File name:	SorillusRAT.rar
Full analysis:	https://app.any.run/tasks/42101f99-7f66-4969-b3d6-b0e1d0ec5951
Verdict:	Malicious activity
Threats:	Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015. Malware Trends Tracker >>>
Analysis date:	July 28, 2024, 13:50:33
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	adwind evasion
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	6B59FC4285E7842E36F3EC5A72935B44
SHA1:	C1F3A89AC73F57C68C78BC9A1EC4C1FAC687B9AF
SHA256:	E7AAB6ECC96BE090AB8E04384E4685ED3E92466F5C776AA155A7FD5F05A098E6
SSDEEP:	786432:SgTpulP9RMRYuLx1EefJn/mhE9+5PCghok/uLyWE7yRtl:SgTpcP9R/sx15ea9+5PFekGLyWE7yRv

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)


(PID) Process:	(5448) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(5448) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(5448) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(5448) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\SorillusRAT.rar
(PID) Process:	(5448) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(5448) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(5448) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(5448) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(5448) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:	write	Name:	Placement
Value: 2C0000000200000003000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
(PID) Process:	(5448) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\General
Operation:	write	Name:	LastFolder
Value: C:\Users\admin\Desktop

PID	Process	Filename		Type
4364	WinRAR.exe	C:\Users\admin\Desktop\Sorillus\jre1.8.0_361\bin\api-ms-win-core-console-l1-2-0.dll		executable
		MD5:7676560D0E9BC1EE9502D2F920D2892F	SHA256:00942431C2D3193061C7F4DC340E8446BFDBF792A7489F60349299DFF689C2F9
4364	WinRAR.exe	C:\Users\admin\Desktop\Sorillus\jre1.8.0_361\bin\api-ms-win-core-file-l2-1-0.dll		executable
		MD5:3BF4406DE02AA148F460E5D709F4F67D	SHA256:349A79FA1572E3538DFBB942610D8C47D03E8A41B98897BC02EC7E897D05237E
4364	WinRAR.exe	C:\Users\admin\Desktop\Sorillus\jre1.8.0_361\bin\api-ms-win-core-file-l1-1-0.dll		executable
		MD5:580D9EA2308FC2D2D2054A79EA63227C	SHA256:7CB0396229C3DA434482A5EF929D3A2C392791712242C9693F06BAA78948EF66
4364	WinRAR.exe	C:\Users\admin\Desktop\Sorillus\jre1.8.0_361\bin\api-ms-win-core-interlocked-l1-1-0.dll		executable
		MD5:A038716D7BBD490378B26642C0C18E94	SHA256:B02324C49DD039FA889B4647331AA9AC65E5ADC0CC06B26F9F086E2654FF9F08
4364	WinRAR.exe	C:\Users\admin\Desktop\Sorillus\jre1.8.0_361\bin\api-ms-win-core-localization-l1-2-0.dll		executable
		MD5:8ACB83D102DABD9A5017A94239A2B0C6	SHA256:059CB23FDCF4D80B92E3DA29E9EF4C322EDF6FBA9A1837978FD983E9BDFC7413
4364	WinRAR.exe	C:\Users\admin\Desktop\Sorillus\jre1.8.0_361\bin\api-ms-win-core-datetime-l1-1-0.dll		executable
		MD5:AC51E3459E8FCE2A646A6AD4A2E220B9	SHA256:77577F35D3A61217EA70F21398E178F8749455689DB52A2B35A85F9B54C79638
4364	WinRAR.exe	C:\Users\admin\Desktop\Sorillus\jre1.8.0_361\bin\api-ms-win-core-handle-l1-1-0.dll		executable
		MD5:BBAFA10627AF6DFAE5ED6E4AEAE57B2A	SHA256:C78A1217F8DCB157D1A66B80348DA48EBDBBEDCEA1D487FC393191C05AAD476D
4364	WinRAR.exe	C:\Users\admin\Desktop\Sorillus\jre1.8.0_361\bin\api-ms-win-core-libraryloader-l1-1-0.dll		executable
		MD5:D75144FCB3897425A855A270331E38C9	SHA256:08484ED55E43584068C337281E2C577CF984BB504871B3156DE11C7CC1EEC38F
4364	WinRAR.exe	C:\Users\admin\Desktop\Sorillus\jre1.8.0_361\bin\api-ms-win-core-processthreads-l1-1-1.dll		executable
		MD5:9C9B50B204FCB84265810EF1F3C5D70A	SHA256:25A99BDF8BF4D16077DC30DD9FFEF7BB5A2CEAF9AFCEE7CF52AD408355239D40
4364	WinRAR.exe	C:\Users\admin\Desktop\Sorillus\jre1.8.0_361\bin\api-ms-win-core-processenvironment-l1-1-0.dll		executable
		MD5:F43286B695326FC0C20704F0EEBFDEA6	SHA256:AA415DB99828F30A396CBD4E53C94096DB89756C88A19D8564F0EED0674ADD43

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	95.100.146.10:443	https://th.bing.com/th?id=ODSWG.a63c4ede-672e-4b0b-b035-e0f9aa973fce&c=1&rs=1&p=0	unknown	—	—	—
—	—	GET	200	95.100.146.17:443	https://www.bing.com/DSB/search?dsbmr=1&format=dsbjson&client=windowsminiserp&dsbschemaversion=1.1&dsbminiserp=1&q=q&pastMomentsInDays=6&cc=US&setlang=en-us&clientDateTime=7%2F28%2F2024%2C%201%3A54%3A43%20PM	unknown	text	147 Kb	—
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	—
—	—	GET	200	13.107.246.60:443	https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?5d4a2dcba33e699653c21a0699ed0e8d	unknown	image	43 b	—
—	—	GET	200	95.100.146.32:443	https://th.bing.com/th?id=OPN.RTNews_Hb3wXFH2bY7l-cfbm9OF8g&w=140&h=96&c=1&rs=1&p=0	unknown	image	3.31 Kb	—
—	—	POST	204	95.100.146.17:443	https://www.bing.com/threshold/xls.aspx	unknown	—	—	—
—	—	GET	200	95.100.146.19:443	https://www.bing.com/th?id=ODSWG.dca94339-a688-4380-8388-726b3d0cc5e6&pid=dsb	unknown	image	21.4 Kb	—
—	—	POST	200	52.182.143.209:443	https://self.events.data.microsoft.com/OneCollector/1.0/	unknown	binary	9 b	—
—	—	GET	200	95.100.146.10:443	https://th.bing.com/th?id=OPN.RTNews_-cPzCNaPObnwOltMQJOoTg&w=140&h=96&c=1&rs=1&p=0	unknown	image	3.63 Kb	—
—	—	GET	200	95.100.146.17:443	https://th.bing.com/th?id=OPN.RTNews_Xi90gGfSvtR3KLjxn9Cb-g&w=140&h=96&c=1&rs=1&p=0	unknown	image	4.97 Kb	—

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	131.253.33.254:443	a-ring-fallback.msedge.net	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
—	—	95.100.146.17:443	www.bing.com	Akamai International B.V.	CZ	unknown
2988	slui.exe	40.91.76.224:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6012	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3952	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
—	—	40.91.76.224:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 20.73.194.208 51.104.136.2	whitelisted
t-ring-fdv2.msedge.net	13.107.237.254	unknown
a-ring-fallback.msedge.net	131.253.33.254	unknown
www.bing.com	95.100.146.17 95.100.146.40 95.100.146.19 95.100.146.25 95.100.146.10 95.100.146.32 95.100.146.11	whitelisted
google.com	142.250.186.174	whitelisted
self.events.data.microsoft.com	52.182.143.209	whitelisted
0.0.0.0	—	unknown
fp-afd-nocache-ccp.azureedge.net	13.107.246.60	whitelisted
th.bing.com	95.100.146.17 95.100.146.25 95.100.146.19 95.100.146.32 95.100.146.10 95.100.146.40	whitelisted
r.bing.com	95.100.146.19 95.100.146.25 95.100.146.32 95.100.146.10 95.100.146.40 95.100.146.17	whitelisted

PID	Process	Class	Message
4052	javaw.exe	Device Retrieving External IP Address Detected	ET INFO Observed External IP Lookup Domain (checkip .amazonaws .com) in TLS SNI
2284	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (checkip .amazonaws .com)

General Info

SorillusRAT.rar

6B59FC4285E7842E36F3EC5A72935B44

C1F3A89AC73F57C68C78BC9A1EC4C1FAC687B9AF

E7AAB6ECC96BE090AB8E04384E4685ED3E92466F5C776AA155A7FD5F05A098E6

786432:SgTpulP9RMRYuLx1EefJn/mhE9+5PCghok/uLyWE7yRtl:SgTpcP9R/sx15ea9+5PFekGLyWE7yRv

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

ADWIND has been detected

Drops the executable file immediately after the start

Changes the autorun value in the registry

SUSPICIOUS

Process drops legitimate windows executable

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Uses ATTRIB.EXE to modify file attributes

Starts CMD.EXE for commands execution

Uses REG/REGEDIT.EXE to modify registry

Checks for external IP

INFO

Manual execution by a user

Checks supported languages

Reads the computer name

Executable content was dropped or overwritten

Creates files in the program directory

Creates files or folders in the user directory

Create files in a temporary directory

Reads the machine GUID from the registry

Reads security settings of Internet Explorer

Reads Microsoft Office registry keys

Drops the executable file immediately after the start

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings