Malware Analysis Report

2025-03-15 06:52

Sample ID 231219-bfz9bsfhg8
Target 6c348016ee136190e780d6161e8f2710cd830e697f9cd56a3df45bf7ec59867c
SHA256 6c348016ee136190e780d6161e8f2710cd830e697f9cd56a3df45bf7ec59867c
Tags
new tag orcus rat spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

6c348016ee136190e780d6161e8f2710cd830e697f9cd56a3df45bf7ec59867c

Threat Level: Known bad

The file 6c348016ee136190e780d6161e8f2710cd830e697f9cd56a3df45bf7ec59867c was found to be: Known bad.

Malicious Activity Summary

new tag orcus rat spyware stealer

Orcurs Rat Executable

Orcus family

Orcus

Orcus main payload

Orcurs Rat Executable

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Unsigned PE

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-19 01:05

Signatures

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Orcus family

orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-19 01:05

Reported

2023-12-19 01:08

Platform

win7-20231215-en

Max time kernel

121s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6c348016ee136190e780d6161e8f2710cd830e697f9cd56a3df45bf7ec59867c.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process                                                                                                          Target
Token: SeDebugPrivilege  N/A        C:\Users\Admin\AppData\Local\Temp\6c348016ee136190e780d6161e8f2710cd830e697f9cd56a3df45bf7ec59867c.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6c348016ee136190e780d6161e8f2710cd830e697f9cd56a3df45bf7ec59867c.exe

"C:\Users\Admin\AppData\Local\Temp\6c348016ee136190e780d6161e8f2710cd830e697f9cd56a3df45bf7ec59867c.exe"

Network

Country  Destination          Domain                    Proto
US       8.8.8.8:53           19705.client.sudorat.top  udp
RU       31.44.184.52:19705   19705.client.sudorat.top  tcp
N/A      127.0.0.1:1111       -                         tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab4C3E.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-19 01:05

Reported

2023-12-19 01:08

Platform

win10v2004-20231215-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6c348016ee136190e780d6161e8f2710cd830e697f9cd56a3df45bf7ec59867c.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process                                                                                                          Target
Token: SeDebugPrivilege  N/A        C:\Users\Admin\AppData\Local\Temp\6c348016ee136190e780d6161e8f2710cd830e697f9cd56a3df45bf7ec59867c.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6c348016ee136190e780d6161e8f2710cd830e697f9cd56a3df45bf7ec59867c.exe

"C:\Users\Admin\AppData\Local\Temp\6c348016ee136190e780d6161e8f2710cd830e697f9cd56a3df45bf7ec59867c.exe"

Network

Country  Destination          Domain                          Proto
NL       52.142.223.178:80    -                               tcp
US       8.8.8.8:53           19.177.190.20.in-addr.arpa      udp
US       8.8.8.8:53           240.221.184.93.in-addr.arpa     udp
US       8.8.8.8:53           241.154.82.20.in-addr.arpa      udp
US       8.8.8.8:53           19705.client.sudorat.top        udp
RU       31.44.184.52:19705   19705.client.sudorat.top        tcp
N/A      127.0.0.1:1111       -                               tcp
US       8.8.8.8:53           41.110.16.96.in-addr.arpa       udp
US       8.8.8.8:53           88.156.103.20.in-addr.arpa      udp
US       8.8.8.8:53           52.184.44.31.in-addr.arpa       udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53           183.59.114.20.in-addr.arpa      udp
US       8.8.8.8:53           18.31.95.13.in-addr.arpa        udp
US       8.8.8.8:53           217.135.221.88.in-addr.arpa     udp
US       8.8.8.8:53           79.121.231.20.in-addr.arpa      udp
US       8.8.8.8:53           48.229.111.52.in-addr.arpa      udp
US       8.8.8.8:53           169.117.168.52.in-addr.arpa     udp

Files