download:	/bow16nelson/Solara-Executor-Roblox/releases/download/Enjoy!/RobloxInjector.zip
Full analysis:	https://app.any.run/tasks/9a2d490b-4952-4ace-a4ac-253ab4d06dd0
Verdict:	Malicious activity
Threats:	Meduza Stealer is an information-stealing malware primarily targeting Windows systems, designed to harvest sensitive data such as login credentials, browsing histories, cookies, cryptocurrency wallets, and password manager data. It has advanced anti-detection mechanisms, allowing it to evade many antivirus programs. The malware is distributed through various means, including phishing emails and malicious links. It’s marketed on underground forums and Telegram channels. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	November 30, 2024, 19:39:05
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-exec evasion meduza stealer exfiltration
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v1.0 to extract, compression method=store
MD5:	5A2CDBCC82C80A5181618C40844F0766
SHA1:	E8F8439D49EF5AF776271685191B665F20554A30
SHA256:	8FAD9CED8EEF4B980C51ECA9F5B2B1095B69DE9DFE204592CA99782102169C37
SSDEEP:	196608:NslLlXJl2geFA3NIg0gjWKQyLIwdk4wUfU0X+IJ28q2jK/NoEmy9p87B:WkgCgzKwiJUf9+mJqkSSy9O7B

ZipRequiredVersion:	10
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2024:11:30 22:28:28
ZipCRC:	0x0e373d89
ZipCompressedSize:	26843465
ZipUncompressedSize:	26843465
ZipFileName:	Solara.zip


(PID) Process:	(6812) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(6812) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(6812) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(6812) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\RobloxInjector.zip
(PID) Process:	(6812) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6812) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6812) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6812) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(7012) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(7012) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

PID	Process	Filename		Type
7156	WinRAR.exe	C:\Users\admin\Desktop\Solara\Solara.exe		—
		MD5:—	SHA256:—
6812	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6812.38887\Solara.zip		compressed
		MD5:389175BA8E4954158576889837EC7B39	SHA256:6604CA9D094C607A49D23F0B75A66BF6DFBEC4C1C82FA50B449326A4D0B9F953
6812	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DIa6812.37929\Solara.zip		compressed
		MD5:389175BA8E4954158576889837EC7B39	SHA256:6604CA9D094C607A49D23F0B75A66BF6DFBEC4C1C82FA50B449326A4D0B9F953
7156	WinRAR.exe	C:\Users\admin\Desktop\Solara\bin\d3dcompiler_43.dll		executable
		MD5:1C9B45E87528B8BB8CFA884EA0099A85	SHA256:2F23182EC6F4889397AC4BF03D62536136C5BDBA825C7D2C4EF08C827F3A8A1C
7156	WinRAR.exe	C:\Users\admin\Desktop\Solara\bin\libGLESv2.dll		executable
		MD5:DD3F55559CA3EB1A89E7D696C8C5DE53	SHA256:99F261FA5A69DD2B3BD6192AAF72A0D9F88D769A311FAC87963658A7573EC669
7156	WinRAR.exe	C:\Users\admin\Desktop\Solara\bin\libEGL.dll		executable
		MD5:50C717AB7624384B2B2D8A953263BEB2	SHA256:63580999B8210315B664E7742B6D4F59E587D20B4D0826072A5EF311C6F25B74
7156	WinRAR.exe	C:\Users\admin\Desktop\Solara\bin\libcrypto-1_1-x64.dll		executable
		MD5:3390D76A13973BD46B512BF257C171C8	SHA256:DEB034588EF43DB62809CC2C599374894BF7FEF5DF990DA6EAAA0674FBEC0301
7156	WinRAR.exe	C:\Users\admin\Desktop\Solara\bin\reports\foreign.signatures		text
		MD5:3E763A5B9164FA6B1764F86374171245	SHA256:21E11E00B7ED809BDF765AD1F334FD0BA3AB2DE94CCAAA358EFDC6D6FCC40AD4
7156	WinRAR.exe	C:\Users\admin\Desktop\Solara\bin\reports\assetpreview.dll		executable
		MD5:92791E8FE8F475B0F10525A93AFDA182	SHA256:386B8145F1DB7797D659CDDDA75A4CAB8EBD930D2E9C9E83474B768AD5A87E2F
7156	WinRAR.exe	C:\Users\admin\Desktop\Solara\bin\natives_blob.bin		binary
		MD5:94855C31F6C24656A6D67CEAE0B04CCA	SHA256:20210A0E530832A0267D584015EECB331C2AC0D841FAF7B36FEB9D326C32C113

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6508	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
3620	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
3620	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6332	installer.exe	GET	200	142.250.186.35:80	http://c.pki.goog/r/gsr1.crl	unknown	—	—	whitelisted
6332	installer.exe	GET	200	142.250.186.35:80	http://c.pki.goog/r/r4.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
440	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	104.126.37.128:443	www.bing.com	Akamai International B.V.	DE	whitelisted
1176	svchost.exe	40.126.32.134:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 4.231.128.59 40.127.240.158	whitelisted
crl.microsoft.com	23.48.23.143 23.48.23.156	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
google.com	142.250.186.46	whitelisted
www.bing.com	104.126.37.128 104.126.37.123 104.126.37.176 104.126.37.130 104.126.37.185 104.126.37.136 104.126.37.154 104.126.37.129 104.126.37.163	whitelisted
login.live.com	40.126.32.134 40.126.32.76 20.190.160.20 20.190.160.17 40.126.32.136 40.126.32.72 40.126.32.140 40.126.32.138	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
go.microsoft.com	23.213.170.81 23.213.166.81	whitelisted
arc.msn.com	20.223.36.55	whitelisted
fd.api.iris.microsoft.com	20.223.36.55	whitelisted

PID	Process	Class	Message
—	—	Misc activity	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
—	—	Misc activity	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
—	—	A Network Trojan was detected	ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)
—	—	A Network Trojan was detected	ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M1
—	—	A Network Trojan was detected	ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M1
—	—	Successful Credential Theft Detected	STEALER [ANY.RUN] Meduza Stealer
—	—	Successful Credential Theft Detected	STEALER [ANY.RUN] Meduza Stealer
—	—	Successful Credential Theft Detected	STEALER [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)
—	—	A Network Trojan was detected	ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)
—	—	Successful Credential Theft Detected	STEALER [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)

General Info

/bow16nelson/Solara-Executor-Roblox/releases/download/Enjoy!/RobloxInjector.zip

5A2CDBCC82C80A5181618C40844F0766

E8F8439D49EF5AF776271685191B665F20554A30

8FAD9CED8EEF4B980C51ECA9F5B2B1095B69DE9DFE204592CA99782102169C37

196608:NslLlXJl2geFA3NIg0gjWKQyLIwdk4wUfU0X+IJ28q2jK/NoEmy9p87B:WkgCgzKwiJUf9+mJqkSSy9O7B

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

Steals credentials from Web Browsers

MEDUZASTEALER has been detected (SURICATA)

SUSPICIOUS

Process drops legitimate windows executable

Application launched itself

The process creates files with name similar to system file names

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Reads the date of Windows installation

Checks Windows Trust Settings

Searches for installed software

Connects to unusual port

Checks for external IP

The process connected to a server suspected of theft

INFO

Executable content was dropped or overwritten

The process uses the downloaded file

Manual execution by a user

Checks supported languages

Create files in a temporary directory

Reads the computer name

Reads Environment values

Reads the software policy settings

Checks proxy server information

Reads product name

Process checks computer location settings

Disables trace logs

Reads the machine GUID from the registry

Creates files or folders in the user directory

Reads the time zone

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections