orcus | 994d07673de5e6dde1e1292d3502ce4f122c18e112a196278ee5f269b517399c

Analysis

max time kernel
150s
max time network
147s
platform
windows10_x64
resource
win10v20210408
submitted
26-05-2021 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Valorant Script.bat.exe
Size

1.4MB
MD5

637b3b849ab42985bd2bc59982202df9
SHA1

359dab386ed04c7e9bf1dac6af68ff4b70ee6d71
SHA256

994d07673de5e6dde1e1292d3502ce4f122c18e112a196278ee5f269b517399c
SHA512

db676cc9cc802d57093b6a71a4cba36e84b93e3ca57c421dc3998c219d711cbdadb3537db2d60b94ad14da5cce1c484a59d8d98ddff112715840d218f1d55488

Score

10^/10

orcus lol rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

lol

isnadsknsbs-38398.portmap.host:12201

Mutex

e1b8920439fc43a68e4d8395e70dc516

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus Main Payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000200000001ab16-115.dat	family_orcus
behavioral2/files/0x000200000001ab16-116.dat	family_orcus
behavioral2/files/0x000200000001ab20-144.dat	family_orcus
behavioral2/files/0x000200000001ab20-146.dat	family_orcus
behavioral2/files/0x000200000001ab20-154.dat	family_orcus

Orcurs Rat Executable 5 IoCs

resource	yara_rule
behavioral2/files/0x000200000001ab16-115.dat	orcus
behavioral2/files/0x000200000001ab16-116.dat	orcus
behavioral2/files/0x000200000001ab20-144.dat	orcus
behavioral2/files/0x000200000001ab20-146.dat	orcus
behavioral2/files/0x000200000001ab20-154.dat	orcus

Executes dropped EXE 7 IoCs

pid	Process
2592	ROBLOX BUCKS AND MOD MENU.EXE
2296	WindowsInput.exe
3904	WindowsInput.exe
2988	Orcus.exe
1768	Orcus.exe
396	OrcusWatchdog.exe
1792	OrcusWatchdog.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	ROBLOX BUCKS AND MOD MENU.EXE
File opened for modification	C:\Windows\assembly\Desktop.ini	ROBLOX BUCKS AND MOD MENU.EXE

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.exe	ROBLOX BUCKS AND MOD MENU.EXE
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	ROBLOX BUCKS AND MOD MENU.EXE
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Orcus\Orcus.exe	ROBLOX BUCKS AND MOD MENU.EXE
File created	C:\Program Files\Orcus\Orcus.exe.config	ROBLOX BUCKS AND MOD MENU.EXE
File created	C:\Program Files (x86)\ROBLOX BUCKS AND MOD MENU.EXE	Valorant Script.bat.exe
File created	C:\Program Files\Orcus\Orcus.exe	ROBLOX BUCKS AND MOD MENU.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	ROBLOX BUCKS AND MOD MENU.EXE
File created	C:\Windows\assembly\Desktop.ini	ROBLOX BUCKS AND MOD MENU.EXE
File opened for modification	C:\Windows\assembly\Desktop.ini	ROBLOX BUCKS AND MOD MENU.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2988	Orcus.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
1792	OrcusWatchdog.exe
1792	OrcusWatchdog.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2988	Orcus.exe
Token: SeDebugPrivilege	396	OrcusWatchdog.exe
Token: SeDebugPrivilege	1792	OrcusWatchdog.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2988	Orcus.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2988	Orcus.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2988	Orcus.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 2592	3492	Valorant Script.bat.exe	75
PID 3492 wrote to memory of 2592	3492	Valorant Script.bat.exe	75
PID 2592 wrote to memory of 3308	2592	ROBLOX BUCKS AND MOD MENU.EXE	76
PID 2592 wrote to memory of 3308	2592	ROBLOX BUCKS AND MOD MENU.EXE	76
PID 3308 wrote to memory of 2152	3308	csc.exe	78
PID 3308 wrote to memory of 2152	3308	csc.exe	78
PID 2592 wrote to memory of 2296	2592	ROBLOX BUCKS AND MOD MENU.EXE	79
PID 2592 wrote to memory of 2296	2592	ROBLOX BUCKS AND MOD MENU.EXE	79
PID 2592 wrote to memory of 2988	2592	ROBLOX BUCKS AND MOD MENU.EXE	81
PID 2592 wrote to memory of 2988	2592	ROBLOX BUCKS AND MOD MENU.EXE	81
PID 2988 wrote to memory of 396	2988	Orcus.exe	83
PID 2988 wrote to memory of 396	2988	Orcus.exe	83
PID 2988 wrote to memory of 396	2988	Orcus.exe	83
PID 396 wrote to memory of 1792	396	OrcusWatchdog.exe	84
PID 396 wrote to memory of 1792	396	OrcusWatchdog.exe	84
PID 396 wrote to memory of 1792	396	OrcusWatchdog.exe	84

C:\Users\Admin\AppData\Local\Temp\Valorant Script.bat.exe
"C:\Users\Admin\AppData\Local\Temp\Valorant Script.bat.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Program Files (x86)\ROBLOX BUCKS AND MOD MENU.EXE
  "C:\Program Files (x86)\ROBLOX BUCKS AND MOD MENU.EXE"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pix4cs06.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3308
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES41F1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC41F0.tmp"
      4⤵
      PID:2152
- - C:\Windows\SysWOW64\WindowsInput.exe
    "C:\Windows\SysWOW64\WindowsInput.exe" --install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:2296
- - C:\Program Files\Orcus\Orcus.exe
    "C:\Program Files\Orcus\Orcus.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
      "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 2988 /protectFile
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:396
    - - C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
        
        "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 2988 "/protectFile"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:3904

C:\Program Files\Orcus\Orcus.exe
"C:\Program Files\Orcus\Orcus.exe"
1⤵
- Executes dropped EXE
PID:1768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/396-169-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/1768-167-0x000000001CE10000-0x000000001CE12000-memory.dmp

Filesize
8KB

Download
memory/2296-130-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2296-134-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/2296-135-0x000000001C310000-0x000000001C312000-memory.dmp

Filesize
8KB

Download
memory/2296-133-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/2592-117-0x0000000002410000-0x0000000002412000-memory.dmp

Filesize
8KB

Download
memory/2988-160-0x000000001CB40000-0x000000001CB4C000-memory.dmp

Filesize
48KB

Download
memory/2988-153-0x000000001C550000-0x000000001C598000-memory.dmp

Filesize
288KB

Download
memory/2988-155-0x000000001CA20000-0x000000001CA35000-memory.dmp

Filesize
84KB

Download
memory/2988-158-0x000000001CD30000-0x000000001CD31000-memory.dmp

Filesize
4KB

Download
memory/2988-151-0x0000000000910000-0x0000000000912000-memory.dmp

Filesize
8KB

Download
memory/2988-150-0x0000000000900000-0x000000000090C000-memory.dmp

Filesize
48KB

Download
memory/2988-149-0x000000001C3F0000-0x000000001C44A000-memory.dmp

Filesize
360KB

Download
memory/2988-147-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2988-168-0x0000000000914000-0x0000000000916000-memory.dmp

Filesize
8KB

Download
memory/2988-152-0x0000000000C50000-0x0000000000C60000-memory.dmp

Filesize
64KB

Download
memory/2988-166-0x0000000000912000-0x0000000000914000-memory.dmp

Filesize
8KB

Download
memory/3308-125-0x0000000002260000-0x0000000002262000-memory.dmp

Filesize
8KB

Download
memory/3904-142-0x000000001C120000-0x000000001C121000-memory.dmp

Filesize
4KB

Download
memory/3904-139-0x0000000001B20000-0x0000000001B22000-memory.dmp

Filesize
8KB

Download