orcus | 88f3320f4bcd533c568b9ba53205deb1b0e430c3c32a1dfa0bfded03851114a8

Analysis

max time kernel
151s
max time network
152s
platform
windows7_x64
resource
win7v20210408
submitted
21-05-2021 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

658CB5F3BD26B13BB619C625501D7283.exe
Size

907KB
MD5

658cb5f3bd26b13bb619c625501d7283
SHA1

55ed61f7bd39147201a022ec3f83edfc8c58e002
SHA256

88f3320f4bcd533c568b9ba53205deb1b0e430c3c32a1dfa0bfded03851114a8
SHA512

d932c5b58120b466ae3451ececbb9fc323603d70b728294dce88e8b911c38dd65f0a81ec8fbba7f4c7dd2b9f9f3304de318a5297703e1d94204c89c3be55ad91

Score

10^/10

orcus people rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

People

4.tcp.ngrok.io:16788

Mutex

55c8e5e3f5fe4794a3ef3a55735c66ad

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%appdata%\MultiRunner\MultiRunner.exe
reconnect_delay
10000
registry_keyname
MutliRunner
taskscheduler_taskname
MultiRunner
watchdog_path
AppData\MultiHelper.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus Main Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x00050000000130cd-65.dat	family_orcus
behavioral1/files/0x00050000000130cd-67.dat	family_orcus
behavioral1/files/0x00050000000130cd-69.dat	family_orcus

Orcurs Rat Executable 3 IoCs

resource	yara_rule
behavioral1/files/0x00050000000130cd-65.dat	orcus
behavioral1/files/0x00050000000130cd-67.dat	orcus
behavioral1/files/0x00050000000130cd-69.dat	orcus

Executes dropped EXE 3 IoCs

pid	Process
1528	MultiRunner.exe
1000	MultiHelper.exe
944	MultiHelper.exe

Loads dropped DLL 2 IoCs

pid	Process
1820	658CB5F3BD26B13BB619C625501D7283.exe
1528	MultiRunner.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
944	MultiHelper.exe
944	MultiHelper.exe
1528	MultiRunner.exe
1528	MultiRunner.exe
944	MultiHelper.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe
1528	MultiRunner.exe
944	MultiHelper.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1528	MultiRunner.exe
Token: SeDebugPrivilege	1000	MultiHelper.exe
Token: SeDebugPrivilege	944	MultiHelper.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1528	MultiRunner.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 1528	1820	658CB5F3BD26B13BB619C625501D7283.exe	29
PID 1820 wrote to memory of 1528	1820	658CB5F3BD26B13BB619C625501D7283.exe	29
PID 1820 wrote to memory of 1528	1820	658CB5F3BD26B13BB619C625501D7283.exe	29
PID 1820 wrote to memory of 1528	1820	658CB5F3BD26B13BB619C625501D7283.exe	29
PID 1528 wrote to memory of 1000	1528	MultiRunner.exe	30
PID 1528 wrote to memory of 1000	1528	MultiRunner.exe	30
PID 1528 wrote to memory of 1000	1528	MultiRunner.exe	30
PID 1528 wrote to memory of 1000	1528	MultiRunner.exe	30
PID 1000 wrote to memory of 944	1000	MultiHelper.exe	31
PID 1000 wrote to memory of 944	1000	MultiHelper.exe	31
PID 1000 wrote to memory of 944	1000	MultiHelper.exe	31
PID 1000 wrote to memory of 944	1000	MultiHelper.exe	31

C:\Users\Admin\AppData\Local\Temp\658CB5F3BD26B13BB619C625501D7283.exe
"C:\Users\Admin\AppData\Local\Temp\658CB5F3BD26B13BB619C625501D7283.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Users\Admin\AppData\Roaming\MultiRunner\MultiRunner.exe
  "C:\Users\Admin\AppData\Roaming\MultiRunner\MultiRunner.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Users\Admin\AppData\Roaming\MultiHelper.exe
    "C:\Users\Admin\AppData\Roaming\MultiHelper.exe" /launchSelfAndExit "C:\Users\Admin\AppData\Roaming\MultiRunner\MultiRunner.exe" 1528 /protectFile
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1000
  - - C:\Users\Admin\AppData\Roaming\MultiHelper.exe
      "C:\Users\Admin\AppData\Roaming\MultiHelper.exe" /watchProcess "C:\Users\Admin\AppData\Roaming\MultiRunner\MultiRunner.exe" 1528 "/protectFile"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1000-84-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/1528-77-0x0000000000570000-0x0000000000585000-memory.dmp

Filesize
84KB

Download
memory/1528-78-0x00000000007E0000-0x00000000007EC000-memory.dmp

Filesize
48KB

Download
memory/1528-76-0x00000000046D0000-0x0000000004718000-memory.dmp

Filesize
288KB

Download
memory/1528-74-0x0000000004770000-0x0000000004771000-memory.dmp

Filesize
4KB

Download
memory/1528-70-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/1528-90-0x0000000004775000-0x0000000004786000-memory.dmp

Filesize
68KB

Download
memory/1820-59-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/1820-64-0x0000000000630000-0x0000000000640000-memory.dmp

Filesize
64KB

Download
memory/1820-63-0x0000000002060000-0x00000000020BA000-memory.dmp

Filesize
360KB

Download
memory/1820-62-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/1820-61-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download