Overview

overview

10

Static

static

10

OrcusRAT-main.zip

windows10-2004-x64

10

Analysis

  • max time kernel
    350s
  • max time network
    358s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/06/2023, 09:43

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    OrcusRAT-main.zip

  • Size

    25.0MB

  • MD5

    4ebe8621171038676189cbc5e7053d9f

  • SHA1

    2e3a3b97163d1e8af1e41c36f9495062fb4b1934

  • SHA256

    3786d314f4e3906400b24657ed15fca047576eba9cf17630246db69503fdbea3

  • SHA512

    e0091ae9f3acddc7e8d11b89a60debc3dab57b8af57bde4a3f538b2283eae398a1adec8224bf5fd2d0be61be015fc2a79c49b06cf786945073e1cc87d66be356

  • SSDEEP

    786432:DFrAoo07VJxiSdlBx4IVwXuOHKW3kijZk:hrA+xJBgIEuMUiNk

Score
10/10
orcusratspywarestealer

Malware Config

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcurs Rat Executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\OrcusRAT-main.zip
    1⤵
      PID:4796
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:936
      • C:\Users\Admin\Desktop\OrcusRAT-main\Orcus.Administration.exe
        "C:\Users\Admin\Desktop\OrcusRAT-main\Orcus.Administration.exe"
        1⤵
        • Loads dropped DLL
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4488
        • C:\Windows\SysWOW64\explorer.exe
          "C:\Windows\System32\explorer.exe" /select, "C:\Users\Admin\Desktop\Orcus.Server.exe"
          2⤵
            PID:1156
          • C:\Windows\SysWOW64\explorer.exe
            "C:\Windows\System32\explorer.exe" /select, "C:\Users\Admin\Desktop\OrcusRAT-main\server 1\Orcus.Server.exe"
            2⤵
              PID:2236
          • C:\Windows\explorer.exe
            C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
            1⤵
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious use of SetWindowsHookEx
            PID:3624
          • C:\Windows\explorer.exe
            C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
            1⤵
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:620
            • C:\Users\Admin\Desktop\OrcusRAT-main\server 1\Orcus.Server.exe
              "C:\Users\Admin\Desktop\OrcusRAT-main\server 1\Orcus.Server.exe"
              2⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              PID:4400
          • C:\Users\Admin\Desktop\rat.exe
            "C:\Users\Admin\Desktop\rat.exe"
            1⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops desktop.ini file(s)
            • Drops file in Windows directory
            • Suspicious use of WriteProcessMemory
            PID:3656
            • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
              "C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
              2⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of SetWindowsHookEx
              PID:3892
          • C:\Windows\system32\AUDIODG.EXE
            C:\Windows\system32\AUDIODG.EXE 0x240 0x30c
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2248

          Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\Costura\2C9662276C8B885676D4578FFA67621B\32\sqlite3.dll
                  Filesize

                  626KB

                  MD5

                  d8aec01ff14e3e7ad43a4b71e30482e4

                  SHA1

                  e3015f56f17d845ec7eef11d41bbbc28cc16d096

                  SHA256

                  da1d608be064555ab3d3d35e6db64527b8c44f3fa5ddd7c3ec723f80fc99736e

                  SHA512

                  f5b2f4bda0cc13e1d1c541fb0caea14081ee4daffd497e31a3d4d55d5f9d85a61158b4891a6527efe623b2f32b697ac912320d9be5c0303812ca98dcc8866fcf

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\opus.dll
                  Filesize

                  332KB

                  MD5

                  1fc04b8bb4896745163df806695ee193

                  SHA1

                  39174ce2fca9a3e86bb7a5686037bc42f2572de1

                  SHA256

                  3f2b2fd440fdd84288dadfc63e37a4bc7ea0aae26889ab0d4a5ef6148f44ce14

                  SHA512

                  3ff18bdd364f27e54ffbf2d1af53e3500ec57e7e8fa14185f7fb1ef6639d69ac6253543b9e2155ade45ca5bcd567e94334f1ee7ad0a7ff28194168dc49883261

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\GamerView\sqlite3.dll
                  Filesize

                  626KB

                  MD5

                  d8aec01ff14e3e7ad43a4b71e30482e4

                  SHA1

                  e3015f56f17d845ec7eef11d41bbbc28cc16d096

                  SHA256

                  da1d608be064555ab3d3d35e6db64527b8c44f3fa5ddd7c3ec723f80fc99736e

                  SHA512

                  f5b2f4bda0cc13e1d1c541fb0caea14081ee4daffd497e31a3d4d55d5f9d85a61158b4891a6527efe623b2f32b697ac912320d9be5c0303812ca98dcc8866fcf

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\GamerView\sqlite3.dll
                  Filesize

                  626KB

                  MD5

                  d8aec01ff14e3e7ad43a4b71e30482e4

                  SHA1

                  e3015f56f17d845ec7eef11d41bbbc28cc16d096

                  SHA256

                  da1d608be064555ab3d3d35e6db64527b8c44f3fa5ddd7c3ec723f80fc99736e

                  SHA512

                  f5b2f4bda0cc13e1d1c541fb0caea14081ee4daffd497e31a3d4d55d5f9d85a61158b4891a6527efe623b2f32b697ac912320d9be5c0303812ca98dcc8866fcf

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
                  Filesize

                  1.2MB

                  MD5

                  8161bcf22ad882c378ba60c0304c3321

                  SHA1

                  faefc1bb9240d5260f8e2ec85913dd3ed7e73abe

                  SHA256

                  739d55803651698c6ea4e7f5e150a51c039030730ac938902138fcdd7566d041

                  SHA512

                  ecb77b8ebf528d2837afa94cf12dfdf6fef788a6827015ec1e2b2790cfa65849d1fe95b8a0c84aad911b007885713d773cf7c5d0a13fa573723498692944c645

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
                  Filesize

                  1.2MB

                  MD5

                  8161bcf22ad882c378ba60c0304c3321

                  SHA1

                  faefc1bb9240d5260f8e2ec85913dd3ed7e73abe

                  SHA256

                  739d55803651698c6ea4e7f5e150a51c039030730ac938902138fcdd7566d041

                  SHA512

                  ecb77b8ebf528d2837afa94cf12dfdf6fef788a6827015ec1e2b2790cfa65849d1fe95b8a0c84aad911b007885713d773cf7c5d0a13fa573723498692944c645

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
                  Filesize

                  1.2MB

                  MD5

                  8161bcf22ad882c378ba60c0304c3321

                  SHA1

                  faefc1bb9240d5260f8e2ec85913dd3ed7e73abe

                  SHA256

                  739d55803651698c6ea4e7f5e150a51c039030730ac938902138fcdd7566d041

                  SHA512

                  ecb77b8ebf528d2837afa94cf12dfdf6fef788a6827015ec1e2b2790cfa65849d1fe95b8a0c84aad911b007885713d773cf7c5d0a13fa573723498692944c645

                  Download Submit

                • C:\Users\Admin\Desktop\Orcus.Server.exe
                  Filesize

                  3.3MB

                  MD5

                  423c84c4e8fe8fa7685ceed43acf8335

                  SHA1

                  7270183b6507932681257b9d9033f51600c4704d

                  SHA256

                  a5e07a905fa95fd8e7370fc706682d823ab9b8974f5867e96f1be9c4e16e0557

                  SHA512

                  ae1bbbe7e51df645f2afd3c64b8a8ae87b71db98929a1f87fd4903ec74a5fe54f6d996dbba71ac4dee985f50bb05ce4dd3df55b4965fab0477f01885146724d4

                  Download Submit

                • C:\Users\Admin\Desktop\OrcusRAT-main\server 1\Orcus.Server.exe
                  Filesize

                  3.3MB

                  MD5

                  423c84c4e8fe8fa7685ceed43acf8335

                  SHA1

                  7270183b6507932681257b9d9033f51600c4704d

                  SHA256

                  a5e07a905fa95fd8e7370fc706682d823ab9b8974f5867e96f1be9c4e16e0557

                  SHA512

                  ae1bbbe7e51df645f2afd3c64b8a8ae87b71db98929a1f87fd4903ec74a5fe54f6d996dbba71ac4dee985f50bb05ce4dd3df55b4965fab0477f01885146724d4

                  Download Submit

                • C:\Users\Admin\Desktop\OrcusRAT-main\server 1\Orcus.Server.exe
                  Filesize

                  3.3MB

                  MD5

                  423c84c4e8fe8fa7685ceed43acf8335

                  SHA1

                  7270183b6507932681257b9d9033f51600c4704d

                  SHA256

                  a5e07a905fa95fd8e7370fc706682d823ab9b8974f5867e96f1be9c4e16e0557

                  SHA512

                  ae1bbbe7e51df645f2afd3c64b8a8ae87b71db98929a1f87fd4903ec74a5fe54f6d996dbba71ac4dee985f50bb05ce4dd3df55b4965fab0477f01885146724d4

                  Download Submit

                • C:\Users\Admin\Desktop\OrcusRAT-main\server 1\certificate.pfx
                  Filesize

                  1KB

                  MD5

                  290e70ab7650669eeef11a47e157995b

                  SHA1

                  40543d41a1fe0bfaf2f2b4eea5ae1b741f823b0c

                  SHA256

                  7aac9f3dc8965da8e2ffa8ced78e9d45b7f17692b35f1d9f22870f519103a6ba

                  SHA512

                  e46b8eb0b7b7b016c429ff22ec9e3fce48e580953a05e3d3c59fce6d2ca667d578a6f6c2dce8fe733c2a1c27b4d99dbe1522e73b8c0d03bf7e2ae9062ef4d4cd

                  Download Submit

                • C:\Users\Admin\Desktop\OrcusRAT-main\server 1\settings.json
                  Filesize

                  584B

                  MD5

                  9c41e7964a32b8ae6d9ed3cb012aab9e

                  SHA1

                  83a37730cdd84d7fe542a8d200b2a863ab95fcdc

                  SHA256

                  e39512af4b652489fc621ffb1c3bb61db63d0c10acb441d83cdde9fbc70e42aa

                  SHA512

                  8aa58a24340dd6604b33686ef07ad224a921daa595d66db10ccd9724ea676550c2a1625a206d902da414fc385a18c445302e2a9d28def336c8cdb6e7a72d298c

                  Download Submit

                • C:\Users\Admin\Desktop\rat.exe
                  Filesize

                  1.2MB

                  MD5

                  8161bcf22ad882c378ba60c0304c3321

                  SHA1

                  faefc1bb9240d5260f8e2ec85913dd3ed7e73abe

                  SHA256

                  739d55803651698c6ea4e7f5e150a51c039030730ac938902138fcdd7566d041

                  SHA512

                  ecb77b8ebf528d2837afa94cf12dfdf6fef788a6827015ec1e2b2790cfa65849d1fe95b8a0c84aad911b007885713d773cf7c5d0a13fa573723498692944c645

                  Download Submit

                • C:\Users\Admin\Desktop\rat.exe
                  Filesize

                  1.2MB

                  MD5

                  8161bcf22ad882c378ba60c0304c3321

                  SHA1

                  faefc1bb9240d5260f8e2ec85913dd3ed7e73abe

                  SHA256

                  739d55803651698c6ea4e7f5e150a51c039030730ac938902138fcdd7566d041

                  SHA512

                  ecb77b8ebf528d2837afa94cf12dfdf6fef788a6827015ec1e2b2790cfa65849d1fe95b8a0c84aad911b007885713d773cf7c5d0a13fa573723498692944c645

                  Download Submit

                • memory/3656-282-0x00000000018F0000-0x0000000001900000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/3892-296-0x0000000001700000-0x0000000001710000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/3892-318-0x0000000060900000-0x0000000060992000-memory.dmp

                  Filesize

                  584KB

                  Download

                • memory/3892-319-0x0000000001700000-0x0000000001710000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/3892-333-0x0000000001700000-0x0000000001710000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/3892-329-0x0000000001700000-0x0000000001710000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/3892-323-0x0000000060900000-0x0000000060992000-memory.dmp

                  Filesize

                  584KB

                  Download

                • memory/4400-243-0x0000000009400000-0x000000000940A000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/4400-210-0x0000000005C50000-0x0000000005C8C000-memory.dmp

                  Filesize

                  240KB

                  Download

                • memory/4400-250-0x0000000004B70000-0x0000000004B80000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4400-242-0x0000000004B70000-0x0000000004B80000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4400-241-0x0000000004B70000-0x0000000004B80000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4400-238-0x00000000069F0000-0x00000000069FA000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/4400-320-0x0000000060900000-0x0000000060992000-memory.dmp

                  Filesize

                  584KB

                  Download

                • memory/4400-248-0x0000000060900000-0x0000000060992000-memory.dmp

                  Filesize

                  584KB

                  Download

                • memory/4400-208-0x0000000004B70000-0x0000000004B80000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4400-251-0x0000000004B70000-0x0000000004B80000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4400-206-0x0000000005CB0000-0x0000000005E72000-memory.dmp

                  Filesize

                  1.8MB

                  Download

                • memory/4400-324-0x0000000060900000-0x0000000060992000-memory.dmp

                  Filesize

                  584KB

                  Download

                • memory/4400-200-0x0000000000060000-0x00000000003B2000-memory.dmp

                  Filesize

                  3.3MB

                  Download

                • memory/4400-252-0x0000000004B70000-0x0000000004B80000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4400-255-0x0000000060900000-0x0000000060992000-memory.dmp

                  Filesize

                  584KB

                  Download

                • memory/4488-178-0x00000000062E0000-0x00000000062F0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4488-150-0x0000000008420000-0x0000000008432000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/4488-177-0x0000000013480000-0x00000000139AC000-memory.dmp

                  Filesize

                  5.2MB

                  Download

                • memory/4488-133-0x00000000004E0000-0x000000000151E000-memory.dmp

                  Filesize

                  16.2MB

                  Download

                • memory/4488-172-0x00000000062E0000-0x00000000062F0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4488-188-0x00000000062E0000-0x00000000062F0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4488-171-0x0000000006C30000-0x0000000006C40000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4488-170-0x00000000062E0000-0x00000000062F0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4488-169-0x00000000062E0000-0x00000000062F0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4488-168-0x00000000062E0000-0x00000000062F0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4488-167-0x00000000062E0000-0x00000000062F0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4488-166-0x000000000BE50000-0x000000000BE5E000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/4488-165-0x00000000110E0000-0x0000000011118000-memory.dmp

                  Filesize

                  224KB

                  Download

                • memory/4488-164-0x000000000BE60000-0x000000000BE68000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/4488-163-0x000000000BD10000-0x000000000BD18000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/4488-162-0x00000000098E0000-0x00000000098F0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4488-161-0x0000000009900000-0x000000000994C000-memory.dmp

                  Filesize

                  304KB

                  Download

                • memory/4488-160-0x0000000008BD0000-0x0000000008BD8000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/4488-159-0x0000000008900000-0x0000000008908000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/4488-158-0x0000000008E80000-0x0000000009424000-memory.dmp

                  Filesize

                  5.6MB

                  Download

                • memory/4488-157-0x0000000008630000-0x000000000867A000-memory.dmp

                  Filesize

                  296KB

                  Download

                • memory/4488-152-0x00000000084C0000-0x00000000084CC000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/4488-151-0x0000000008540000-0x00000000085D2000-memory.dmp

                  Filesize

                  584KB

                  Download

                • memory/4488-173-0x00000000062E0000-0x00000000062F0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4488-256-0x0000000001AB0000-0x0000000001AC4000-memory.dmp

                  Filesize

                  80KB

                  Download

                • memory/4488-268-0x00000000062E0000-0x00000000062F0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4488-270-0x0000000001E80000-0x0000000001E9A000-memory.dmp

                  Filesize

                  104KB

                  Download

                • memory/4488-149-0x000000000FE40000-0x000000000FE52000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/4488-148-0x00000000037D0000-0x00000000037DA000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/4488-279-0x00000000062E0000-0x00000000062F0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4488-146-0x00000000037B0000-0x00000000037BE000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/4488-147-0x000000000FEB0000-0x000000000FF38000-memory.dmp

                  Filesize

                  544KB

                  Download

                • memory/4488-145-0x000000000C690000-0x000000000C6B2000-memory.dmp

                  Filesize

                  136KB

                  Download

                • memory/4488-144-0x000000000C6D0000-0x000000000C756000-memory.dmp

                  Filesize

                  536KB

                  Download

                • memory/4488-143-0x000000000C620000-0x000000000C632000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/4488-142-0x000000000C560000-0x000000000C578000-memory.dmp

                  Filesize

                  96KB

                  Download

                • memory/4488-141-0x0000000006820000-0x000000000683C000-memory.dmp

                  Filesize

                  112KB

                  Download

                • memory/4488-140-0x0000000006800000-0x000000000681C000-memory.dmp

                  Filesize

                  112KB

                  Download

                • memory/4488-139-0x00000000068F0000-0x00000000069F2000-memory.dmp

                  Filesize

                  1.0MB

                  Download

                • memory/4488-138-0x00000000062E0000-0x00000000062F0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4488-322-0x0000000001F10000-0x0000000001F30000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/4488-137-0x00000000062E0000-0x00000000062F0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4488-136-0x0000000006450000-0x000000000653C000-memory.dmp

                  Filesize

                  944KB

                  Download

                • memory/4488-135-0x0000000006540000-0x00000000067D6000-memory.dmp

                  Filesize

                  2.6MB

                  Download

                • memory/4488-134-0x0000000005EB0000-0x0000000005F60000-memory.dmp

                  Filesize

                  704KB

                  Download