adwind | 6dfff4c60b32f6e841b1e7cf4ea99831820f4aa2dd81421d7257bdfedcd28365 | Triage

Submit
Reports

Overview

overview

Static

static

Sorillas.jar

windows11-21h2-x64

Sharing

General

Target

Sorillas.jar
Size

10.0MB
Sample

250204-n9xfraxleq
MD5

7e3c3eadd00b0903f1fcc806536cf406
SHA1

efe17275ac9ffc91fb1ce25f579fbfa1f8dc6095
SHA256

6dfff4c60b32f6e841b1e7cf4ea99831820f4aa2dd81421d7257bdfedcd28365
SHA512

9dcd295c96f6beab8fb5af447fa759bbf7ff1154f345affeff1b06e2f205e561cd6eb31db23f3656e751d0892c4b766112684068b43bb4e70a075c1a909a2abc
SSDEEP

196608:ulloD+JyfJIFFM0rT/mpDni/Mcd8qAbPeGmeIWvhAn9QrmE:uHoz0FM02JiEQ/kGdeIWJC9Qrx

Score

10^/10

adwind quasar defense_evasion discovery persistence privilege_escalation spyware trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

Sorillas.jar

Resource

win11-20241007-en

quasar defense_evasion discovery persistence privilege_escalation spyware trojan

windows11-21h2-x64

34 signatures

900 seconds

Malware Config

Targets

- Target
  
  Sorillas.jar
- Size
  
  10.0MB
- MD5
  
  7e3c3eadd00b0903f1fcc806536cf406
- SHA1
  
  efe17275ac9ffc91fb1ce25f579fbfa1f8dc6095
- SHA256
  
  6dfff4c60b32f6e841b1e7cf4ea99831820f4aa2dd81421d7257bdfedcd28365
- SHA512
  
  9dcd295c96f6beab8fb5af447fa759bbf7ff1154f345affeff1b06e2f205e561cd6eb31db23f3656e751d0892c4b766112684068b43bb4e70a075c1a909a2abc
- SSDEEP
  
  196608:ulloD+JyfJIFFM0rT/mpDni/Mcd8qAbPeGmeIWvhAn9QrmE:uHoz0FM02JiEQ/kGdeIWJC9Qrx
Score

10^/10

quasar defense_evasion discovery persistence privilege_escalation spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Downloads MZ/PE file
- Modifies Windows Firewall
  defense_evasion
- Drops startup file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Component Object Model Hijacking

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Component Object Model Hijacking

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Subvert Trust Controls

SIP and Trust Provider Hijacking

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

quasardefense_evasiondiscoverypersistenceprivilege_escalationspywaretrojan

© 2018-2025

Terms | Privacy