orcus | 3e4ef7b0224b4601e28838ec6319634315025d824c1404a2a9e114139dbdbe21

General

Target

cd42f90ac522a1bf3a23764c700bbfa4.exe
Size

903KB
MD5

cd42f90ac522a1bf3a23764c700bbfa4
SHA1

0caaca5d0f02fe988b7c6629271dfb325431b71c
SHA256

3e4ef7b0224b4601e28838ec6319634315025d824c1404a2a9e114139dbdbe21
SHA512

6a4155f288155cd9b2da52275e30dad56390b12060841eb20ad2a68b6ea8d426c699bb40bc4abc80c146ed46d2e9b000d9198a52c379e9b9ed32d73ed49401c5

Score

10^/10

orcus persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

185.163.47.163:10134

Mutex

4ad7857f77a347b49a5a7908a4f79070

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus Main Payload 2 IoCs

Processes:

resource	yara_rule
C:\Program Files\Orcus\Orcus.exe	family_orcus
C:\Program Files\Orcus\Orcus.exe	family_orcus

Orcurs Rat Executable 2 IoCs

Processes:

resource	yara_rule
C:\Program Files\Orcus\Orcus.exe	orcus
C:\Program Files\Orcus\Orcus.exe	orcus

Executes dropped EXE 1 IoCs

Processes:

Orcus.exe

pid process

524 Orcus.exe

pid	process
524	Orcus.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Orcus.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Orcus = "\"C:\\Program Files\\Orcus\\Orcus.exe\""	Orcus.exe

Drops file in Program Files directory 3 IoCs

Processes:

cd42f90ac522a1bf3a23764c700bbfa4.exe

description	ioc	process
File opened for modification	C:\Program Files\Orcus\Orcus.exe	cd42f90ac522a1bf3a23764c700bbfa4.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	cd42f90ac522a1bf3a23764c700bbfa4.exe
File created	C:\Program Files\Orcus\Orcus.exe	cd42f90ac522a1bf3a23764c700bbfa4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Orcus.exe

description pid process

Token: SeDebugPrivilege 524 Orcus.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Orcus.exe

pid process

524 Orcus.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Orcus.exe

pid process

524 Orcus.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Orcus.exe

pid process

524 Orcus.exe

description	pid	process
Token: SeDebugPrivilege	524	Orcus.exe

pid	process
524	Orcus.exe

pid	process
524	Orcus.exe

pid	process
524	Orcus.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

cd42f90ac522a1bf3a23764c700bbfa4.execsc.exe

description	pid	process	target process
PID 1096 wrote to memory of 2040	1096	cd42f90ac522a1bf3a23764c700bbfa4.exe	csc.exe
PID 1096 wrote to memory of 2040	1096	cd42f90ac522a1bf3a23764c700bbfa4.exe	csc.exe
PID 1096 wrote to memory of 2040	1096	cd42f90ac522a1bf3a23764c700bbfa4.exe	csc.exe
PID 2040 wrote to memory of 1944	2040	csc.exe	cvtres.exe
PID 2040 wrote to memory of 1944	2040	csc.exe	cvtres.exe
PID 2040 wrote to memory of 1944	2040	csc.exe	cvtres.exe
PID 1096 wrote to memory of 524	1096	cd42f90ac522a1bf3a23764c700bbfa4.exe	Orcus.exe
PID 1096 wrote to memory of 524	1096	cd42f90ac522a1bf3a23764c700bbfa4.exe	Orcus.exe
PID 1096 wrote to memory of 524	1096	cd42f90ac522a1bf3a23764c700bbfa4.exe	Orcus.exe

C:\Users\Admin\AppData\Local\Temp\cd42f90ac522a1bf3a23764c700bbfa4.exe
"C:\Users\Admin\AppData\Local\Temp\cd42f90ac522a1bf3a23764c700bbfa4.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dl1amwex.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84DA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC84D9.tmp"
3⤵
PID:1944

C:\Program Files\Orcus\Orcus.exe
"C:\Program Files\Orcus\Orcus.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

MD5
cd42f90ac522a1bf3a23764c700bbfa4

SHA1
0caaca5d0f02fe988b7c6629271dfb325431b71c

SHA256
3e4ef7b0224b4601e28838ec6319634315025d824c1404a2a9e114139dbdbe21

SHA512
6a4155f288155cd9b2da52275e30dad56390b12060841eb20ad2a68b6ea8d426c699bb40bc4abc80c146ed46d2e9b000d9198a52c379e9b9ed32d73ed49401c5

Download Submit
C:\Program Files\Orcus\Orcus.exe

MD5
cd42f90ac522a1bf3a23764c700bbfa4

SHA1
0caaca5d0f02fe988b7c6629271dfb325431b71c

SHA256
3e4ef7b0224b4601e28838ec6319634315025d824c1404a2a9e114139dbdbe21

SHA512
6a4155f288155cd9b2da52275e30dad56390b12060841eb20ad2a68b6ea8d426c699bb40bc4abc80c146ed46d2e9b000d9198a52c379e9b9ed32d73ed49401c5

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES84DA.tmp

MD5
d347a1872d1d9a8470fbeb20025d9437

SHA1
edd9744eb3cb5567e1fe2d5e449358cfdd57dfc4

SHA256
4c15e505f6d21562bd8ade0e2d8118c57a8e1968c7b3fbaf7a575afb327b58d1

SHA512
63876b08fa267739d68c51028078a91b4395386b0fc13a87dfa0556e09c5e21b7c36ff4050d3d7506d0458a58e33fa4b501ad86b9613925190a0e53bababb36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dl1amwex.dll

MD5
0983020d9faf6f256e4cf348f4612778

SHA1
7d2ff528b8d014a4f044b1d387c388fc1108d99d

SHA256
8d77d25a129aafefd80adc8c38b6f565246d75f122228b05e2c9d6cad6bd5f2a

SHA512
21e734fa9a3e084236b919eb2a0560d5336f783f68634d310c283989749511a3cace9b8095ed3c1a34340219296445a3fca081b56a43092af33606a6c789a465

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC84D9.tmp

MD5
e3e12427d4d10d64f365d5efc335c378

SHA1
9eeb0f4e74cbdd04e7084fdf473a3f820831837a

SHA256
e4b7a6c5ba4a2553ac0e2383ba572442df1b67db80af453c0417dd92f7afb87b

SHA512
64fdaba79d060f192bdf79c824d50d46eae78db6c19dfcf2506a49480526ce9c7004ebba45fb91c27d45da5c3da88c0137f3316c8a1a3bab7751716f75c8641c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dl1amwex.0.cs

MD5
2b14ae8b54d216abf4d228493ceca44a

SHA1
d134351498e4273e9d6391153e35416bc743adef

SHA256
4e1cc3da1f7bf92773aae6cffa6d61bfc3e25aead3ad947f6215f93a053f346c

SHA512
5761b605add10ae3ef80f3b8706c8241b4e8abe4ac3ce36b7be8a97d08b08da5a72fedd5e976b3c9e1c463613a943ebb5d323e6a075ef6c7c3b1abdc0d53ac05

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dl1amwex.cmdline

MD5
7d28249b719a96833afbaea82f62f19f

SHA1
588adb9ea8449df172afbf4a275f4f92a1f18eb7

SHA256
20316afbc592102675134a6e9af520f887e7fba26b5b9e4c636a32ab6af79afc

SHA512
d13705c9c622b14496630df5275ef9eb708a5b766eaf9b768cfa56e4d2b491b115b0eccecd24478e87802c14a889b3e7a7c2a035d39dea65f04b311359b300bc

Download Submit
memory/524-76-0x0000000000810000-0x000000000086A000-memory.dmp

Filesize
360KB

Download
memory/524-79-0x00000000005B0000-0x00000000005F8000-memory.dmp

Filesize
288KB

Download
memory/524-83-0x000000001B0B6000-0x000000001B0D5000-memory.dmp

Filesize
124KB

Download
memory/524-82-0x0000000000590000-0x000000000059C000-memory.dmp

Filesize
48KB

Download
memory/524-69-0x0000000000000000-mapping.dmp

Download
memory/524-73-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/524-81-0x000000001B0B0000-0x000000001B0B2000-memory.dmp

Filesize
8KB

Download
memory/524-80-0x0000000001F00000-0x0000000001F15000-memory.dmp

Filesize
84KB

Download
memory/524-77-0x0000000000240000-0x000000000024C000-memory.dmp

Filesize
48KB

Download
memory/524-78-0x0000000000580000-0x0000000000590000-memory.dmp

Filesize
64KB

Download
memory/1096-61-0x000007FEF2BC0000-0x000007FEF3C56000-memory.dmp

Filesize
16.6MB

Download
memory/1096-60-0x0000000002080000-0x0000000002082000-memory.dmp

Filesize
8KB

Download
memory/1944-65-0x0000000000000000-mapping.dmp

Download
memory/2040-75-0x00000000021F0000-0x00000000021F2000-memory.dmp

Filesize
8KB

Download
memory/2040-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads