adwind | 862d9420d4773e4bf8f106e01398a351ff6837a2d02457b48120cd0bb631f162

Resubmissions

15-12-2024 09:11

241215-k53v7a1per 10

15-12-2024 09:04

241215-k1sjna1nek 10

Analysis

max time kernel
95s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-12-2024 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sorillus V6.2 updated.zip
Size

224.0MB
MD5

93c78d45339f83c36c9da8e79d3f1665
SHA1

507de0bdffff3a316e0156fa14e514bf788da446
SHA256

862d9420d4773e4bf8f106e01398a351ff6837a2d02457b48120cd0bb631f162
SHA512

277fca01af54a970f043c1aeb7b10fd0c79aed776b14ac9a706b683372d9adf158cc45cdf1a5d3dfa8faaf5357dcf239e197db2564af460734414d39dbd2318f
SSDEEP

786432:KB7pso5UjVIrcv6c1BsaWWrXzdYCrYVcbGR53UMrwBSlomS5nr5v6sIcI47Tj+2M:KdAacvHBsaT3dp2x3UdiTx/Irg0cwfO/

Score

10^/10

adwind discovery persistence trojan

Malware Config

Signatures

AdWind
A Java-based RAT family operated as malware-as-a-service.
trojan adwind
Adwind family
adwind

Class file contains resources related to AdWind 2 IoCs

resource	yara_rule
sample	family_adwind4
sample	family_adwind4

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	start.exe

Executes dropped EXE 2 IoCs

pid	Process
4340	start.exe
3316	java.exe

Loads dropped DLL 64 IoCs

pid	Process
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe
3316	java.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1734254156305.tmp"	reg.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\desktop.ini	7zFM.exe
File opened for modification	C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\desktop.ini	7zFM.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
27	pastebin.com
26	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	start.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\tmp_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	start.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\.tmp\ = "tmp_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\tmp_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\tmp_auto_file\shell\open\command	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\tmp_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\tmp_auto_file\shell\edit\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\tmp_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\.tmp	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\tmp_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\tmp_auto_file\shell\edit	OpenWith.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3864	7zFM.exe
4080	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3864	7zFM.exe
Token: 35	3864	7zFM.exe
Token: SeSecurityPrivilege	3864	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3864	7zFM.exe
3864	7zFM.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
1144	javaw.exe
3316	java.exe
4080	OpenWith.exe
4080	OpenWith.exe
4080	OpenWith.exe
4080	OpenWith.exe
4080	OpenWith.exe
4080	OpenWith.exe
4080	OpenWith.exe
4080	OpenWith.exe
4080	OpenWith.exe
4080	OpenWith.exe
4080	OpenWith.exe
4080	OpenWith.exe
4080	OpenWith.exe
4080	OpenWith.exe
4080	OpenWith.exe
4080	OpenWith.exe
4080	OpenWith.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4340 wrote to memory of 4452	4340	start.exe	101
PID 4340 wrote to memory of 4452	4340	start.exe	101
PID 4340 wrote to memory of 4452	4340	start.exe	101
PID 4340 wrote to memory of 1144	4340	start.exe	103
PID 4340 wrote to memory of 1144	4340	start.exe	103
PID 4452 wrote to memory of 3316	4452	cmd.exe	104
PID 4452 wrote to memory of 3316	4452	cmd.exe	104
PID 1144 wrote to memory of 4904	1144	javaw.exe	105
PID 1144 wrote to memory of 4904	1144	javaw.exe	105
PID 1144 wrote to memory of 4752	1144	javaw.exe	107
PID 1144 wrote to memory of 4752	1144	javaw.exe	107
PID 4752 wrote to memory of 4164	4752	cmd.exe	109
PID 4752 wrote to memory of 4164	4752	cmd.exe	109
PID 4080 wrote to memory of 872	4080	OpenWith.exe	121
PID 4080 wrote to memory of 872	4080	OpenWith.exe	121

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4904	attrib.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Sorillus V6.2 updated.zip"
1⤵
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3864

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3728

C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\start.exe
"C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\start.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\server.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4452
- - C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\jre1.8.0_361\bin\java.exe
    jre1.8.0_361\bin\java.exe -jar -noverify Sorillus.jar
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3316
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\tools.jar"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Windows\SYSTEM32\attrib.exe
    attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1734254156305.tmp
    3⤵
    - Views/modifies file attributes
    PID:4904
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1734254156305.tmp" /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4752
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1734254156305.tmp" /f
      4⤵
      Adds Run key to start application
      PID:4164

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:4392

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Sorillus\.tmp\server.css1912718808301120477.tmp
  2⤵
  PID:872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\Sorillus.jar

Filesize
10.1MB

MD5
f9119b4bbb55ce59f43113c71cd177f8

SHA1
1605b453fa74091f92f51691a3dd378c1b67f3fa

SHA256
3eb57cd3c204ba1741e4500ef2566f524b10f4da23b3831f0855abcea0987649

SHA512
b166ce950e2c2bd2f23fe9063656ffd31da66dbd699419a71479d52654bf4113bddd8f51392577470a6f1342cc7546f5474d0765a209ff3b01ae65074d04a650

Download Submit
C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\jre1.8.0_361\bin\api-ms-win-core-console-l1-1-0.dll

Filesize
11KB

MD5
919e653868a3d9f0c9865941573025df

SHA1
eff2d4ff97e2b8d7ed0e456cb53b74199118a2e2

SHA256
2afbfa1d77969d0f4cee4547870355498d5c1da81d241e09556d0bd1d6230f8c

SHA512
6aec9d7767eb82ebc893ebd97d499debff8da130817b6bb4bcb5eb5de1b074898f87db4f6c48b50052d4f8a027b3a707cad9d7ed5837a6dd9b53642b8a168932

Download Submit
C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\jre1.8.0_361\bin\api-ms-win-core-console-l1-2-0.dll

Filesize
11KB

MD5
7676560d0e9bc1ee9502d2f920d2892f

SHA1
4a7a7a99900e41ff8a359ca85949acd828ddb068

SHA256
00942431c2d3193061c7f4dc340e8446bfdbf792a7489f60349299dff689c2f9

SHA512
f1e8db9ad44cd1aa991b9ed0e000c58978eb60b3b7d9908b6eb78e8146e9e12590b0014fc4a97bc490ffe378c0bf59a6e02109bfd8a01c3b6d0d653a5b612d15

Download Submit
C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\jre1.8.0_361\bin\api-ms-win-core-datetime-l1-1-0.dll

Filesize
11KB

MD5
ac51e3459e8fce2a646a6ad4a2e220b9

SHA1
60cf810b7ad8f460d0b8783ce5e5bbcd61c82f1a

SHA256
77577f35d3a61217ea70f21398e178f8749455689db52a2b35a85f9b54c79638

SHA512
6239240d4f4fa64fc771370fb25a16269f91a59a81a99a6a021b8f57ca93d6bb3b3fcecc8dede0ef7914652a2c85d84d774f13a4143536a3f986487a776a2eae

Download Submit
C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\jre1.8.0_361\bin\api-ms-win-core-debug-l1-1-0.dll

Filesize
11KB

MD5
b0e0678ddc403effc7cdc69ae6d641fb

SHA1
c1a4ce4ded47740d3518cd1ff9e9ce277d959335

SHA256
45e48320abe6e3c6079f3f6b84636920a367989a88f9ba6847f88c210d972cf1

SHA512
2badf761a0614d09a60d0abb6289ebcbfa3bf69425640eb8494571afd569c8695ae20130aac0e1025e8739d76a9bff2efc9b4358b49efe162b2773be9c3e2ad4

Download Submit
C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\jre1.8.0_361\bin\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
11KB

MD5
94788729c9e7b9c888f4e323a27ab548

SHA1
b0ba0c4cf1d8b2b94532aa1880310f28e87756ec

SHA256
accdd7455fb6d02fe298b987ad412e00d0b8e6f5fb10b52826367e7358ae1187

SHA512
ab65495b1d0dd261f2669e04dc18a8da8f837b9ac622fc69fde271ff5e6aa958b1544edd8988f017d3dd83454756812c927a7702b1ed71247e506530a11f21c6

Download Submit
C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\jre1.8.0_361\bin\api-ms-win-core-file-l1-1-0.dll

Filesize
14KB

MD5
580d9ea2308fc2d2d2054a79ea63227c

SHA1
04b3f21cbba6d59a61cd839ae3192ea111856f65

SHA256
7cb0396229c3da434482a5ef929d3a2c392791712242c9693f06baa78948ef66

SHA512
97c1d3f4f9add03f21c6b3517e1d88d1bf9a8733d7bdca1aecba9e238d58ff35780c4d865461cc7cd29e9480b3b3b60864abb664dcdc6f691383d0b281c33369

Download Submit
C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\jre1.8.0_361\bin\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
35bc1f1c6fbccec7eb8819178ef67664

SHA1
bbcad0148ff008e984a75937aaddf1ef6fda5e0c

SHA256
7a3c5167731238cf262f749aa46ab3bfb2ae1b22191b76e28e1d7499d28c24b7

SHA512
9ab9b5b12215e57af5b3c588ed5003d978071dc591ed18c78c4563381a132edb7b2c508a8b75b4f1ed8823118d23c88eda453cd4b42b9020463416f8f6832a3d

Download Submit
C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\jre1.8.0_361\bin\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
3bf4406de02aa148f460e5d709f4f67d

SHA1
89b28107c39bb216da00507ffd8adb7838d883f6

SHA256
349a79fa1572e3538dfbb942610d8c47d03e8a41b98897bc02ec7e897d05237e

SHA512
5ff6e8ad602d9e31ac88e06a6fbb54303c57d011c388f46d957aee8cd3b7d7cced8b6bfa821ff347ade62f7359acb1fba9ee181527f349c03d295bdb74efbace

Download Submit
C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\jre1.8.0_361\bin\api-ms-win-core-handle-l1-1-0.dll

Filesize
11KB

MD5
bbafa10627af6dfae5ed6e4aeae57b2a

SHA1
3094832b393416f212db9107add80a6e93a37947

SHA256
c78a1217f8dcb157d1a66b80348da48ebdbbedcea1d487fc393191c05aad476d

SHA512
d5fcba2314ffe7ff6e8b350d65a2cdd99ca95ea36b71b861733bc1ed6b6bb4d85d4b1c4c4de2769fbf90d4100b343c250347d9ed1425f4a6c3fe6a20aed01f17

Download Submit
C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\jre1.8.0_361\bin\api-ms-win-core-heap-l1-1-0.dll

Filesize
11KB

MD5
3a4b6b36470bad66621542f6d0d153ab

SHA1
5005454ba8e13bac64189c7a8416ecc1e3834dc6

SHA256
2e981ee04f35c0e0b7c58282b70dcc9fc0318f20f900607dae7a0d40b36e80af

SHA512
84b00167abe67f6b58341045012723ef4839c1dfc0d8f7242370c4ad9fabbe4feefe73f9c6f7953eae30422e0e743dc62503a0e8f7449e11c5820f2dfca89294

Download Submit
C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\jre1.8.0_361\bin\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
11KB

MD5
a038716d7bbd490378b26642c0c18e94

SHA1
29cd67219b65339b637a1716a78221915ceb4370

SHA256
b02324c49dd039fa889b4647331aa9ac65e5adc0cc06b26f9f086e2654ff9f08

SHA512
43cb12d715dda4dcdb131d99127417a71a16e4491bc2d5723f63a1c6dfabe578553bc9dc8cf8effae4a6be3e65422ec82079396e9a4d766bf91681bdbd7837b1

Download Submit
C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\jre1.8.0_361\bin\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
12KB

MD5
d75144fcb3897425a855a270331e38c9

SHA1
132c9ade61d574aa318e835eb78c4cccddefdea2

SHA256
08484ed55e43584068c337281e2c577cf984bb504871b3156de11c7cc1eec38f

SHA512
295a6699529d6b173f686c9bbb412f38d646c66aab329eac4c36713fdd32a3728b9c929f9dcadde562f625fb80bc79026a52772141ad2080a0c9797305adff2e

Download Submit
C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\jre1.8.0_361\bin\java.dll

Filesize
163KB

MD5
db081a9968bb0c37a57725cdb66a0c7b

SHA1
d5fed172d82111d1f3bcb46ab3bd8b412f3ee003

SHA256
5b9b01f1ec06ad559285201cf0907e1c31473f6fb91aa09813dd8f076f94afe3

SHA512
8a3717be2bdc1d2e628a069a61ac5b504467c52c7b52496c14050cd0fbc3e1023c791ca8b5c3270579e1cc725a8a0cff62c427dc1c25c2ec74725d1dacc621d5

Download Submit
C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\jre1.8.0_361\bin\java.exe

Filesize
273KB

MD5
47b34557cbf069e0ad9807305cb5c36a

SHA1
58abfbefc486427175b15e69e8e8f4e346318c34

SHA256
cabcfcf1aebf926bbe03b2aded9e7bbb57f4e10600578a6f2acafbf83b7423d4

SHA512
f9354ec19c3bad2a3a9e95211a306e54ebe559127d8ae660ce75c88839afd558821a0a858366db8820517cb12f7fe0056bb5c09199c1fe1a9083e299b02a148d

Download Submit
C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\jre1.8.0_361\bin\msvcp140.dll

Filesize
613KB

MD5
c1b066f9e3e2f3a6785161a8c7e0346a

SHA1
8b3b943e79c40bc81fdac1e038a276d034bbe812

SHA256
99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd

SHA512
36f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728

Download Submit
C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\jre1.8.0_361\bin\server\jvm.dll

Filesize
8.2MB

MD5
a5b5e313919826735b73731252a2bc2e

SHA1
090054f0aeeaaac570130ef5a03c26970cdb050c

SHA256
86765f3558ffbb2cf28fb683ee17c288967e636b5cb4fe0422ade39591f6abf4

SHA512
2e0199624f91f9c952ea4fb81a01096febe8dde6fba85f66e7978c98ba749da3cd53cb6d986260e357c19a1d3b5411d6716548ef57e31ec75d55f4d3a3420c3f

Download Submit
C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\jre1.8.0_361\bin\vcruntime140.dll

Filesize
83KB

MD5
1453290db80241683288f33e6dd5e80e

SHA1
29fb9af50458df43ef40bfc8f0f516d0c0a106fd

SHA256
2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c

SHA512
4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91

Download Submit
C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\jre1.8.0_361\bin\verify.dll

Filesize
54KB

MD5
c15088054d639475e51b88251369c226

SHA1
8849a9ee53e6bc7d1618103b674a6f481b72f3aa

SHA256
a7e7890ec2e238b3108fe2d9b4796898b2fff30ce07957f60689975d7460098c

SHA512
81ae70caf0304c63adadc3437e592ea9540db59ac7bd7417b769b5702a2aa012bec79aab8ce01187ebbd78555b7824fc4434a113dd9be5b667ce693b293122c4

Download Submit
C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\jre1.8.0_361\bin\zip.dll

Filesize
84KB

MD5
7c7a8adce66eeb67a96ca617c8286d72

SHA1
da1f100637f0b94aaea4e3999ef96a32a63bfc2b

SHA256
d15be64cc05ae14db69b5a3558cd57767eda91e708c74d3dccdc4958c42cb5d9

SHA512
00d3c1145b8c8ea246f456000c2fcfe1e978d148ad69ddabdf9e5f332db4e44025211916c6452b5030f8326d523d6e72de8aebd9e41d83afccb8713e88782f31

Download Submit
C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\jre1.8.0_361\lib\amd64\jvm.cfg

Filesize
634B

MD5
499f2a4e0a25a41c1ff80df2d073e4fd

SHA1
e2469cbe07e92d817637be4e889ebb74c3c46253

SHA256
80847ed146dbc5a9f604b07ec887737fc266699abba266177b553149487ce9eb

SHA512
7828f7b06d0f4309b9edd3aa71ae0bb7ee92d2f8df5642c13437bba2a3888e457dc9b24c16aa9e0f19231530cb44b8ccd955cbbdf5956ce8622cc208796b357d

Download Submit
C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\jre1.8.0_361\lib\charsets.jar

Filesize
2.9MB

MD5
82ade56ed7fa67287198802746ee6045

SHA1
2c5ad0a04bd0fae259cf29af346379284c684d42

SHA256
c89895405e63110d69bb37178f0650bf2a4a489ab9e98da613464c61c475b58c

SHA512
cd3c2180e185d1fce354ede366845668ab165ad0ebf7fd9cd9fbb3723ab64c3515c30e772e1577a747468e530d677c7955b41528d39e6d3c8c988b11604e470d

Download Submit
C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\jre1.8.0_361\lib\ext\jfxrt.jar

Filesize
17.4MB

MD5
671df034c39d335d5e9de4da7cf70e97

SHA1
184aa46308c1af192f119b6cae48c6a567175592

SHA256
0fb07fad0f05706dcdb487ef3fa8adfc97e1a47792ee9cb7af359c77a9393542

SHA512
7512b351ef1429bb722318c415cbcd5459dc86678b11634e3dd8e83394e59a48551a817842d73107546ffdfe05eb06f7ab4ce6a853ce266f3503885d4517a8ed

Download Submit
C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\jre1.8.0_361\lib\ext\meta-index

Filesize
1KB

MD5
005faac2118450bfcd46ae414da5f0e5

SHA1
9f5c887e0505e1bb06bd1fc7975a3219709d061d

SHA256
f0bce718f8d2b38247ce0ac814a1470c826602f4251d86369c2359ff60676bd8

SHA512
8b618c74b359ab3c9d3c8a4864f8e48fe4054514a396352a829a84c9b843a2028c6c31eb53e857e03c803294e05f69c5bf586e261312264e7607b2efd14f78a9

Download Submit
C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\jre1.8.0_361\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
1e9d8f133a442da6b0c74d49bc84a341

SHA1
259edc45b4569427e8319895a444f4295d54348f

SHA256
1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b

SHA512
63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

Download Submit
C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\jre1.8.0_361\lib\jce.jar

Filesize
119KB

MD5
1f4d4fc6b33c30c5782c66b80d92c4f9

SHA1
194df32fb23b470dae4929605d18abd041c743c6

SHA256
81b8de0e148ed3601cf5f1bdf2787c5b15213d842bc537af9ede9635d692b904

SHA512
dfde7e03fc106b785887f2a409b3528c5862663f188c95f6a95c739bdfcc8c6205c03b739de1b259e9a8a0360aa4e10e8d4bce1a57445797a214160b8d98a085

Download Submit
C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\jre1.8.0_361\lib\jfr.jar

Filesize
559KB

MD5
18c5aec1e008f781bf74707662920000

SHA1
c29c11cda5b867b68cba1fa7cb331d54a66b3f56

SHA256
e9eab8ec4712142a3ed9ac833d853e144043699c1712986736f3667a9267c11b

SHA512
9988b510d7e036ef41673edd8e38e2f72b695741da3ef63678b808b5e10a76951d016e27cdd23857de0ed0f3b44be8f7fb3a141021b543f104f2a214e53ca74d

Download Submit
C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\jre1.8.0_361\lib\jsse.jar

Filesize
1.7MB

MD5
f095a5ac04775e1093d54822460cc5a7

SHA1
2e0f0ec528c41b437126c506a91fe1ad5e699865

SHA256
784b8df88387ee27383d6db4e184b169a21cb4b8bcb0d8395a7b1ac2b128108a

SHA512
c0b5ca94ead3dffd33e19a2d757b2b653867b4f539a143ef17baeef1015c3845aba4f0666ef1d0c7ce02d156ce826b9c324c8159983a71d19d60415d60e25d36

Download Submit
C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\jre1.8.0_361\lib\meta-index

Filesize
2KB

MD5
91aa6ea7320140f30379f758d626e59d

SHA1
3be2febe28723b1033ccdaa110eaf59bbd6d1f96

SHA256
4af21954cdf398d1eae795b6886ca2581dac9f2f1d41c98c6ed9b5dbc3e3c1d4

SHA512
03428803f1d644d89eb4c0dcbdea93acaac366d35fc1356ccabf83473f4fef7924edb771e44c721103cec22d94a179f092d1bfd1c0a62130f076eb82a826d7cb

Download Submit
C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\jre1.8.0_361\lib\resources.jar

Filesize
3.4MB

MD5
0fdcdf2b521c8ffba3fcae32a684358e

SHA1
45a3ae43334b1a0f46d76599d3926c40fa790965

SHA256
2189d10490922562be379da742eedc5e77cac61a6d2a484a3ed4693965dfe290

SHA512
1a1489faa7903bc24d4cc3fbd0ee80e79602a39ea9530f10075a52460e6100c807dbafb17e4b1a7997c23cbe3906808291be7718e6525a79a295e1ddc8ed9eda

Download Submit
C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\server.bat

Filesize
176B

MD5
e1988798b3866111515f5ccf9bddccd6

SHA1
bb841813e3041ae5abab0f0415d0635d3a848268

SHA256
a3b49c8c19033e2062cbb208c299b763991a4c231e2d6311a3fc817d68f953e7

SHA512
2393f70b9d749e6183431ed1add8fb979c076c9951c14b274708b25cba169c14f4d4db67bc0ce83808c826d4fa694ed7feebe82ecb4f74a6d4fb136f01916065

Download Submit
C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\start.exe

Filesize
10.8MB

MD5
c93660311732e2492c3ad4dd9444af40

SHA1
fc0e8e5e51cfeb31b6da3d5e31f82b49846fbfdd

SHA256
980ab860755c17a6d4f9f6ec667d523973aa16ab1d463e390eb850ec1e14f462

SHA512
df86c89edbd4cf9ddfc32e02d99f341684f2187501055ee974eba210e919cc0cd9ae66b69582adb2435aa61fe8ccdb21f3f6bea76dc977e4215b40582976baa1

Download Submit
C:\Users\Admin\Desktop\Sorillus V6.2 updated\Sorillus Rat V6.2\tools.jar

Filesize
639KB

MD5
9f01e19c3e57aff4b1c9fe8b8e4aacb5

SHA1
75cd56641ee6e7dd1e4f38f6e6893fb4792377c6

SHA256
ce6854586e3238b35ca261f55f0846b1239ed7b99f0ae065dec19c2a64ba6b92

SHA512
ebc94e7f097c60f9bf1edabcab4bc14c73126c8a1f97dd3a02e7fdc10adf01f2fd39e8eb44d58fa6642b5db2b91f16cba3f584edaea85947d9c68adfd91119d9

Download Submit
C:\Users\Admin\Sorillus\.tmp\+JXF148806127780264201.tmp

Filesize
217KB

MD5
1bf71be111189e76987a4bb9b3115cb7

SHA1
40442c189568184b6e6c27a25d69f14d91b65039

SHA256
cf5f5184c1441a1660aa52526328e9d5c2793e77b6d8d3a3ad654bdb07ab8424

SHA512
cb18b69e98a194af5e3e3d982a75254f3a20bd94c68816a15f38870b9be616cef0c32033f253219cca9146b2b419dd6df28cc4ceeff80d01f400aa0ed101e061

Download Submit
C:\Users\Admin\Sorillus\.tmp\+JXF7331010291414984544.tmp

Filesize
52KB

MD5
de2d73ffb31b036a481049751970e2ca

SHA1
5c26b381aa54a3336729cbaf4281620e03c34873

SHA256
5afafd11dad40cc06023a6a5c1a6793b1cb55720314a18d4352879d6214b014e

SHA512
f19bda9d9f355dab1ae3846c5e3a6535e59c529d0efe6204dd54000f3e088cf94099a1ccab94c0fadf7631385b94ca8c667f76c0556066ea49f06b2ac1479adb

Download Submit
C:\Users\Admin\Sorillus\.tmp\+JXF8649811842461320077.tmp

Filesize
164KB

MD5
8a36205bd9b83e03af0591a004bc97f4

SHA1
56c5c0d38bde4c1f1549dda43db37b09c608aad3

SHA256
4e147ab64b9fdf6d89d01f6b8c3ca0b3cddc59d608a8e2218f9a2504b5c98e14

SHA512
e96b43b0ca3fd7775d75a702f44cd1b0dfd325e1db317f7cba84efdf572571fe7594068f9132a937251aab8bd1f68783213677d4953aca197195fbe5db1f90d7

Download Submit
memory/1144-973-0x0000023B10520000-0x0000023B10521000-memory.dmp

Filesize
4KB

Download
memory/1144-693-0x0000023B10520000-0x0000023B10521000-memory.dmp

Filesize
4KB

Download
memory/1144-598-0x0000023B10520000-0x0000023B10521000-memory.dmp

Filesize
4KB

Download
memory/1144-700-0x0000023B10520000-0x0000023B10521000-memory.dmp

Filesize
4KB

Download
memory/1144-719-0x0000023B10520000-0x0000023B10521000-memory.dmp

Filesize
4KB

Download
memory/1144-752-0x0000023B10520000-0x0000023B10521000-memory.dmp

Filesize
4KB

Download
memory/1144-962-0x0000023B10520000-0x0000023B10521000-memory.dmp

Filesize
4KB

Download
memory/1144-953-0x0000023B10520000-0x0000023B10521000-memory.dmp

Filesize
4KB

Download
memory/3316-699-0x000001453AA50000-0x000001453AA51000-memory.dmp

Filesize
4KB

Download
memory/3316-901-0x000001453AA50000-0x000001453AA51000-memory.dmp

Filesize
4KB

Download
memory/3316-807-0x000001453AA50000-0x000001453AA51000-memory.dmp

Filesize
4KB

Download
memory/3316-795-0x000001453AA50000-0x000001453AA51000-memory.dmp

Filesize
4KB

Download
memory/3316-681-0x000001453AA50000-0x000001453AA51000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads