Malware analysis SolaraV3.exe Malicious activity | ANY.RUN - Malware Sandbox Online (2025)

File name: SolaraV3.exe

Full analysis: https://app.any.run/tasks/7d77fbcb-0c7a-4d3e-9571-d78ac0fceba6
Verdict: Malicious activity
Threats:

MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations.


Analysis date: December 26, 2024, 19:02:57
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: stealer, redline, metastealer

Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 8 sections
MD5: 1EDCBD8592A179A3A0356001E379F5F4
SHA1: 69B4744A1388E56094F54C3DFF1D94B6CC70F64F
SHA256:
SSDEEP: 98304:GRxzswM2NXvVz2VkgITRj1flvuT094SsIGaY3o9ebveXyND8b:Q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6496)
    • Connects to the CnC server

      • iп.exe (PID: 3688)
    • REDLINE has been detected (SURICATA)

      • iп.exe (PID: 3688)
    • METASTEALER has been detected (SURICATA)

      • iп.exe (PID: 3688)
    • Steals credentials from Web Browsers

      • iп.exe (PID: 3688)
    • Actions looks like stealing of personal data

      • iп.exe (PID: 3688)
  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • SolaraV3.exe (PID: 6332)
    • BASE64 encoded PowerShell command has been detected

      • SolaraV3.exe (PID: 6332)
    • Executable content was dropped or overwritten

      • SolaraV3.exe (PID: 6332)
    • Base64-obfuscated command line is found

      • SolaraV3.exe (PID: 6332)
    • Reads security settings of Internet Explorer

      • SolaraV3.exe (PID: 6332)
    • Reads the date of Windows installation

      • SolaraV3.exe (PID: 6332)
    • Connects to unusual port

      • iп.exe (PID: 3688)
  • INFO

    • Checks supported languages

      • SolaraV3.exe (PID: 6332)
      • iп.exe (PID: 3688)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6496)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6496)
    • Creates files or folders in the user directory

      • SolaraV3.exe (PID: 6332)
    • Reads the computer name

      • SolaraV3.exe (PID: 6332)
      • iп.exe (PID: 3688)
    • Reads the machine GUID from the registry

      • iп.exe (PID: 3688)
    • The process uses the downloaded file

      • SolaraV3.exe (PID: 6332)
    • Process checks computer location settings

      • SolaraV3.exe (PID: 6332)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • iп.exe (PID: 3688)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report.

No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:11:28 16:44:06+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 1309696
InitializedDataSize: 1728512
UninitializedDataSize: 1218560
EntryPoint: 0x611a4
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: WinForm
FileDescription: WinForm
FileVersion: 1.0.0.0
InternalName: WinForm.dll
LegalCopyright:
OriginalFileName: WinForm.dll
ProductName: WinForm
ProductVersion: 1.0.0
AssemblyVersion: 1.0.0.0

No data.

All screenshots are available in the full report.

Total processes: 130
Monitored processes: 4
Malicious processes: 2
Suspicious processes:

Behavior graph

Process information

PID: 3688
CMD: "C:\Users\admin\AppData\Roaming\c0oegqoeja2frurm\iп.exe"
Path: C:\Users\admin\AppData\Roaming\c0oegqoeja2frurm\iп.exe
Parent process: SolaraV3.exe
User: admin
Integrity Level: MEDIUM
Description: XHP
Exit code:
Version: 12.9.1.22

Modules (Images):
c:\users\admin\appdata\roaming\c0oegqoeja2frurm\iп.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

PID: 6332
CMD: "C:\Users\admin\AppData\Local\Temp\SolaraV3.exe"
Path: C:\Users\admin\AppData\Local\Temp\SolaraV3.exe
Parent process: explorer.exe
User: admin
Company: WinForm
Integrity Level: MEDIUM
Description: WinForm
Exit code:
Version: 1.0.0.0

Modules (Images):
c:\users\admin\appdata\local\temp\solarav3.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

PID: 6496
CMD: "powershell.exe" -WindowStyle Hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAVQBzAGUAcgBzAFwAYQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABjADAAbwBlAGcAcQBvAGUAagBhADIAZgByAHUAcgBtACcA
Decoded -EncodedCommand (Base64 of UTF-16LE): Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Roaming\c0oegqoeja2frurm'
(The command adds a Microsoft Defender exclusion for the directory into which SolaraV3.exe drops iп.exe.)
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: SolaraV3.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)

Modules (Images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

PID: 6504
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code:
Version: 10.0.19041.1 (WinBuild.160101.0800)

Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Total events: 7495
Read events: 7495
Write events:
Delete events:
Modification events: No data

Executable files: 1
Suspicious files: 1
Text files: 2
Unknown types:

Dropped files

PID | Process | Filename | Type
6496 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_amnfl50k.djv.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6496 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vw5narry.lfj.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6496 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
  MD5: 5A894256FB098BCB68F8B68B714B5A24
  SHA256: 192D247F5B787BB1577A3A804647CEB23993A0F7412BC9D11FEE10F62D5281A4
6332 | SolaraV3.exe | C:\Users\admin\AppData\Roaming\c0oegqoeja2frurm\iп.exe | executable
  MD5: 1A255CE64AD74A033CCC7E57913EEABB
  SHA256: 1D4EF812CEC61FCF35DF4F278B947BC77D1A4257A1542869ACB355E0B5B4D31E

Download PCAP, analyze network streams, HTTP content and a lot more at the full report.

HTTP(S) requests: 9
TCP/UDP connections: 33
DNS requests: 16
Threats: 7

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
| | GET | 200 | 2.16.164.51:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
| | GET | 200 | 2.16.164.51:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
| | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | | | whitelisted
| | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
| | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
6412 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | | | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | | | whitelisted
4264 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | | | whitelisted
4264 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
| | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
| | 192.168.100.255:137 | | | | whitelisted
| | 2.16.164.51:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
| | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5064 | SearchApp.exe | 2.23.209.179:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
| | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1176 | svchost.exe | 40.126.32.136:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1076 | svchost.exe | 184.28.89.167:443 | go.microsoft.com | AKAMAI-AS | US | whitelisted
1176 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | unknown

DNS requests

Domain

IP

Reputation

settings-win.data.microsoft.com

  • 20.73.194.208
  • 51.124.78.146

whitelisted

crl.microsoft.com

  • 2.16.164.51
  • 2.16.164.120

whitelisted

google.com

  • 142.250.185.78

whitelisted

www.microsoft.com

  • 88.221.169.152
  • 184.30.21.171

whitelisted

www.bing.com

  • 2.23.209.179
  • 2.23.209.130
  • 2.23.209.189
  • 2.23.209.182
  • 2.23.209.176
  • 2.23.209.133
  • 2.23.209.185
  • 2.23.209.187
  • 2.23.209.177

whitelisted

ocsp.digicert.com

  • 192.229.221.95

whitelisted

login.live.com

  • 40.126.32.136
  • 20.190.160.14
  • 40.126.32.138
  • 40.126.32.133
  • 40.126.32.134
  • 40.126.32.76
  • 40.126.32.140
  • 40.126.32.74

whitelisted

go.microsoft.com

  • 184.28.89.167

whitelisted

arc.msn.com

  • 20.223.35.26

whitelisted

fd.api.iris.microsoft.com

  • 20.31.169.57

whitelisted

Threats

PID | Process | Class | Message
| | Potentially Bad Traffic | ET INFO Microsoft net.tcp Connection Initialization Activity
| | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity
| | A Network Trojan was detected | ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
| | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC - Id1Response
| | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity
| | A Network Trojan was detected | ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
| | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity

No debug info

Article information

Author: Dr. Pierre Goyette

Last Updated:
