download:	/bow16nelson/Solara-Executor-Roblox/releases/download/Enjoy!/RobloxInjector.zip
Full analysis:	https://app.any.run/tasks/9a2d490b-4952-4ace-a4ac-253ab4d06dd0
Verdict:	Malicious activity
Threats:	Meduza Stealer is an information-stealing malware primarily targeting Windows systems, designed to harvest sensitive data such as login credentials, browsing histories, cookies, cryptocurrency wallets, and password manager data. It has advanced anti-detection mechanisms, allowing it to evade many antivirus programs. The malware is distributed through various means, including phishing emails and malicious links. It’s marketed on underground forums and Telegram channels. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	November 30, 2024, 19:39:05
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-exec evasion meduza stealer exfiltration
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v1.0 to extract, compression method=store
MD5:	5A2CDBCC82C80A5181618C40844F0766
SHA1:	E8F8439D49EF5AF776271685191B665F20554A30
SHA256:	8FAD9CED8EEF4B980C51ECA9F5B2B1095B69DE9DFE204592CA99782102169C37
SSDEEP:	196608:NslLlXJl2geFA3NIg0gjWKQyLIwdk4wUfU0X+IJ28q2jK/NoEmy9p87B:WkgCgzKwiJUf9+mJqkSSy9O7B

ZipRequiredVersion:	10
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2024:11:30 22:28:28
ZipCRC:	0x0e373d89
ZipCompressedSize:	26843465
ZipUncompressedSize:	26843465
ZipFileName:	Solara.zip


(PID) Process:	(6812) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(6812) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(6812) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(6812) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\RobloxInjector.zip
(PID) Process:	(6812) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6812) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6812) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6812) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(7012) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(7012) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

PID	Process	Filename		Type
7156	WinRAR.exe	C:\Users\admin\Desktop\Solara\Solara.exe		—
		MD5:—	SHA256:—
6812	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6812.38887\Solara.zip		compressed
		MD5:389175BA8E4954158576889837EC7B39	SHA256:6604CA9D094C607A49D23F0B75A66BF6DFBEC4C1C82FA50B449326A4D0B9F953
7156	WinRAR.exe	C:\Users\admin\Desktop\Solara\bin\d3dcompiler_43.dll		executable
		MD5:1C9B45E87528B8BB8CFA884EA0099A85	SHA256:2F23182EC6F4889397AC4BF03D62536136C5BDBA825C7D2C4EF08C827F3A8A1C
6812	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DIa6812.37929\Solara.zip		compressed
		MD5:389175BA8E4954158576889837EC7B39	SHA256:6604CA9D094C607A49D23F0B75A66BF6DFBEC4C1C82FA50B449326A4D0B9F953
7156	WinRAR.exe	C:\Users\admin\Desktop\Solara\bin\libGLESv2.dll		executable
		MD5:DD3F55559CA3EB1A89E7D696C8C5DE53	SHA256:99F261FA5A69DD2B3BD6192AAF72A0D9F88D769A311FAC87963658A7573EC669
7156	WinRAR.exe	C:\Users\admin\Desktop\Solara\bin\libcrypto-1_1-x64.dll		executable
		MD5:3390D76A13973BD46B512BF257C171C8	SHA256:DEB034588EF43DB62809CC2C599374894BF7FEF5DF990DA6EAAA0674FBEC0301
7156	WinRAR.exe	C:\Users\admin\Desktop\Solara\libSceGpuAddress.dll		executable
		MD5:E1F0BBDB0DEB8DFE138A8DC92227E00F	SHA256:E99F1F208AFCB5186C9B27CEE362A6525CF2808F1905CB306302AB2D97817357
7156	WinRAR.exe	C:\Users\admin\Desktop\Solara\bin\reports\cs2.exe		executable
		MD5:6C4BEC50E1F595CAA7F308FBE1DE3C4A	SHA256:96FB21E9E74F9C1B1BAC42D0553EE9EBA93E55BB6FD32A18165DC4C3D75CCD24
7156	WinRAR.exe	C:\Users\admin\Desktop\Solara\bin\reports\csgo.signatures		text
		MD5:A6E1D199F3ABEF3582951A235F6B266C	SHA256:4C4FFB1A2002C05CD2CD85712C801F1A0C75A9E6B7F20CA021C7BF4FE252DD70
7156	WinRAR.exe	C:\Users\admin\Desktop\Solara\bin\reports\engine2.dll		executable
		MD5:002869AF9A2CACB11010BA04EBAD84F5	SHA256:A288AA28F68225C5AF0AEA2DBFCB9E13EEA04D41383D2EE7FDC06B9A0F8BB8F6

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6508	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
3620	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
3620	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6332	installer.exe	GET	200	142.250.186.35:80	http://c.pki.goog/r/gsr1.crl	unknown	—	—	whitelisted
6332	installer.exe	GET	200	142.250.186.35:80	http://c.pki.goog/r/r4.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
440	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	104.126.37.128:443	www.bing.com	Akamai International B.V.	DE	whitelisted
1176	svchost.exe	40.126.32.134:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 4.231.128.59 40.127.240.158	whitelisted
crl.microsoft.com	23.48.23.143 23.48.23.156	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
google.com	142.250.186.46	whitelisted
www.bing.com	104.126.37.128 104.126.37.123 104.126.37.176 104.126.37.130 104.126.37.185 104.126.37.136 104.126.37.154 104.126.37.129 104.126.37.163	whitelisted
login.live.com	40.126.32.134 40.126.32.76 20.190.160.20 20.190.160.17 40.126.32.136 40.126.32.72 40.126.32.140 40.126.32.138	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
go.microsoft.com	23.213.170.81 23.213.166.81	whitelisted
arc.msn.com	20.223.36.55	whitelisted
fd.api.iris.microsoft.com	20.223.36.55	whitelisted

PID	Process	Class	Message
6332	installer.exe	Misc activity	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
2192	svchost.exe	Misc activity	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
6332	installer.exe	A Network Trojan was detected	ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)
6332	installer.exe	A Network Trojan was detected	ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M1
6332	installer.exe	A Network Trojan was detected	ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M1
6332	installer.exe	Successful Credential Theft Detected	STEALER [ANY.RUN] Meduza Stealer
6332	installer.exe	Successful Credential Theft Detected	STEALER [ANY.RUN] Meduza Stealer
6332	installer.exe	Successful Credential Theft Detected	STEALER [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)
6332	installer.exe	A Network Trojan was detected	ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)
6332	installer.exe	Successful Credential Theft Detected	STEALER [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)

General Info

/bow16nelson/Solara-Executor-Roblox/releases/download/Enjoy!/RobloxInjector.zip

5A2CDBCC82C80A5181618C40844F0766

E8F8439D49EF5AF776271685191B665F20554A30

8FAD9CED8EEF4B980C51ECA9F5B2B1095B69DE9DFE204592CA99782102169C37

196608:NslLlXJl2geFA3NIg0gjWKQyLIwdk4wUfU0X+IJ28q2jK/NoEmy9p87B:WkgCgzKwiJUf9+mJqkSSy9O7B

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

Steals credentials from Web Browsers

MEDUZASTEALER has been detected (SURICATA)

SUSPICIOUS

Reads security settings of Internet Explorer

Process drops legitimate windows executable

Application launched itself

The process creates files with name similar to system file names

Executable content was dropped or overwritten

Reads the date of Windows installation

Checks Windows Trust Settings

Connects to unusual port

The process connected to a server suspected of theft

Searches for installed software

Checks for external IP

INFO

The process uses the downloaded file

Executable content was dropped or overwritten

Manual execution by a user

Disables trace logs

Checks supported languages

Create files in a temporary directory

Checks proxy server information

Reads Environment values

Reads the computer name

Reads the software policy settings

Process checks computer location settings

Reads product name

Reads the machine GUID from the registry

Reads the time zone

Creates files or folders in the user directory

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections