download:	/bow16nelson/Solara-Executor-Roblox/releases/download/Enjoy!/RobloxInjector.zip
Full analysis:	https://app.any.run/tasks/9a2d490b-4952-4ace-a4ac-253ab4d06dd0
Verdict:	Malicious activity
Threats:	Meduza Stealer is an information-stealing malware primarily targeting Windows systems, designed to harvest sensitive data such as login credentials, browsing histories, cookies, cryptocurrency wallets, and password manager data. It has advanced anti-detection mechanisms, allowing it to evade many antivirus programs. The malware is distributed through various means, including phishing emails and malicious links. It’s marketed on underground forums and Telegram channels. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	November 30, 2024, 19:39:05
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-exec evasion meduza stealer exfiltration
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v1.0 to extract, compression method=store
MD5:	5A2CDBCC82C80A5181618C40844F0766
SHA1:	E8F8439D49EF5AF776271685191B665F20554A30
SHA256:	8FAD9CED8EEF4B980C51ECA9F5B2B1095B69DE9DFE204592CA99782102169C37
SSDEEP:	196608:NslLlXJl2geFA3NIg0gjWKQyLIwdk4wUfU0X+IJ28q2jK/NoEmy9p87B:WkgCgzKwiJUf9+mJqkSSy9O7B

ZipRequiredVersion:	10
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2024:11:30 22:28:28
ZipCRC:	0x0e373d89
ZipCompressedSize:	26843465
ZipUncompressedSize:	26843465
ZipFileName:	Solara.zip

PID	CMD	Path	Indicators	Parent process
520	"C:\Users\admin\Desktop\Solara\Solara.exe"	C:\Users\admin\Desktop\Solara\Solara.exe	—	explorer.exe
User: admin Integrity Level: MEDIUM Description: AdventureHub Exit code: 3221226540 Version: 3.2.1.0
2452	"C:\Users\admin\Desktop\Solara\Solara.exe"	C:\Users\admin\Desktop\Solara\Solara.exe		explorer.exe
User: admin Integrity Level: HIGH Description: AdventureHub Exit code: 0 Version: 3.2.1.0
4672	C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding	C:\Windows\System32\rundll32.exe	—	svchost.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800)
5432	"C:\Users\admin\Desktop\Solara\Solara.exe"	C:\Users\admin\Desktop\Solara\Solara.exe		explorer.exe
User: admin Integrity Level: HIGH Description: AdventureHub Exit code: 0 Version: 3.2.1.0
6256	"C:\Users\admin\Desktop\Solara\Solara.exe"	C:\Users\admin\Desktop\Solara\Solara.exe	—	explorer.exe
User: admin Integrity Level: MEDIUM Description: AdventureHub Exit code: 3221226540 Version: 3.2.1.0
6332	"C:\Users\admin\AppData\Local\Temp\installer.exe"	C:\Users\admin\AppData\Local\Temp\installer.exe		Solara.exe
User: admin Integrity Level: HIGH Exit code: 0
6812	"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\RobloxInjector.zip	C:\Program Files\WinRAR\WinRAR.exe	—	explorer.exe
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0
6936	"C:\Users\admin\Desktop\Solara\Solara.exe"	C:\Users\admin\Desktop\Solara\Solara.exe	—	explorer.exe
User: admin Integrity Level: MEDIUM Description: AdventureHub Exit code: 3221226540 Version: 3.2.1.0
7012	"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIa6812.37929\Solara.zip	C:\Program Files\WinRAR\WinRAR.exe	—	WinRAR.exe
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0
7120	"C:\Users\admin\Desktop\Solara\Solara.exe"	C:\Users\admin\Desktop\Solara\Solara.exe		explorer.exe
User: admin Integrity Level: HIGH Description: AdventureHub Exit code: 0 Version: 3.2.1.0

PID	Process	Filename		Type
7156	WinRAR.exe	C:\Users\admin\Desktop\Solara\Solara.exe		—
		MD5:—	SHA256:—
7156	WinRAR.exe	C:\Users\admin\Desktop\Solara\libSceGpuAddress.dll		executable
		MD5:E1F0BBDB0DEB8DFE138A8DC92227E00F	SHA256:E99F1F208AFCB5186C9B27CEE362A6525CF2808F1905CB306302AB2D97817357
7156	WinRAR.exe	C:\Users\admin\Desktop\Solara\bin\libcrypto-1_1-x64.dll		executable
		MD5:3390D76A13973BD46B512BF257C171C8	SHA256:DEB034588EF43DB62809CC2C599374894BF7FEF5DF990DA6EAAA0674FBEC0301
7156	WinRAR.exe	C:\Users\admin\Desktop\Solara\bin\natives_blob.bin		binary
		MD5:94855C31F6C24656A6D67CEAE0B04CCA	SHA256:20210A0E530832A0267D584015EECB331C2AC0D841FAF7B36FEB9D326C32C113
6812	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DIa6812.37929\Solara.zip		compressed
		MD5:389175BA8E4954158576889837EC7B39	SHA256:6604CA9D094C607A49D23F0B75A66BF6DFBEC4C1C82FA50B449326A4D0B9F953
6812	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6812.38887\Solara.zip		compressed
		MD5:389175BA8E4954158576889837EC7B39	SHA256:6604CA9D094C607A49D23F0B75A66BF6DFBEC4C1C82FA50B449326A4D0B9F953
7156	WinRAR.exe	C:\Users\admin\Desktop\Solara\bin\reports\assetpreview.dll		executable
		MD5:92791E8FE8F475B0F10525A93AFDA182	SHA256:386B8145F1DB7797D659CDDDA75A4CAB8EBD930D2E9C9E83474B768AD5A87E2F
7156	WinRAR.exe	C:\Users\admin\Desktop\Solara\bin\reports\ati_compress_wrapper.dll		executable
		MD5:6289CB9973840BDE3258392CC07B4420	SHA256:59B8E6AFA8BD163213B63BBC8B7AF18E495DDEBEE801EBDA39EF62FD559901C3
7156	WinRAR.exe	C:\Users\admin\Desktop\Solara\bin\reports\amd_ags_x64.dll		executable
		MD5:C69E3E05BF240D7762286833E39C9029	SHA256:2449E8339E0F031BC4F954398F5917B8EB5A2D20C32D4688A083D5DD9F637AB8
7156	WinRAR.exe	C:\Users\admin\Desktop\Solara\bin\reports\cs2.exe		executable
		MD5:6C4BEC50E1F595CAA7F308FBE1DE3C4A	SHA256:96FB21E9E74F9C1B1BAC42D0553EE9EBA93E55BB6FD32A18165DC4C3D75CCD24

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3620	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
6332	installer.exe	GET	200	142.250.186.35:80	http://c.pki.goog/r/gsr1.crl	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6508	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
6332	installer.exe	GET	200	142.250.186.35:80	http://c.pki.goog/r/r4.crl	unknown	—	—	whitelisted
3620	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
440	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	104.126.37.128:443	www.bing.com	Akamai International B.V.	DE	whitelisted
1176	svchost.exe	40.126.32.134:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 4.231.128.59 40.127.240.158	whitelisted
crl.microsoft.com	23.48.23.143 23.48.23.156	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
google.com	142.250.186.46	whitelisted
www.bing.com	104.126.37.128 104.126.37.123 104.126.37.176 104.126.37.130 104.126.37.185 104.126.37.136 104.126.37.154 104.126.37.129 104.126.37.163	whitelisted
login.live.com	40.126.32.134 40.126.32.76 20.190.160.20 20.190.160.17 40.126.32.136 40.126.32.72 40.126.32.140 40.126.32.138	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
go.microsoft.com	23.213.170.81 23.213.166.81	whitelisted
arc.msn.com	20.223.36.55	whitelisted
fd.api.iris.microsoft.com	20.223.36.55	whitelisted

PID	Process	Class	Message
6332	installer.exe	Misc activity	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
2192	svchost.exe	Misc activity	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
6332	installer.exe	A Network Trojan was detected	ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)
6332	installer.exe	A Network Trojan was detected	ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M1
6332	installer.exe	A Network Trojan was detected	ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M1
6332	installer.exe	Successful Credential Theft Detected	STEALER [ANY.RUN] Meduza Stealer
6332	installer.exe	Successful Credential Theft Detected	STEALER [ANY.RUN] Meduza Stealer
6332	installer.exe	Successful Credential Theft Detected	STEALER [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)
6332	installer.exe	A Network Trojan was detected	ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)
6332	installer.exe	Successful Credential Theft Detected	STEALER [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)

General Info

/bow16nelson/Solara-Executor-Roblox/releases/download/Enjoy!/RobloxInjector.zip

5A2CDBCC82C80A5181618C40844F0766

E8F8439D49EF5AF776271685191B665F20554A30

8FAD9CED8EEF4B980C51ECA9F5B2B1095B69DE9DFE204592CA99782102169C37

196608:NslLlXJl2geFA3NIg0gjWKQyLIwdk4wUfU0X+IJ28q2jK/NoEmy9p87B:WkgCgzKwiJUf9+mJqkSSy9O7B

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Steals credentials from Web Browsers

MEDUZASTEALER has been detected (SURICATA)

Actions looks like stealing of personal data

SUSPICIOUS

Application launched itself

Process drops legitimate windows executable

Reads security settings of Internet Explorer

Checks Windows Trust Settings

Executable content was dropped or overwritten

Reads the date of Windows installation

Searches for installed software

The process connected to a server suspected of theft

Checks for external IP

Connects to unusual port

The process creates files with name similar to system file names

INFO

The process uses the downloaded file

Manual execution by a user

Checks supported languages

Checks proxy server information

Reads the machine GUID from the registry

Disables trace logs

Create files in a temporary directory

Reads the computer name

Process checks computer location settings

Reads Environment values

Reads product name

Reads the software policy settings

Creates files or folders in the user directory

Reads the time zone

Executable content was dropped or overwritten

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings