orcus | 3f25bc78db5f00c85bbd8662838858fa12989976b7be9c70aa6f68fe92c78a53

Analysis

max time kernel
150s
max time network
158s
platform
windows10_x64
resource
win10v20210408
submitted
28-05-2021 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6d66119_extracted.exe
Size

953KB
MD5

7c0515a40b439d120deb649fb8ccafe3
SHA1

c081cb8c417f69a8675f9c90b5cc6778d770d8a7
SHA256

3f25bc78db5f00c85bbd8662838858fa12989976b7be9c70aa6f68fe92c78a53
SHA512

12f160d3162f5fa8a62e972630e0e9c17385e7ab4a8760a8680f20a89f3acc64c1baff8a68b5a7b8e8f7785b72cac3ae7254bb1b223aacbe413a5e5a65455f41

Score

10^/10

orcus start - steam rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

Start - Steam

185.217.1.185:911

Mutex

a36e4add169c442b882f8f0c5cb7e8cf

Attributes

autostart_method
TaskScheduler
enable_keylogger
false
install_path
%programdata%\Steam\Steam Client.exe
reconnect_delay
6600
registry_keyname
Steam Webhelper Standalone
taskscheduler_taskname
Steam Client WebHelper
watchdog_path
Temp\Steam Client WebHelper.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus Main Payload 3 IoCs

Processes:

resource	yara_rule
C:\ProgramData\Steam\Steam Client.exe	family_orcus
C:\ProgramData\Steam\Steam Client.exe	family_orcus
C:\ProgramData\Steam\Steam Client.exe	family_orcus

Orcurs Rat Executable 3 IoCs

Processes:

resource	yara_rule
C:\ProgramData\Steam\Steam Client.exe	orcus
C:\ProgramData\Steam\Steam Client.exe	orcus
C:\ProgramData\Steam\Steam Client.exe	orcus

Executes dropped EXE 4 IoCs

Processes:

Steam Client.exeSteam Client.exeSteam Client WebHelper.exeSteam Client WebHelper.exe

pid process

4268 Steam Client.exe
3476 Steam Client.exe
492 Steam Client WebHelper.exe
1004 Steam Client WebHelper.exe

pid	process
4268	Steam Client.exe
3476	Steam Client.exe
492	Steam Client WebHelper.exe
1004	Steam Client WebHelper.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

f6d66119_extracted.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	f6d66119_extracted.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	f6d66119_extracted.exe

Drops file in Windows directory 3 IoCs

Processes:

f6d66119_extracted.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	f6d66119_extracted.exe
File created	C:\Windows\assembly\Desktop.ini	f6d66119_extracted.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	f6d66119_extracted.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Steam Client WebHelper.exeSteam Client.exe

pid	process
1004	Steam Client WebHelper.exe
1004	Steam Client WebHelper.exe
1004	Steam Client WebHelper.exe
4268	Steam Client.exe
4268	Steam Client.exe
4268	Steam Client.exe
1004	Steam Client WebHelper.exe
4268	Steam Client.exe
1004	Steam Client WebHelper.exe
4268	Steam Client.exe
1004	Steam Client WebHelper.exe
4268	Steam Client.exe
1004	Steam Client WebHelper.exe
4268	Steam Client.exe
1004	Steam Client WebHelper.exe
4268	Steam Client.exe
1004	Steam Client WebHelper.exe
4268	Steam Client.exe
1004	Steam Client WebHelper.exe
4268	Steam Client.exe
1004	Steam Client WebHelper.exe
4268	Steam Client.exe
1004	Steam Client WebHelper.exe
4268	Steam Client.exe
1004	Steam Client WebHelper.exe
4268	Steam Client.exe
1004	Steam Client WebHelper.exe
4268	Steam Client.exe
1004	Steam Client WebHelper.exe
4268	Steam Client.exe
1004	Steam Client WebHelper.exe
4268	Steam Client.exe
1004	Steam Client WebHelper.exe
4268	Steam Client.exe
1004	Steam Client WebHelper.exe
4268	Steam Client.exe
1004	Steam Client WebHelper.exe
4268	Steam Client.exe
1004	Steam Client WebHelper.exe
4268	Steam Client.exe
1004	Steam Client WebHelper.exe
4268	Steam Client.exe
1004	Steam Client WebHelper.exe
4268	Steam Client.exe
1004	Steam Client WebHelper.exe
4268	Steam Client.exe
1004	Steam Client WebHelper.exe
4268	Steam Client.exe
1004	Steam Client WebHelper.exe
4268	Steam Client.exe
1004	Steam Client WebHelper.exe
4268	Steam Client.exe
1004	Steam Client WebHelper.exe
4268	Steam Client.exe
1004	Steam Client WebHelper.exe
4268	Steam Client.exe
1004	Steam Client WebHelper.exe
4268	Steam Client.exe
1004	Steam Client WebHelper.exe
4268	Steam Client.exe
1004	Steam Client WebHelper.exe
4268	Steam Client.exe
1004	Steam Client WebHelper.exe
4268	Steam Client.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Steam Client.exeSteam Client WebHelper.exeSteam Client WebHelper.exe

description	pid	process
Token: SeDebugPrivilege	4268	Steam Client.exe
Token: SeDebugPrivilege	492	Steam Client WebHelper.exe
Token: SeDebugPrivilege	1004	Steam Client WebHelper.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f6d66119_extracted.execsc.exeSteam Client.exeSteam Client WebHelper.exe

description	pid	process	target process
PID 4652 wrote to memory of 3036	4652	f6d66119_extracted.exe	csc.exe
PID 4652 wrote to memory of 3036	4652	f6d66119_extracted.exe	csc.exe
PID 3036 wrote to memory of 2204	3036	csc.exe	cvtres.exe
PID 3036 wrote to memory of 2204	3036	csc.exe	cvtres.exe
PID 4652 wrote to memory of 4268	4652	f6d66119_extracted.exe	Steam Client.exe
PID 4652 wrote to memory of 4268	4652	f6d66119_extracted.exe	Steam Client.exe
PID 4268 wrote to memory of 492	4268	Steam Client.exe	Steam Client WebHelper.exe
PID 4268 wrote to memory of 492	4268	Steam Client.exe	Steam Client WebHelper.exe
PID 4268 wrote to memory of 492	4268	Steam Client.exe	Steam Client WebHelper.exe
PID 492 wrote to memory of 1004	492	Steam Client WebHelper.exe	Steam Client WebHelper.exe
PID 492 wrote to memory of 1004	492	Steam Client WebHelper.exe	Steam Client WebHelper.exe
PID 492 wrote to memory of 1004	492	Steam Client WebHelper.exe	Steam Client WebHelper.exe

C:\Users\Admin\AppData\Local\Temp\f6d66119_extracted.exe
"C:\Users\Admin\AppData\Local\Temp\f6d66119_extracted.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y-p2yf_o.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB973.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB972.tmp"
    3⤵
    PID:2204
- C:\ProgramData\Steam\Steam Client.exe
  "C:\ProgramData\Steam\Steam Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4268
- - C:\Users\Admin\AppData\Local\Temp\Steam Client WebHelper.exe
    "C:\Users\Admin\AppData\Local\Temp\Steam Client WebHelper.exe" /launchSelfAndExit "C:\ProgramData\Steam\Steam Client.exe" 4268 /protectFile
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:492
  - - C:\Users\Admin\AppData\Local\Temp\Steam Client WebHelper.exe
      "C:\Users\Admin\AppData\Local\Temp\Steam Client WebHelper.exe" /watchProcess "C:\ProgramData\Steam\Steam Client.exe" 4268 "/protectFile"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1004

C:\ProgramData\Steam\Steam Client.exe
"C:\ProgramData\Steam\Steam Client.exe"
1⤵
- Executes dropped EXE
PID:3476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Steam\Steam Client.exe

MD5
7c0515a40b439d120deb649fb8ccafe3

SHA1
c081cb8c417f69a8675f9c90b5cc6778d770d8a7

SHA256
3f25bc78db5f00c85bbd8662838858fa12989976b7be9c70aa6f68fe92c78a53

SHA512
12f160d3162f5fa8a62e972630e0e9c17385e7ab4a8760a8680f20a89f3acc64c1baff8a68b5a7b8e8f7785b72cac3ae7254bb1b223aacbe413a5e5a65455f41

Download Submit
C:\ProgramData\Steam\Steam Client.exe

MD5
7c0515a40b439d120deb649fb8ccafe3

SHA1
c081cb8c417f69a8675f9c90b5cc6778d770d8a7

SHA256
3f25bc78db5f00c85bbd8662838858fa12989976b7be9c70aa6f68fe92c78a53

SHA512
12f160d3162f5fa8a62e972630e0e9c17385e7ab4a8760a8680f20a89f3acc64c1baff8a68b5a7b8e8f7785b72cac3ae7254bb1b223aacbe413a5e5a65455f41

Download Submit
C:\ProgramData\Steam\Steam Client.exe

MD5
7c0515a40b439d120deb649fb8ccafe3

SHA1
c081cb8c417f69a8675f9c90b5cc6778d770d8a7

SHA256
3f25bc78db5f00c85bbd8662838858fa12989976b7be9c70aa6f68fe92c78a53

SHA512
12f160d3162f5fa8a62e972630e0e9c17385e7ab4a8760a8680f20a89f3acc64c1baff8a68b5a7b8e8f7785b72cac3ae7254bb1b223aacbe413a5e5a65455f41

Download Submit
C:\ProgramData\Steam\Steam Client.exe.config

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB973.tmp

MD5
d1d78ba003641f45b3a28beb606925d9

SHA1
98c600e6b0a7aafa0270589e89d053b3ca195acc

SHA256
1c38f62492452aca7f497edf0da511d69a77c5957c9cbec7ebd956546c3fb229

SHA512
52b9a17ec3518564df2f2e053379cfed7155064f452a02026d44cecb7c5dccc20690fefb15ab5d5d4cb567381e2f909f529354e8d2c8f1bdd8008d6dccf7b7b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Steam Client WebHelper.exe

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Steam Client WebHelper.exe

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Steam Client WebHelper.exe

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Steam Client WebHelper.exe.config

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\y-p2yf_o.dll

MD5
125f4afbf92cb5193232c7763ca8d3ea

SHA1
bbf76f630bcd9d5b8e4310ad762c073a5b77acb2

SHA256
93bdb0ba778605a29ccfebed369acbbcd266ccef4d96682b030d7e2c1d5c1296

SHA512
918d9ca1e9ed66424e8ad4ddd92a486fc808a13ce99d34ec89582ce70e80ad4cdf36b5dbf441c0be81914596e2c54f303cb507dad200a1af285f49111855c26c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB972.tmp

MD5
e17fef625332cdf0bc57c32efe03009b

SHA1
fbca949186213fadd6e81c4ea6a8dee2ab813771

SHA256
2f74124836f5e89674099b1475b7b275eff1fe337ae2c46371388a1f89a36f8c

SHA512
134918f7fcebffaaa8ca8a25b51e6a222e658b32bfcc3ed00b76ec74c2c514bbee966b1d198777a22180ea217a1799f5f20e8eb515a9f05f110b5a61efd6f622

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\y-p2yf_o.0.cs

MD5
09541f0f24d7424667f7949ba18bcedf

SHA1
ca1b137c243a19c8fa8cf8e63d671f2433df4422

SHA256
cdb855262cab6551d2e279853a52a5904ecd08fa73467194d940a506f0bcefe8

SHA512
a01797c4a1e9e871463395548fede447bd3d78a3a024699f49d8b58e404a369b72bf731262b144aeedee9c01af03d3b9cae820117927776f9b31bb778d1a58a7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\y-p2yf_o.cmdline

MD5
d2891c7d3aace06e5d47746575b307d4

SHA1
b4666e61c08efb6d861d823456d3da836ed11224

SHA256
4f193cd5dcb8f599b31b0b87a8e68e13e2cddb4ffdfcc20343888ec7cd657809

SHA512
7cdd29577d11137c3a7c69a8acb987a745c1e6a70dd2d5a1d3e32be673483abe5a5e0644cbec7bfe7d78faf48048114241cb206203e56678d53a09eda9619828

Download Submit
memory/492-144-0x0000000000000000-mapping.dmp

Download
memory/492-148-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/1004-151-0x0000000000000000-mapping.dmp

Download
memory/2204-118-0x0000000000000000-mapping.dmp

Download
memory/3036-122-0x00000000009B0000-0x00000000009B2000-memory.dmp

Filesize
8KB

Download
memory/3036-115-0x0000000000000000-mapping.dmp

Download
memory/3476-143-0x000000001BA90000-0x000000001BA92000-memory.dmp

Filesize
8KB

Download
memory/4268-132-0x0000000000F60000-0x0000000000F70000-memory.dmp

Filesize
64KB

Download
memory/4268-136-0x0000000001240000-0x0000000001255000-memory.dmp

Filesize
84KB

Download
memory/4268-141-0x0000000001260000-0x000000000126C000-memory.dmp

Filesize
48KB

Download
memory/4268-142-0x000000001B772000-0x000000001B774000-memory.dmp

Filesize
8KB

Download
memory/4268-133-0x0000000000F50000-0x0000000000F52000-memory.dmp

Filesize
8KB

Download
memory/4268-134-0x0000000002CB0000-0x0000000002CF8000-memory.dmp

Filesize
288KB

Download
memory/4268-131-0x0000000000F20000-0x0000000000F2C000-memory.dmp

Filesize
48KB

Download
memory/4268-130-0x000000001B770000-0x000000001B772000-memory.dmp

Filesize
8KB

Download
memory/4268-129-0x0000000002C50000-0x0000000002CAA000-memory.dmp

Filesize
360KB

Download
memory/4268-150-0x000000001B774000-0x000000001B776000-memory.dmp

Filesize
8KB

Download
memory/4268-127-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/4268-123-0x0000000000000000-mapping.dmp

Download
memory/4652-114-0x0000000001210000-0x0000000001212000-memory.dmp

Filesize
8KB

Download