orcus | 73b3f7a47789c76c1b9f255c87af664fb9e1ccb7dbec3208031d966e2f218b99

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
22/11/2023, 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73b3f7a47789c76c1b9f255c87af664fb9e1ccb7dbec3208031d966e2f218b99.exe
Size

3.0MB
MD5

ec6e909738e4a520d7d484a01f1ccf62
SHA1

c0b78f115589e302a65f6c1b38476dfe13b43874
SHA256

73b3f7a47789c76c1b9f255c87af664fb9e1ccb7dbec3208031d966e2f218b99
SHA512

270cd1fa8d9305fa8eb04b3342ebb8fd1c478aa24e30bd64d61ab213ca945b2a3e07cae3a5a9f5d23e72b99c2c24e60cf0dee6626b72fde7b6c1db263c265224
SSDEEP

49152:JOHm7p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpqFr8NOI8pilFmvxHnr:J1HTPJg8z1mKnypSbRxo9JCmg

Score

10^/10

orcus новый тег rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

Новый тег

128.59.46.185:1707

Mutex

sudo_1irav9l2ncocbcypyrghnq6n4zxr8cn3

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%appdata%\_externaluploads\cpuupdate.exe
reconnect_delay
10000
registry_keyname
Sudik
taskscheduler_taskname
sudik
watchdog_path
AppData\aga.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcurs Rat Executable 1 IoCs

resource	yara_rule
behavioral2/memory/3652-1-0x00000000002B0000-0x00000000005B2000-memory.dmp	orcus

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3652	73b3f7a47789c76c1b9f255c87af664fb9e1ccb7dbec3208031d966e2f218b99.exe

C:\Users\Admin\AppData\Local\Temp\73b3f7a47789c76c1b9f255c87af664fb9e1ccb7dbec3208031d966e2f218b99.exe
"C:\Users\Admin\AppData\Local\Temp\73b3f7a47789c76c1b9f255c87af664fb9e1ccb7dbec3208031d966e2f218b99.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3652-1-0x00000000002B0000-0x00000000005B2000-memory.dmp

Filesize
3.0MB

Download
memory/3652-0-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download
memory/3652-2-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/3652-3-0x0000000002800000-0x000000000280E000-memory.dmp

Filesize
56KB

Download
memory/3652-4-0x0000000004FA0000-0x0000000004FFC000-memory.dmp

Filesize
368KB

Download
memory/3652-5-0x00000000057A0000-0x0000000005D44000-memory.dmp

Filesize
5.6MB

Download
memory/3652-6-0x00000000051F0000-0x0000000005282000-memory.dmp

Filesize
584KB

Download
memory/3652-7-0x00000000050F0000-0x0000000005102000-memory.dmp

Filesize
72KB

Download
memory/3652-8-0x00000000056D0000-0x00000000056E8000-memory.dmp

Filesize
96KB

Download
memory/3652-9-0x0000000005F50000-0x0000000005F60000-memory.dmp

Filesize
64KB

Download
memory/3652-10-0x0000000006290000-0x000000000629A000-memory.dmp

Filesize
40KB

Download
memory/3652-13-0x0000000006BA0000-0x0000000006C06000-memory.dmp

Filesize
408KB

Download
memory/3652-14-0x0000000007230000-0x0000000007848000-memory.dmp

Filesize
6.1MB

Download
memory/3652-15-0x0000000006C40000-0x0000000006C52000-memory.dmp

Filesize
72KB

Download
memory/3652-16-0x0000000006CA0000-0x0000000006CDC000-memory.dmp

Filesize
240KB

Download
memory/3652-17-0x0000000006CE0000-0x0000000006D2C000-memory.dmp

Filesize
304KB

Download
memory/3652-18-0x0000000006E70000-0x0000000006F7A000-memory.dmp

Filesize
1.0MB

Download
memory/3652-19-0x0000000007850000-0x0000000007A12000-memory.dmp

Filesize
1.8MB

Download
memory/3652-20-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download
memory/3652-21-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads