440	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	104.126.37.128:443	www.bing.com	Akamai International B.V.	DE	whitelisted
1176	svchost.exe	40.126.32.134:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 4.231.128.59 40.127.240.158	whitelisted
crl.microsoft.com	23.48.23.143 23.48.23.156	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
google.com	142.250.186.46	whitelisted
www.bing.com	104.126.37.128 104.126.37.123 104.126.37.176 104.126.37.130 104.126.37.185 104.126.37.136 104.126.37.154 104.126.37.129 104.126.37.163	whitelisted
login.live.com	40.126.32.134 40.126.32.76 20.190.160.20 20.190.160.17 40.126.32.136 40.126.32.72 40.126.32.140 40.126.32.138	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
go.microsoft.com	23.213.170.81 23.213.166.81	whitelisted
arc.msn.com	20.223.36.55	whitelisted
fd.api.iris.microsoft.com	20.223.36.55	whitelisted

PID	Process	Class	Message
6332	installer.exe	Misc activity	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
2192	svchost.exe	Misc activity	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
6332	installer.exe	A Network Trojan was detected	ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)
6332	installer.exe	A Network Trojan was detected	ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M1
6332	installer.exe	A Network Trojan was detected	ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M1
6332	installer.exe	Successful Credential Theft Detected	STEALER [ANY.RUN] Meduza Stealer
6332	installer.exe	Successful Credential Theft Detected	STEALER [ANY.RUN] Meduza Stealer
6332	installer.exe	Successful Credential Theft Detected	STEALER [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)
6332	installer.exe	A Network Trojan was detected	ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)
6332	installer.exe	Successful Credential Theft Detected	STEALER [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)

General Info

/bow16nelson/Solara-Executor-Roblox/releases/download/Enjoy!/RobloxInjector.zip

5A2CDBCC82C80A5181618C40844F0766

E8F8439D49EF5AF776271685191B665F20554A30

8FAD9CED8EEF4B980C51ECA9F5B2B1095B69DE9DFE204592CA99782102169C37

196608:NslLlXJl2geFA3NIg0gjWKQyLIwdk4wUfU0X+IJ28q2jK/NoEmy9p87B:WkgCgzKwiJUf9+mJqkSSy9O7B

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

Steals credentials from Web Browsers

MEDUZASTEALER has been detected (SURICATA)

SUSPICIOUS

Process drops legitimate windows executable

Reads security settings of Internet Explorer

Application launched itself

Checks Windows Trust Settings

Executable content was dropped or overwritten

Reads the date of Windows installation

Searches for installed software

Checks for external IP

Connects to unusual port

The process connected to a server suspected of theft

The process creates files with name similar to system file names

INFO

The process uses the downloaded file

Manual execution by a user

Reads the machine GUID from the registry

Reads the software policy settings

Create files in a temporary directory

Reads Environment values

Disables trace logs

Checks proxy server information

Process checks computer location settings

Reads the computer name

Reads product name

Checks supported languages

Creates files or folders in the user directory

Reads the time zone

Executable content was dropped or overwritten

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections