orcus | 994d07673de5e6dde1e1292d3502ce4f122c18e112a196278ee5f269b517399c

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7v20210410
submitted
26-05-2021 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Valorant Script.bat.exe
Size

1.4MB
MD5

637b3b849ab42985bd2bc59982202df9
SHA1

359dab386ed04c7e9bf1dac6af68ff4b70ee6d71
SHA256

994d07673de5e6dde1e1292d3502ce4f122c18e112a196278ee5f269b517399c
SHA512

db676cc9cc802d57093b6a71a4cba36e84b93e3ca57c421dc3998c219d711cbdadb3537db2d60b94ad14da5cce1c484a59d8d98ddff112715840d218f1d55488

Score

10^/10

orcus lol rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

lol

isnadsknsbs-38398.portmap.host:12201

Mutex

e1b8920439fc43a68e4d8395e70dc516

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus Main Payload 6 IoCs

resource	yara_rule
behavioral1/files/0x00040000000130ce-60.dat	family_orcus
behavioral1/files/0x00040000000130ce-62.dat	family_orcus
behavioral1/files/0x00040000000130ce-63.dat	family_orcus
behavioral1/files/0x00040000000130d6-87.dat	family_orcus
behavioral1/files/0x00040000000130d6-89.dat	family_orcus
behavioral1/files/0x00040000000130d6-100.dat	family_orcus

Orcurs Rat Executable 6 IoCs

resource	yara_rule
behavioral1/files/0x00040000000130ce-60.dat	orcus
behavioral1/files/0x00040000000130ce-62.dat	orcus
behavioral1/files/0x00040000000130ce-63.dat	orcus
behavioral1/files/0x00040000000130d6-87.dat	orcus
behavioral1/files/0x00040000000130d6-89.dat	orcus
behavioral1/files/0x00040000000130d6-100.dat	orcus

Executes dropped EXE 7 IoCs

pid	Process
1192	ROBLOX BUCKS AND MOD MENU.EXE
1812	WindowsInput.exe
1684	WindowsInput.exe
1480	Orcus.exe
1204	Orcus.exe
1992	OrcusWatchdog.exe
1784	OrcusWatchdog.exe

Loads dropped DLL 1 IoCs

pid	Process
1084	Valorant Script.bat.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe	ROBLOX BUCKS AND MOD MENU.EXE
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	ROBLOX BUCKS AND MOD MENU.EXE

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Orcus\Orcus.exe	ROBLOX BUCKS AND MOD MENU.EXE
File created	C:\Program Files\Orcus\Orcus.exe.config	ROBLOX BUCKS AND MOD MENU.EXE
File created	C:\Program Files (x86)\ROBLOX BUCKS AND MOD MENU.EXE	Valorant Script.bat.exe
File created	C:\Program Files\Orcus\Orcus.exe	ROBLOX BUCKS AND MOD MENU.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1784	OrcusWatchdog.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1480	Orcus.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1480	Orcus.exe
Token: SeDebugPrivilege	1992	OrcusWatchdog.exe
Token: SeDebugPrivilege	1784	OrcusWatchdog.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1480	Orcus.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1480	Orcus.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1480	Orcus.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 1192	1084	Valorant Script.bat.exe	25
PID 1084 wrote to memory of 1192	1084	Valorant Script.bat.exe	25
PID 1084 wrote to memory of 1192	1084	Valorant Script.bat.exe	25
PID 1084 wrote to memory of 1192	1084	Valorant Script.bat.exe	25
PID 1192 wrote to memory of 1988	1192	ROBLOX BUCKS AND MOD MENU.EXE	27
PID 1192 wrote to memory of 1988	1192	ROBLOX BUCKS AND MOD MENU.EXE	27
PID 1192 wrote to memory of 1988	1192	ROBLOX BUCKS AND MOD MENU.EXE	27
PID 1988 wrote to memory of 1844	1988	csc.exe	29
PID 1988 wrote to memory of 1844	1988	csc.exe	29
PID 1988 wrote to memory of 1844	1988	csc.exe	29
PID 1192 wrote to memory of 1812	1192	ROBLOX BUCKS AND MOD MENU.EXE	30
PID 1192 wrote to memory of 1812	1192	ROBLOX BUCKS AND MOD MENU.EXE	30
PID 1192 wrote to memory of 1812	1192	ROBLOX BUCKS AND MOD MENU.EXE	30
PID 1192 wrote to memory of 1480	1192	ROBLOX BUCKS AND MOD MENU.EXE	33
PID 1192 wrote to memory of 1480	1192	ROBLOX BUCKS AND MOD MENU.EXE	33
PID 1192 wrote to memory of 1480	1192	ROBLOX BUCKS AND MOD MENU.EXE	33
PID 1276 wrote to memory of 1204	1276	taskeng.exe	37
PID 1276 wrote to memory of 1204	1276	taskeng.exe	37
PID 1276 wrote to memory of 1204	1276	taskeng.exe	37
PID 1480 wrote to memory of 1992	1480	Orcus.exe	38
PID 1480 wrote to memory of 1992	1480	Orcus.exe	38
PID 1480 wrote to memory of 1992	1480	Orcus.exe	38
PID 1480 wrote to memory of 1992	1480	Orcus.exe	38
PID 1992 wrote to memory of 1784	1992	OrcusWatchdog.exe	39
PID 1992 wrote to memory of 1784	1992	OrcusWatchdog.exe	39
PID 1992 wrote to memory of 1784	1992	OrcusWatchdog.exe	39
PID 1992 wrote to memory of 1784	1992	OrcusWatchdog.exe	39

C:\Users\Admin\AppData\Local\Temp\Valorant Script.bat.exe
"C:\Users\Admin\AppData\Local\Temp\Valorant Script.bat.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Program Files (x86)\ROBLOX BUCKS AND MOD MENU.EXE
  "C:\Program Files (x86)\ROBLOX BUCKS AND MOD MENU.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eve-pgls.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA4E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA4D.tmp"
      4⤵
      PID:1844
- - C:\Windows\SysWOW64\WindowsInput.exe
    "C:\Windows\SysWOW64\WindowsInput.exe" --install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:1812
- - C:\Program Files\Orcus\Orcus.exe
    "C:\Program Files\Orcus\Orcus.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
      "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 1480 /protectFile
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1992
    - - C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
        
        "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 1480 "/protectFile"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:1684

C:\Windows\system32\taskeng.exe
taskeng.exe {AEB53CCD-17F5-4434-921E-C9779C301641} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  PID:1204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1084-59-0x00000000752F1000-0x00000000752F3000-memory.dmp

Filesize
8KB

Download
memory/1192-64-0x000007FEF2640000-0x000007FEF36D6000-memory.dmp

Filesize
16.6MB

Download
memory/1192-65-0x0000000000A10000-0x0000000000A12000-memory.dmp

Filesize
8KB

Download
memory/1204-113-0x000000001A890000-0x000000001A892000-memory.dmp

Filesize
8KB

Download
memory/1480-97-0x0000000000990000-0x00000000009A5000-memory.dmp

Filesize
84KB

Download
memory/1480-112-0x000000001B068000-0x000000001B087000-memory.dmp

Filesize
124KB

Download
memory/1480-92-0x000000001A810000-0x000000001A86A000-memory.dmp

Filesize
360KB

Download
memory/1480-93-0x0000000000240000-0x000000000024C000-memory.dmp

Filesize
48KB

Download
memory/1480-94-0x0000000000310000-0x0000000000320000-memory.dmp

Filesize
64KB

Download
memory/1480-95-0x0000000000B60000-0x0000000000BA8000-memory.dmp

Filesize
288KB

Download
memory/1480-96-0x000000001B060000-0x000000001B062000-memory.dmp

Filesize
8KB

Download
memory/1480-98-0x0000000000A40000-0x0000000000A4C000-memory.dmp

Filesize
48KB

Download
memory/1480-111-0x000000001B062000-0x000000001B064000-memory.dmp

Filesize
8KB

Download
memory/1480-90-0x0000000001210000-0x0000000001211000-memory.dmp

Filesize
4KB

Download
memory/1684-86-0x0000000019A30000-0x0000000019A32000-memory.dmp

Filesize
8KB

Download
memory/1812-77-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/1812-83-0x000000001B0C0000-0x000000001B0C2000-memory.dmp

Filesize
8KB

Download
memory/1988-81-0x00000000022F0000-0x00000000022F2000-memory.dmp

Filesize
8KB

Download
memory/1992-109-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download