orcus | 88f3320f4bcd533c568b9ba53205deb1b0e430c3c32a1dfa0bfded03851114a8

Analysis

max time kernel
151s
max time network
147s
platform
windows10_x64
resource
win10v20210410
submitted
21-05-2021 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

658CB5F3BD26B13BB619C625501D7283.exe
Size

907KB
MD5

658cb5f3bd26b13bb619c625501d7283
SHA1

55ed61f7bd39147201a022ec3f83edfc8c58e002
SHA256

88f3320f4bcd533c568b9ba53205deb1b0e430c3c32a1dfa0bfded03851114a8
SHA512

d932c5b58120b466ae3451ececbb9fc323603d70b728294dce88e8b911c38dd65f0a81ec8fbba7f4c7dd2b9f9f3304de318a5297703e1d94204c89c3be55ad91

Score

10^/10

orcus people rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

People

4.tcp.ngrok.io:16788

Mutex

55c8e5e3f5fe4794a3ef3a55735c66ad

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%appdata%\MultiRunner\MultiRunner.exe
reconnect_delay
10000
registry_keyname
MutliRunner
taskscheduler_taskname
MultiRunner
watchdog_path
AppData\MultiHelper.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus Main Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000200000001ab54-123.dat	family_orcus
behavioral2/files/0x000200000001ab54-125.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x000200000001ab54-123.dat	orcus
behavioral2/files/0x000200000001ab54-125.dat	orcus

Executes dropped EXE 3 IoCs

pid	Process
2476	MultiRunner.exe
3480	MultiHelper.exe
3228	MultiHelper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2476	MultiRunner.exe
2476	MultiRunner.exe
2476	MultiRunner.exe
3228	MultiHelper.exe
3228	MultiHelper.exe
3228	MultiHelper.exe
3228	MultiHelper.exe
2476	MultiRunner.exe
3228	MultiHelper.exe
2476	MultiRunner.exe
2476	MultiRunner.exe
3228	MultiHelper.exe
3228	MultiHelper.exe
2476	MultiRunner.exe
2476	MultiRunner.exe
3228	MultiHelper.exe
3228	MultiHelper.exe
2476	MultiRunner.exe
2476	MultiRunner.exe
3228	MultiHelper.exe
2476	MultiRunner.exe
3228	MultiHelper.exe
3228	MultiHelper.exe
2476	MultiRunner.exe
2476	MultiRunner.exe
3228	MultiHelper.exe
3228	MultiHelper.exe
2476	MultiRunner.exe
2476	MultiRunner.exe
3228	MultiHelper.exe
3228	MultiHelper.exe
2476	MultiRunner.exe
2476	MultiRunner.exe
3228	MultiHelper.exe
2476	MultiRunner.exe
3228	MultiHelper.exe
3228	MultiHelper.exe
2476	MultiRunner.exe
3228	MultiHelper.exe
2476	MultiRunner.exe
3228	MultiHelper.exe
2476	MultiRunner.exe
3228	MultiHelper.exe
2476	MultiRunner.exe
3228	MultiHelper.exe
2476	MultiRunner.exe
2476	MultiRunner.exe
3228	MultiHelper.exe
3228	MultiHelper.exe
2476	MultiRunner.exe
3228	MultiHelper.exe
2476	MultiRunner.exe
3228	MultiHelper.exe
2476	MultiRunner.exe
3228	MultiHelper.exe
2476	MultiRunner.exe
2476	MultiRunner.exe
3228	MultiHelper.exe
3228	MultiHelper.exe
2476	MultiRunner.exe
2476	MultiRunner.exe
3228	MultiHelper.exe
2476	MultiRunner.exe
3228	MultiHelper.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2476	MultiRunner.exe
Token: SeDebugPrivilege	3480	MultiHelper.exe
Token: SeDebugPrivilege	3228	MultiHelper.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2476	MultiRunner.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3864 wrote to memory of 2476	3864	658CB5F3BD26B13BB619C625501D7283.exe	75
PID 3864 wrote to memory of 2476	3864	658CB5F3BD26B13BB619C625501D7283.exe	75
PID 3864 wrote to memory of 2476	3864	658CB5F3BD26B13BB619C625501D7283.exe	75
PID 2476 wrote to memory of 3480	2476	MultiRunner.exe	76
PID 2476 wrote to memory of 3480	2476	MultiRunner.exe	76
PID 2476 wrote to memory of 3480	2476	MultiRunner.exe	76
PID 3480 wrote to memory of 3228	3480	MultiHelper.exe	77
PID 3480 wrote to memory of 3228	3480	MultiHelper.exe	77
PID 3480 wrote to memory of 3228	3480	MultiHelper.exe	77

C:\Users\Admin\AppData\Local\Temp\658CB5F3BD26B13BB619C625501D7283.exe
"C:\Users\Admin\AppData\Local\Temp\658CB5F3BD26B13BB619C625501D7283.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3864
- C:\Users\Admin\AppData\Roaming\MultiRunner\MultiRunner.exe
  "C:\Users\Admin\AppData\Roaming\MultiRunner\MultiRunner.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Users\Admin\AppData\Roaming\MultiHelper.exe
    "C:\Users\Admin\AppData\Roaming\MultiHelper.exe" /launchSelfAndExit "C:\Users\Admin\AppData\Roaming\MultiRunner\MultiRunner.exe" 2476 /protectFile
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3480
  - - C:\Users\Admin\AppData\Roaming\MultiHelper.exe
      "C:\Users\Admin\AppData\Roaming\MultiHelper.exe" /watchProcess "C:\Users\Admin\AppData\Roaming\MultiRunner\MultiRunner.exe" 2476 "/protectFile"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2476-134-0x0000000005B90000-0x0000000005BA5000-memory.dmp

Filesize
84KB

Download
memory/2476-148-0x0000000004F93000-0x0000000004F95000-memory.dmp

Filesize
8KB

Download
memory/2476-133-0x0000000005B20000-0x0000000005B68000-memory.dmp

Filesize
288KB

Download
memory/2476-146-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/2476-135-0x0000000005ED0000-0x0000000005ED1000-memory.dmp

Filesize
4KB

Download
memory/2476-136-0x0000000005D00000-0x0000000005D0C000-memory.dmp

Filesize
48KB

Download
memory/2476-137-0x0000000006370000-0x0000000006371000-memory.dmp

Filesize
4KB

Download
memory/3480-142-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/3864-120-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/3864-119-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/3864-118-0x0000000005140000-0x000000000519A000-memory.dmp

Filesize
360KB

Download
memory/3864-117-0x0000000001240000-0x000000000124C000-memory.dmp

Filesize
48KB

Download
memory/3864-116-0x0000000001250000-0x0000000001251000-memory.dmp

Filesize
4KB

Download
memory/3864-114-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/3864-121-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download