orcus | 88f3320f4bcd533c568b9ba53205deb1b0e430c3c32a1dfa0bfded03851114a8

Analysis

max time kernel
151s
max time network
152s
platform
windows7_x64
resource
win7v20210408
submitted
21-05-2021 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

658CB5F3BD26B13BB619C625501D7283.exe
Size

907KB
MD5

658cb5f3bd26b13bb619c625501d7283
SHA1

55ed61f7bd39147201a022ec3f83edfc8c58e002
SHA256

88f3320f4bcd533c568b9ba53205deb1b0e430c3c32a1dfa0bfded03851114a8
SHA512

d932c5b58120b466ae3451ececbb9fc323603d70b728294dce88e8b911c38dd65f0a81ec8fbba7f4c7dd2b9f9f3304de318a5297703e1d94204c89c3be55ad91

Score

10^/10

orcus people rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

People

4.tcp.ngrok.io:16788

Mutex

55c8e5e3f5fe4794a3ef3a55735c66ad

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%appdata%\MultiRunner\MultiRunner.exe
reconnect_delay
10000
registry_keyname
MutliRunner
taskscheduler_taskname
MultiRunner
watchdog_path
AppData\MultiHelper.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus Main Payload 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\MultiRunner\MultiRunner.exe	family_orcus
C:\Users\Admin\AppData\Roaming\MultiRunner\MultiRunner.exe	family_orcus
C:\Users\Admin\AppData\Roaming\MultiRunner\MultiRunner.exe	family_orcus

Orcurs Rat Executable 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\MultiRunner\MultiRunner.exe	orcus
C:\Users\Admin\AppData\Roaming\MultiRunner\MultiRunner.exe	orcus
C:\Users\Admin\AppData\Roaming\MultiRunner\MultiRunner.exe	orcus

Executes dropped EXE 3 IoCs

Processes:

MultiRunner.exeMultiHelper.exeMultiHelper.exe

pid process

1528 MultiRunner.exe
1000 MultiHelper.exe
944 MultiHelper.exe
Loads dropped DLL 2 IoCs

Processes:

658CB5F3BD26B13BB619C625501D7283.exeMultiRunner.exe

pid process

1820 658CB5F3BD26B13BB619C625501D7283.exe
1528 MultiRunner.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1528	MultiRunner.exe
1000	MultiHelper.exe
944	MultiHelper.exe

pid	process
1820	658CB5F3BD26B13BB619C625501D7283.exe
1528	MultiRunner.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MultiHelper.exeMultiRunner.exe

pid	process
944	MultiHelper.exe
944	MultiHelper.exe
1528	MultiRunner.exe
1528	MultiRunner.exe
944	MultiHelper.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

MultiRunner.exeMultiHelper.exeMultiHelper.exe

description pid process

Token: SeDebugPrivilege 1528 MultiRunner.exe
Token: SeDebugPrivilege 1000 MultiHelper.exe
Token: SeDebugPrivilege 944 MultiHelper.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MultiRunner.exe

pid process

1528 MultiRunner.exe

description	pid	process
Token: SeDebugPrivilege	1528	MultiRunner.exe
Token: SeDebugPrivilege	1000	MultiHelper.exe
Token: SeDebugPrivilege	944	MultiHelper.exe

pid	process
1528	MultiRunner.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

658CB5F3BD26B13BB619C625501D7283.exeMultiRunner.exeMultiHelper.exe

description	pid	process	target process
PID 1820 wrote to memory of 1528	1820	658CB5F3BD26B13BB619C625501D7283.exe	MultiRunner.exe
PID 1820 wrote to memory of 1528	1820	658CB5F3BD26B13BB619C625501D7283.exe	MultiRunner.exe
PID 1820 wrote to memory of 1528	1820	658CB5F3BD26B13BB619C625501D7283.exe	MultiRunner.exe
PID 1820 wrote to memory of 1528	1820	658CB5F3BD26B13BB619C625501D7283.exe	MultiRunner.exe
PID 1528 wrote to memory of 1000	1528	MultiRunner.exe	MultiHelper.exe
PID 1528 wrote to memory of 1000	1528	MultiRunner.exe	MultiHelper.exe
PID 1528 wrote to memory of 1000	1528	MultiRunner.exe	MultiHelper.exe
PID 1528 wrote to memory of 1000	1528	MultiRunner.exe	MultiHelper.exe
PID 1000 wrote to memory of 944	1000	MultiHelper.exe	MultiHelper.exe
PID 1000 wrote to memory of 944	1000	MultiHelper.exe	MultiHelper.exe
PID 1000 wrote to memory of 944	1000	MultiHelper.exe	MultiHelper.exe
PID 1000 wrote to memory of 944	1000	MultiHelper.exe	MultiHelper.exe

C:\Users\Admin\AppData\Local\Temp\658CB5F3BD26B13BB619C625501D7283.exe
"C:\Users\Admin\AppData\Local\Temp\658CB5F3BD26B13BB619C625501D7283.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Users\Admin\AppData\Roaming\MultiRunner\MultiRunner.exe
  "C:\Users\Admin\AppData\Roaming\MultiRunner\MultiRunner.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Users\Admin\AppData\Roaming\MultiHelper.exe
    "C:\Users\Admin\AppData\Roaming\MultiHelper.exe" /launchSelfAndExit "C:\Users\Admin\AppData\Roaming\MultiRunner\MultiRunner.exe" 1528 /protectFile
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1000
  - - C:\Users\Admin\AppData\Roaming\MultiHelper.exe
      "C:\Users\Admin\AppData\Roaming\MultiHelper.exe" /watchProcess "C:\Users\Admin\AppData\Roaming\MultiRunner\MultiRunner.exe" 1528 "/protectFile"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MultiHelper.exe

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Roaming\MultiHelper.exe

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Roaming\MultiHelper.exe

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Roaming\MultiHelper.exe.config

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Roaming\MultiRunner\MultiRunner.exe

MD5
658cb5f3bd26b13bb619c625501d7283

SHA1
55ed61f7bd39147201a022ec3f83edfc8c58e002

SHA256
88f3320f4bcd533c568b9ba53205deb1b0e430c3c32a1dfa0bfded03851114a8

SHA512
d932c5b58120b466ae3451ececbb9fc323603d70b728294dce88e8b911c38dd65f0a81ec8fbba7f4c7dd2b9f9f3304de318a5297703e1d94204c89c3be55ad91

Download Submit
C:\Users\Admin\AppData\Roaming\MultiRunner\MultiRunner.exe

MD5
658cb5f3bd26b13bb619c625501d7283

SHA1
55ed61f7bd39147201a022ec3f83edfc8c58e002

SHA256
88f3320f4bcd533c568b9ba53205deb1b0e430c3c32a1dfa0bfded03851114a8

SHA512
d932c5b58120b466ae3451ececbb9fc323603d70b728294dce88e8b911c38dd65f0a81ec8fbba7f4c7dd2b9f9f3304de318a5297703e1d94204c89c3be55ad91

Download Submit
C:\Users\Admin\AppData\Roaming\MultiRunner\MultiRunner.exe.config

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\Users\Admin\AppData\Roaming\MultiHelper.exe

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
\Users\Admin\AppData\Roaming\MultiRunner\MultiRunner.exe

MD5
658cb5f3bd26b13bb619c625501d7283

SHA1
55ed61f7bd39147201a022ec3f83edfc8c58e002

SHA256
88f3320f4bcd533c568b9ba53205deb1b0e430c3c32a1dfa0bfded03851114a8

SHA512
d932c5b58120b466ae3451ececbb9fc323603d70b728294dce88e8b911c38dd65f0a81ec8fbba7f4c7dd2b9f9f3304de318a5297703e1d94204c89c3be55ad91

Download Submit
memory/944-86-0x0000000000000000-mapping.dmp

Download
memory/1000-84-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/1000-80-0x0000000000000000-mapping.dmp

Download
memory/1528-66-0x0000000000000000-mapping.dmp

Download
memory/1528-77-0x0000000000570000-0x0000000000585000-memory.dmp

Filesize
84KB

Download
memory/1528-78-0x00000000007E0000-0x00000000007EC000-memory.dmp

Filesize
48KB

Download
memory/1528-76-0x00000000046D0000-0x0000000004718000-memory.dmp

Filesize
288KB

Download
memory/1528-74-0x0000000004770000-0x0000000004771000-memory.dmp

Filesize
4KB

Download
memory/1528-70-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/1528-90-0x0000000004775000-0x0000000004786000-memory.dmp

Filesize
68KB

Download
memory/1820-59-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/1820-64-0x0000000000630000-0x0000000000640000-memory.dmp

Filesize
64KB

Download
memory/1820-63-0x0000000002060000-0x00000000020BA000-memory.dmp

Filesize
360KB

Download
memory/1820-62-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/1820-61-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download