File name:	SorillusRAT_@ReverseEngineeringLab.rar
Full analysis:	https://app.any.run/tasks/8fa008a6-7ac8-404c-a242-9b8e5a4a921c
Verdict:	Malicious activity
Threats:	Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	November 26, 2024, 17:48:10
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-scr adwind java rat remote evasion arch-html
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	6B59FC4285E7842E36F3EC5A72935B44
SHA1:	C1F3A89AC73F57C68C78BC9A1EC4C1FAC687B9AF
SHA256:	E7AAB6ECC96BE090AB8E04384E4685ED3E92466F5C776AA155A7FD5F05A098E6
SSDEEP:	786432:SgTpulP9RMRYuLx1EefJn/mhE9+5PCghok/uLyWE7yRtl:SgTpcP9R/sx15ea9+5PFekGLyWE7yRv

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)

FileVersion:	RAR v5
CompressedSize:	6288
UncompressedSize:	12224
OperatingSystem:	Win32
ArchivedFileName:	Sorillus/jre1.8.0_361/bin/api-ms-win-core-console-l1-1-0.dll


(PID) Process:	(3988) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(3988) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(3988) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(3988) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\SorillusRAT_@ReverseEngineeringLab.rar
(PID) Process:	(3988) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(3988) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(3988) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(3988) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(3988) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:	write	Name:	ShowPassword
Value: 0
(PID) Process:	(3988) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:	write	Name:	Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000

PID	Process	Filename		Type
3988	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb3988.14833\Sorillus\jre1.8.0_361\bin\api-ms-win-core-handle-l1-1-0.dll		executable
		MD5:BBAFA10627AF6DFAE5ED6E4AEAE57B2A	SHA256:C78A1217F8DCB157D1A66B80348DA48EBDBBEDCEA1D487FC393191C05AAD476D
3988	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb3988.14833\Sorillus\jre1.8.0_361\bin\api-ms-win-core-heap-l1-1-0.dll		executable
		MD5:3A4B6B36470BAD66621542F6D0D153AB	SHA256:2E981EE04F35C0E0B7C58282B70DCC9FC0318F20F900607DAE7A0D40B36E80AF
3988	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb3988.14833\Sorillus\jre1.8.0_361\bin\api-ms-win-core-console-l1-2-0.dll		executable
		MD5:7676560D0E9BC1EE9502D2F920D2892F	SHA256:00942431C2D3193061C7F4DC340E8446BFDBF792A7489F60349299DFF689C2F9
3988	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb3988.14833\Sorillus\jre1.8.0_361\bin\api-ms-win-core-file-l1-2-0.dll		executable
		MD5:35BC1F1C6FBCCEC7EB8819178EF67664	SHA256:7A3C5167731238CF262F749AA46AB3BFB2AE1B22191B76E28E1D7499D28C24B7
3988	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb3988.14833\Sorillus\jre1.8.0_361\bin\api-ms-win-core-datetime-l1-1-0.dll		executable
		MD5:AC51E3459E8FCE2A646A6AD4A2E220B9	SHA256:77577F35D3A61217EA70F21398E178F8749455689DB52A2B35A85F9B54C79638
3988	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb3988.14833\Sorillus\jre1.8.0_361\bin\api-ms-win-core-errorhandling-l1-1-0.dll		executable
		MD5:94788729C9E7B9C888F4E323A27AB548	SHA256:ACCDD7455FB6D02FE298B987AD412E00D0B8E6F5FB10B52826367E7358AE1187
3988	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb3988.14833\Sorillus\jre1.8.0_361\bin\api-ms-win-core-debug-l1-1-0.dll		executable
		MD5:B0E0678DDC403EFFC7CDC69AE6D641FB	SHA256:45E48320ABE6E3C6079F3F6B84636920A367989A88F9BA6847F88C210D972CF1
3988	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb3988.14833\Sorillus\jre1.8.0_361\bin\api-ms-win-core-console-l1-1-0.dll		executable
		MD5:919E653868A3D9F0C9865941573025DF	SHA256:2AFBFA1D77969D0F4CEE4547870355498D5C1DA81D241E09556D0BD1D6230F8C
3988	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb3988.14833\Sorillus\jre1.8.0_361\bin\api-ms-win-core-file-l2-1-0.dll		executable
		MD5:3BF4406DE02AA148F460E5D709F4F67D	SHA256:349A79FA1572E3538DFBB942610D8C47D03E8A41B98897BC02EC7E897D05237E
3988	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb3988.14833\Sorillus\jre1.8.0_361\bin\api-ms-win-core-file-l1-1-0.dll		executable
		MD5:580D9EA2308FC2D2D2054A79EA63227C	SHA256:7CB0396229C3DA434482A5EF929D3A2C392791712242C9693F06BAA78948EF66

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	23.37.237.227:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	DE	binary	973 b	whitelisted
880	svchost.exe	GET	200	23.53.41.242:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	DE	binary	1.01 Kb	whitelisted
6284	SIHClient.exe	GET	200	23.37.237.227:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	DE	binary	408 b	whitelisted
880	svchost.exe	GET	200	23.37.237.227:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	DE	binary	973 b	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.53.41.242:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	DE	binary	1.01 Kb	whitelisted
6284	SIHClient.exe	GET	200	23.37.237.227:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	DE	binary	418 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5064	SearchApp.exe	2.16.204.135:443	www.bing.com	Akamai International B.V.	DE	whitelisted
880	svchost.exe	23.53.41.242:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	23.53.41.242:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
880	svchost.exe	23.37.237.227:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4712	MoUsoCoreWorker.exe	23.37.237.227:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5404	java.exe	52.18.175.46:443	checkip.amazonaws.com	AMAZON-02	IE	shared
5912	javaw.exe	95.223.77.143:4444	—	Vodafone GmbH	DE	malicious

Domain	IP	Reputation
www.bing.com	2.16.204.135 2.16.204.141 2.16.204.142 2.16.204.156 2.16.204.153 2.16.204.145 2.16.204.134 2.16.204.146 2.16.204.138	whitelisted
settings-win.data.microsoft.com	51.104.136.2	whitelisted
google.com	142.250.185.206	whitelisted
crl.microsoft.com	23.53.41.242 23.53.42.51 23.53.42.34	whitelisted
www.microsoft.com	23.37.237.227	whitelisted
checkip.amazonaws.com	52.18.175.46 54.73.109.50 54.74.44.6	shared
self.events.data.microsoft.com	104.208.16.88	whitelisted
slscr.update.microsoft.com	20.109.210.53	whitelisted
fe3cr.delivery.mp.microsoft.com	52.165.164.15	whitelisted

PID	Process	Class	Message
2192	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (checkip .amazonaws .com)
5404	java.exe	Device Retrieving External IP Address Detected	ET INFO Observed External IP Lookup Domain (checkip .amazonaws .com) in TLS SNI

General Info

SorillusRAT_@ReverseEngineeringLab.rar

6B59FC4285E7842E36F3EC5A72935B44

C1F3A89AC73F57C68C78BC9A1EC4C1FAC687B9AF

E7AAB6ECC96BE090AB8E04384E4685ED3E92466F5C776AA155A7FD5F05A098E6

786432:SgTpulP9RMRYuLx1EefJn/mhE9+5PCghok/uLyWE7yRtl:SgTpcP9R/sx15ea9+5PFekGLyWE7yRv

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

ADWIND has been detected

ADWIND has been detected (SURICATA)

Connects to the CnC server

SUSPICIOUS

Process drops legitimate windows executable

Starts CMD.EXE for commands execution

Executable content was dropped or overwritten

Uses ATTRIB.EXE to modify file attributes

Uses REG/REGEDIT.EXE to modify registry

Checks for external IP

Connects to unusual port

Identifying current user with WHOAMI command

Contacting a server suspected of hosting an CnC

INFO

Manual execution by a user

The process uses the downloaded file

Executable content was dropped or overwritten

Application based on Java

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings