File name:	SorillusRAT.rar
Full analysis:	https://app.any.run/tasks/42101f99-7f66-4969-b3d6-b0e1d0ec5951
Verdict:	Malicious activity
Threats:	Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015. Malware Trends Tracker >>>
Analysis date:	July 28, 2024, 13:50:33
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	adwind evasion
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	6B59FC4285E7842E36F3EC5A72935B44
SHA1:	C1F3A89AC73F57C68C78BC9A1EC4C1FAC687B9AF
SHA256:	E7AAB6ECC96BE090AB8E04384E4685ED3E92466F5C776AA155A7FD5F05A098E6
SSDEEP:	786432:SgTpulP9RMRYuLx1EefJn/mhE9+5PCghok/uLyWE7yRtl:SgTpcP9R/sx15ea9+5PFekGLyWE7yRv

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)


(PID) Process:	(5448) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(5448) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(5448) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(5448) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\SorillusRAT.rar
(PID) Process:	(5448) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(5448) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(5448) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(5448) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(5448) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:	write	Name:	Placement
Value: 2C0000000200000003000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
(PID) Process:	(5448) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\General
Operation:	write	Name:	LastFolder
Value: C:\Users\admin\Desktop

PID	Process	Filename		Type
4364	WinRAR.exe	C:\Users\admin\Desktop\Sorillus\jre1.8.0_361\bin\api-ms-win-core-debug-l1-1-0.dll		executable
		MD5:B0E0678DDC403EFFC7CDC69AE6D641FB	SHA256:45E48320ABE6E3C6079F3F6B84636920A367989A88F9BA6847F88C210D972CF1
4364	WinRAR.exe	C:\Users\admin\Desktop\Sorillus\jre1.8.0_361\bin\api-ms-win-core-datetime-l1-1-0.dll		executable
		MD5:AC51E3459E8FCE2A646A6AD4A2E220B9	SHA256:77577F35D3A61217EA70F21398E178F8749455689DB52A2B35A85F9B54C79638
4364	WinRAR.exe	C:\Users\admin\Desktop\Sorillus\jre1.8.0_361\bin\api-ms-win-core-console-l1-2-0.dll		executable
		MD5:7676560D0E9BC1EE9502D2F920D2892F	SHA256:00942431C2D3193061C7F4DC340E8446BFDBF792A7489F60349299DFF689C2F9
4364	WinRAR.exe	C:\Users\admin\Desktop\Sorillus\jre1.8.0_361\bin\api-ms-win-core-libraryloader-l1-1-0.dll		executable
		MD5:D75144FCB3897425A855A270331E38C9	SHA256:08484ED55E43584068C337281E2C577CF984BB504871B3156DE11C7CC1EEC38F
4364	WinRAR.exe	C:\Users\admin\Desktop\Sorillus\jre1.8.0_361\bin\api-ms-win-core-localization-l1-2-0.dll		executable
		MD5:8ACB83D102DABD9A5017A94239A2B0C6	SHA256:059CB23FDCF4D80B92E3DA29E9EF4C322EDF6FBA9A1837978FD983E9BDFC7413
4364	WinRAR.exe	C:\Users\admin\Desktop\Sorillus\jre1.8.0_361\bin\api-ms-win-core-processenvironment-l1-1-0.dll		executable
		MD5:F43286B695326FC0C20704F0EEBFDEA6	SHA256:AA415DB99828F30A396CBD4E53C94096DB89756C88A19D8564F0EED0674ADD43
4364	WinRAR.exe	C:\Users\admin\Desktop\Sorillus\jre1.8.0_361\bin\api-ms-win-core-processthreads-l1-1-0.dll		executable
		MD5:E173F3AB46096482C4361378F6DCB261	SHA256:C9A686030E073975009F993485D362CC31C7F79B683DEF713E667D13E9605A14
4364	WinRAR.exe	C:\Users\admin\Desktop\Sorillus\jre1.8.0_361\bin\api-ms-win-core-processthreads-l1-1-1.dll		executable
		MD5:9C9B50B204FCB84265810EF1F3C5D70A	SHA256:25A99BDF8BF4D16077DC30DD9FFEF7BB5A2CEAF9AFCEE7CF52AD408355239D40
4364	WinRAR.exe	C:\Users\admin\Desktop\Sorillus\jre1.8.0_361\bin\api-ms-win-core-profile-l1-1-0.dll		executable
		MD5:0233F97324AAAA048F705D999244BC71	SHA256:42F4E84073CF876BBAB9DD42FD87124A4BA10BB0B59D2C3031CB2B2DA7140594
4364	WinRAR.exe	C:\Users\admin\Desktop\Sorillus\jre1.8.0_361\bin\api-ms-win-core-rtlsupport-l1-1-0.dll		executable
		MD5:E1BA66696901CF9B456559861F92786E	SHA256:02D987EBA4A65509A2DF8ED5DD0B1A0578966E624FCF5806614ECE88A817499F

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	95.100.146.32:443	https://www.bing.com/manifest/threshold.appcache	unknown	text	3.76 Kb	unknown
—	—	GET	200	95.100.146.17:443	https://www.bing.com/DSB/search?dsbmr=1&format=dsbjson&client=windowsminiserp&dsbschemaversion=1.1&dsbminiserp=1&q=q&pastMomentsInDays=6&cc=US&setlang=en-us&clientDateTime=7%2F28%2F2024%2C%201%3A54%3A43%20PM	unknown	text	147 Kb	unknown
—	—	GET	200	95.100.146.25:443	https://www.bing.com/dsb/scenario?name=TrendingSearchWithCache&cc=us&setlang=en-us	unknown	binary	626 b	unknown
—	—	POST	204	95.100.146.17:443	https://www.bing.com/threshold/xls.aspx	unknown	—	—	unknown
—	—	GET	200	95.100.146.10:443	https://th.bing.com/th?id=ODSWG.a63c4ede-672e-4b0b-b035-e0f9aa973fce&c=1&rs=1&p=0	unknown	—	—	unknown
—	—	GET	200	95.100.146.40:443	https://r.bing.com/rb/16/jnc,nj/8is6HLWQOmmjdhp0hh0w6MjZScI.js?bu=DygxcoQBiQGMAYEBe36_AcIBMbIBMcUB&or=w	unknown	s	21.4 Kb	unknown
—	—	GET	200	95.100.146.40:443	https://th.bing.com/th?id=ODSWG.ImagesIcon&w=16&h=16&c=1&rs=1&p=0	unknown	image	812 b	unknown
—	—	GET	200	95.100.146.19:443	https://www.bing.com/th?id=ODSWG.dca94339-a688-4380-8388-726b3d0cc5e6&pid=dsb	unknown	image	21.4 Kb	unknown
—	—	GET	200	95.100.146.17:443	https://th.bing.com/th?id=OPN.RTNews_Xi90gGfSvtR3KLjxn9Cb-g&w=140&h=96&c=1&rs=1&p=0	unknown	image	4.97 Kb	unknown
—	—	GET	200	95.100.146.25:443	https://www.bing.com/th?id=ODSWG.337890f2-f5b9-4e65-8611-af96ccc12251&pid=dsb	unknown	image	24.0 Kb	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	131.253.33.254:443	a-ring-fallback.msedge.net	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
—	—	95.100.146.17:443	www.bing.com	Akamai International B.V.	CZ	unknown
2988	slui.exe	40.91.76.224:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6012	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3952	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
—	—	40.91.76.224:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 20.73.194.208 51.104.136.2	whitelisted
t-ring-fdv2.msedge.net	13.107.237.254	unknown
a-ring-fallback.msedge.net	131.253.33.254	unknown
www.bing.com	95.100.146.17 95.100.146.40 95.100.146.19 95.100.146.25 95.100.146.10 95.100.146.32 95.100.146.11	whitelisted
google.com	142.250.186.174	whitelisted
self.events.data.microsoft.com	52.182.143.209	whitelisted
0.0.0.0	—	unknown
fp-afd-nocache-ccp.azureedge.net	13.107.246.60	whitelisted
th.bing.com	95.100.146.17 95.100.146.25 95.100.146.19 95.100.146.32 95.100.146.10 95.100.146.40	whitelisted
r.bing.com	95.100.146.19 95.100.146.25 95.100.146.32 95.100.146.10 95.100.146.40 95.100.146.17	whitelisted

PID	Process	Class	Message
4052	javaw.exe	Device Retrieving External IP Address Detected	ET INFO Observed External IP Lookup Domain (checkip .amazonaws .com) in TLS SNI
2284	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (checkip .amazonaws .com)

General Info

SorillusRAT.rar

6B59FC4285E7842E36F3EC5A72935B44

C1F3A89AC73F57C68C78BC9A1EC4C1FAC687B9AF

E7AAB6ECC96BE090AB8E04384E4685ED3E92466F5C776AA155A7FD5F05A098E6

786432:SgTpulP9RMRYuLx1EefJn/mhE9+5PCghok/uLyWE7yRtl:SgTpcP9R/sx15ea9+5PFekGLyWE7yRv

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

ADWIND has been detected

Changes the autorun value in the registry

SUSPICIOUS

Process drops legitimate windows executable

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Starts CMD.EXE for commands execution

Uses ATTRIB.EXE to modify file attributes

Uses REG/REGEDIT.EXE to modify registry

Checks for external IP

INFO

Manual execution by a user

Checks supported languages

Executable content was dropped or overwritten

Create files in a temporary directory

Creates files in the program directory

Reads the computer name

Reads the machine GUID from the registry

Creates files or folders in the user directory

Drops the executable file immediately after the start

Reads security settings of Internet Explorer

Reads Microsoft Office registry keys

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings