Overview

overview

10

Static

static

1

Sorillus Rat V6.1.zip

windows10-2004-x64

10

Analysis

  • max time kernel
    38s
  • max time network
    46s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-12-2024 16:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Sorillus Rat V6.1.zip

  • Size

    88.0MB

  • MD5

    bd9d764b4e67c5c13fe879377fd272c0

  • SHA1

    9d0da2d83e754157b05fb51b64918dbacc1a1661

  • SHA256

    6fa0a4a2b99f3fd92c3e635cf1fa1595d8544b1177962f80bfe21e82fa8fe122

  • SHA512

    eaa3b718e7a12cb1c857e79f5a3dc47912220586384d476475c929111dedc4d8282d29dbc028e7f07cffcd30b07237fd05da15b4c018efedf96ecd2abd8ada5e

  • SSDEEP

    1572864:hqwKPP5vg7vUgNt8Hwy2p7RgtXZwkE0bAPcXNB2WhxusDuXznEvaW6DGmHvAdyPE:DKPRgZt7y2UXycOcXNgA/aznStsGU4W0

Score
10/10
adwindredlinediscoveryinfostealertrojan

Malware Config

Signatures

  • AdWind

    A Java-based RAT family operated as malware-as-a-service.

    trojanadwind
  • Adwind family
    adwind
  • Class file contains resources related to AdWind 1 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Redline family
    redline
  • Executes dropped EXE 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Sorillus Rat V6.1.zip"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4812
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3384
    • C:\Users\Admin\Desktop\Sorillus Rat V6.1\start.exe
      "C:\Users\Admin\Desktop\Sorillus Rat V6.1\start.exe"
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1752
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4964
      • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
        java -jar Sorillus.jar
        2⤵
          PID:5088
        • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
          javaw -jar Sorillus.jar
          2⤵
            PID:2224

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\7zECC290C97\Sorillus Rat V6.1\jre1.8.0_361\lib\images\cursors\win32_LinkNoDrop32x32.gif
          Filesize

          153B

          MD5

          1e9d8f133a442da6b0c74d49bc84a341

          SHA1

          259edc45b4569427e8319895a444f4295d54348f

          SHA256

          1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b

          SHA512

          63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

          Download Submit

        • C:\Users\Admin\Desktop\Sorillus Rat V6.1\Sorillus.jar
          Filesize

          10.1MB

          MD5

          f9119b4bbb55ce59f43113c71cd177f8

          SHA1

          1605b453fa74091f92f51691a3dd378c1b67f3fa

          SHA256

          3eb57cd3c204ba1741e4500ef2566f524b10f4da23b3831f0855abcea0987649

          SHA512

          b166ce950e2c2bd2f23fe9063656ffd31da66dbd699419a71479d52654bf4113bddd8f51392577470a6f1342cc7546f5474d0765a209ff3b01ae65074d04a650

          Download Submit

        • C:\Users\Admin\Desktop\Sorillus Rat V6.1\start.exe
          Filesize

          506KB

          MD5

          e5fb57e8214483fd395bd431cb3d1c4b

          SHA1

          60e22fc9e0068c8156462f003760efdcac82766b

          SHA256

          e389fc5782f754918a10b020adcd8faa11c25658b8d6f8cbc49f9ac3a7637684

          SHA512

          dc2ed0421db7dd5a3afeacb6a9f5017c97fc07d0b2d1745b50ede50087a58245d31d6669077a672b32541dbfa233ef87260a37be48de3bd407d8c587fc903d89

          Download Submit

        • memory/1752-579-0x0000000005AD0000-0x0000000005B0C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/1752-574-0x0000000074D7E000-0x0000000074D7F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1752-577-0x0000000005A70000-0x0000000005A82000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1752-578-0x0000000005BA0000-0x0000000005CAA000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1752-575-0x0000000074D70000-0x0000000075520000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1752-580-0x0000000005B30000-0x0000000005B7C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/1752-581-0x0000000074D7E000-0x0000000074D7F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1752-576-0x0000000005FF0000-0x0000000006608000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/1752-593-0x0000000074D70000-0x0000000075520000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1752-570-0x0000000001450000-0x00000000014A6000-memory.dmp

          Filesize

          344KB

          Download

        • memory/2224-613-0x000001CCB63F0000-0x000001CCB63F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2224-617-0x000001CCB63F0000-0x000001CCB63F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/5088-600-0x0000027CDD390000-0x0000027CDD391000-memory.dmp

          Filesize

          4KB

          Download

        • memory/5088-595-0x0000027CDD390000-0x0000027CDD391000-memory.dmp

          Filesize

          4KB

          Download