MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e3815d3fa28d83e1499f53f457f63b7299bc62cac9b7bcc2431e1095bbf2a29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SorillusRAT

Vendor detections: 6



SHA256 hash: 4e3815d3fa28d83e1499f53f457f63b7299bc62cac9b7bcc2431e1095bbf2a29
SHA3-384 hash: f32dab549c2f9525ffb0729f9a57bf81d23c8010adfe5b95643d5b79aad1dda4cfadb97ecbb26ab49dac97ac491c7b10
SHA1 hash: a81c4e22b1889989543834b7a02b04fd10e0eff9
MD5 hash: e6ac57ddeaf99ed249d1ea1f68f64d71
humanhash: mars-oven-table-bravo
File name: SKM_000021672228910.jar
Signature: SorillusRAT
File size: 1'034'734 bytes
First seen: 2022-09-27 05:58:46 UTC
Last seen: Never
File type: Java file jar
MIME type: application/zip
ssdeep: 12288:s5psJpLFglmJrpd/4WWe0c7fLNuS9bWuY+Dkgl/vgapikKSXd3Eg9+CTMwObjG7w:YpsLLylsldwqpu8VDTzK2dUI+7wwGU
TLSH: T14F25F1A7EE9F096DF3A7283F0A8EDC12665C35493446C18EB517B542492880F67E2FCD
TrID: 72.9% (.JAR) Java Archive (13500/1/2)
      21.6% (.ZIP) ZIP compressed archive (4000/1)
      5.4% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: abuse_ch
Tags: jar SorillusRAT

Intelligence

File Origin
# of uploads: 1
# of downloads: 223
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: SKM_000021672228910.zip
Verdict: No threats detected
Analysis date: 2022-09-26 15:24:34 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Threat name: Sorillus RAT
Detection: malicious
Classification: troj.expl
Score: 84 / 100

Signature
Creates autostart registry keys to launch java
Exploit detected, runtime environment starts unknown processes
Java Jar creates autostart registry key (Windows persistence behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Yara detected Sorillus RAT

Behaviour
Behavior Graph:
[Behavior Graph ID: 710623; Sample: SKM_000021672228910.jar; Startdate: 27/09/2022; Architecture: WINDOWS; Score: 84. Contacted host shown in the graph: severdops.ddns.net (208.67.106.143). The graph image itself is not reproduced here.]
Threat name: ByteCode-JAVA.Trojan.AdWind
Status: Malicious
First seen: 2022-09-26 15:17:51 UTC
File Type: Binary (Archive)
Extracted files: 131
AV detection: 12 of 26 (46.15%)
Threat level: 5/5

Result
Malware family: n/a
Score: 4/10
Tags: n/a

Behaviour
Suspicious use of SetWindowsHookEx
Drops file in Program Files directory
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments