orcus | 4563fa06b9e2a308b48d6e342715b02b494170e4cceafa902d21bd8dd953ff8e

General

Target

4563fa06b9e2a308b48d6e342715b02b494170e4cceafa902d21bd8dd953ff8e.exe
Size

909KB
MD5

0766f3d3a085ff223182010af4678eef
SHA1

3b4c8be4d002121a9e604864fbe1897c598467c0
SHA256

4563fa06b9e2a308b48d6e342715b02b494170e4cceafa902d21bd8dd953ff8e
SHA512

7f4c05d364b4c683f7f7f054099200b21023abfb4ddea7f5f65133f6904d9fea10bfb616ab2a336893d5e31541a551730991f94e1a4610cd422a754022980254

Score

10^/10

orcus persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

185.209.23.119:10134

Mutex

d4911beaeae0483b888d4daf666bbb74

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 3 IoCs

Processes:

resource	yara_rule
C:\Program Files\Orcus\Orcus.exe	family_orcus
C:\Program Files\Orcus\Orcus.exe	family_orcus
C:\Program Files\Orcus\Orcus.exe	family_orcus

Orcurs Rat Executable 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2448-130-0x0000000000650000-0x000000000073A000-memory.dmp	orcus
C:\Program Files\Orcus\Orcus.exe	orcus
C:\Program Files\Orcus\Orcus.exe	orcus
C:\Program Files\Orcus\Orcus.exe	orcus

Executes dropped EXE 4 IoCs

Processes:

WindowsInput.exeWindowsInput.exeOrcus.exeOrcus.exe

pid process

3392 WindowsInput.exe
4392 WindowsInput.exe
5028 Orcus.exe
2616 Orcus.exe

pid	process
3392	WindowsInput.exe
4392	WindowsInput.exe
5028	Orcus.exe
2616	Orcus.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4563fa06b9e2a308b48d6e342715b02b494170e4cceafa902d21bd8dd953ff8e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	4563fa06b9e2a308b48d6e342715b02b494170e4cceafa902d21bd8dd953ff8e.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Orcus.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Orcus = "\"C:\\Program Files\\Orcus\\Orcus.exe\""	Orcus.exe

Drops file in System32 directory 3 IoCs

Processes:

4563fa06b9e2a308b48d6e342715b02b494170e4cceafa902d21bd8dd953ff8e.exeWindowsInput.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WindowsInput.exe	4563fa06b9e2a308b48d6e342715b02b494170e4cceafa902d21bd8dd953ff8e.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	4563fa06b9e2a308b48d6e342715b02b494170e4cceafa902d21bd8dd953ff8e.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Drops file in Program Files directory 3 IoCs

Processes:

4563fa06b9e2a308b48d6e342715b02b494170e4cceafa902d21bd8dd953ff8e.exe

description	ioc	process
File created	C:\Program Files\Orcus\Orcus.exe	4563fa06b9e2a308b48d6e342715b02b494170e4cceafa902d21bd8dd953ff8e.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	4563fa06b9e2a308b48d6e342715b02b494170e4cceafa902d21bd8dd953ff8e.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	4563fa06b9e2a308b48d6e342715b02b494170e4cceafa902d21bd8dd953ff8e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Orcus.exe

description pid process

Token: SeDebugPrivilege 5028 Orcus.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Orcus.exe

pid process

5028 Orcus.exe

description	pid	process
Token: SeDebugPrivilege	5028	Orcus.exe

pid	process
5028	Orcus.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

4563fa06b9e2a308b48d6e342715b02b494170e4cceafa902d21bd8dd953ff8e.exe

description	pid	process	target process
PID 2448 wrote to memory of 3392	2448	4563fa06b9e2a308b48d6e342715b02b494170e4cceafa902d21bd8dd953ff8e.exe	WindowsInput.exe
PID 2448 wrote to memory of 3392	2448	4563fa06b9e2a308b48d6e342715b02b494170e4cceafa902d21bd8dd953ff8e.exe	WindowsInput.exe
PID 2448 wrote to memory of 5028	2448	4563fa06b9e2a308b48d6e342715b02b494170e4cceafa902d21bd8dd953ff8e.exe	Orcus.exe
PID 2448 wrote to memory of 5028	2448	4563fa06b9e2a308b48d6e342715b02b494170e4cceafa902d21bd8dd953ff8e.exe	Orcus.exe

C:\Users\Admin\AppData\Local\Temp\4563fa06b9e2a308b48d6e342715b02b494170e4cceafa902d21bd8dd953ff8e.exe
"C:\Users\Admin\AppData\Local\Temp\4563fa06b9e2a308b48d6e342715b02b494170e4cceafa902d21bd8dd953ff8e.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2448

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3392

C:\Program Files\Orcus\Orcus.exe
"C:\Program Files\Orcus\Orcus.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5028

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:4392

C:\Program Files\Orcus\Orcus.exe
"C:\Program Files\Orcus\Orcus.exe"
1⤵
- Executes dropped EXE
PID:2616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe
Filesize
909KB

MD5
0766f3d3a085ff223182010af4678eef

SHA1
3b4c8be4d002121a9e604864fbe1897c598467c0

SHA256
4563fa06b9e2a308b48d6e342715b02b494170e4cceafa902d21bd8dd953ff8e

SHA512
7f4c05d364b4c683f7f7f054099200b21023abfb4ddea7f5f65133f6904d9fea10bfb616ab2a336893d5e31541a551730991f94e1a4610cd422a754022980254

Download Submit
C:\Program Files\Orcus\Orcus.exe
Filesize
909KB

MD5
0766f3d3a085ff223182010af4678eef

SHA1
3b4c8be4d002121a9e604864fbe1897c598467c0

SHA256
4563fa06b9e2a308b48d6e342715b02b494170e4cceafa902d21bd8dd953ff8e

SHA512
7f4c05d364b4c683f7f7f054099200b21023abfb4ddea7f5f65133f6904d9fea10bfb616ab2a336893d5e31541a551730991f94e1a4610cd422a754022980254

Download Submit
C:\Program Files\Orcus\Orcus.exe
Filesize
909KB

MD5
0766f3d3a085ff223182010af4678eef

SHA1
3b4c8be4d002121a9e604864fbe1897c598467c0

SHA256
4563fa06b9e2a308b48d6e342715b02b494170e4cceafa902d21bd8dd953ff8e

SHA512
7f4c05d364b4c683f7f7f054099200b21023abfb4ddea7f5f65133f6904d9fea10bfb616ab2a336893d5e31541a551730991f94e1a4610cd422a754022980254

Download Submit
C:\Program Files\Orcus\Orcus.exe.config
Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe
Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe
Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe
Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config
Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
memory/2448-131-0x00007FF8C0C00000-0x00007FF8C16C1000-memory.dmp

Filesize
10.8MB

Download
memory/2448-132-0x00007FF8C0C00000-0x00007FF8C16C1000-memory.dmp

Filesize
10.8MB

Download
memory/2448-150-0x00007FF8C0C00000-0x00007FF8C16C1000-memory.dmp

Filesize
10.8MB

Download
memory/2448-130-0x0000000000650000-0x000000000073A000-memory.dmp

Filesize
936KB

Download
memory/2616-155-0x00007FF8C0C00000-0x00007FF8C16C1000-memory.dmp

Filesize
10.8MB

Download
memory/2616-154-0x00007FF8C0C00000-0x00007FF8C16C1000-memory.dmp

Filesize
10.8MB

Download
memory/3392-142-0x00007FF8C0C00000-0x00007FF8C16C1000-memory.dmp

Filesize
10.8MB

Download
memory/3392-141-0x0000000001360000-0x000000000139C000-memory.dmp

Filesize
240KB

Download
memory/3392-140-0x00000000012F0000-0x0000000001302000-memory.dmp

Filesize
72KB

Download
memory/3392-139-0x00007FF8C0C00000-0x00007FF8C16C1000-memory.dmp

Filesize
10.8MB

Download
memory/3392-138-0x00007FF8C0C00000-0x00007FF8C16C1000-memory.dmp

Filesize
10.8MB

Download
memory/3392-137-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

Filesize
48KB

Download
memory/3392-133-0x0000000000000000-mapping.dmp

Download
memory/4392-144-0x00007FF8C0C00000-0x00007FF8C16C1000-memory.dmp

Filesize
10.8MB

Download
memory/4392-145-0x000000001B550000-0x000000001B65A000-memory.dmp

Filesize
1.0MB

Download
memory/4392-156-0x00007FF8C0C00000-0x00007FF8C16C1000-memory.dmp

Filesize
10.8MB

Download
memory/5028-151-0x00007FF8C0C00000-0x00007FF8C16C1000-memory.dmp

Filesize
10.8MB

Download
memory/5028-153-0x000000001C410000-0x000000001C5D2000-memory.dmp

Filesize
1.8MB

Download
memory/5028-146-0x0000000000000000-mapping.dmp

Download
memory/5028-157-0x00007FF8C0C00000-0x00007FF8C16C1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads