Malware Analysis Report

2025-03-15 06:54

Sample ID: 231219-y3nv5scfam
Target: 91ce27e029579672316835d3df17f5aa
SHA256: 2d691f32f85f4036a2d2557e6a8712642de87f2e4bd739bc646d2e1868247d91
Tags: orcus client001 rat spyware stealer discovery
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 2d691f32f85f4036a2d2557e6a8712642de87f2e4bd739bc646d2e1868247d91

Threat Level: Known bad

The file 91ce27e029579672316835d3df17f5aa was found to be: Known bad.

Malicious Activity Summary

orcus client001 rat spyware stealer discovery

Orcus

Orcurs Rat Executable

Uses the VBS compiler for execution

Modifies file permissions

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-12-19 20:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-19 20:18
Reported: 2023-12-20 02:07
Platform: win7-20231215-en
Max time kernel: 121s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\91ce27e029579672316835d3df17f5aa.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2736 set thread context of 2976 N/A C:\Users\Admin\AppData\Local\Temp\91ce27e029579672316835d3df17f5aa.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2736 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\91ce27e029579672316835d3df17f5aa.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2736 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\91ce27e029579672316835d3df17f5aa.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2736 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\91ce27e029579672316835d3df17f5aa.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2736 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\91ce27e029579672316835d3df17f5aa.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2736 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\91ce27e029579672316835d3df17f5aa.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2736 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\91ce27e029579672316835d3df17f5aa.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2736 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\91ce27e029579672316835d3df17f5aa.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2736 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\91ce27e029579672316835d3df17f5aa.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2736 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\91ce27e029579672316835d3df17f5aa.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2976 wrote to memory of 2724 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
PID 2976 wrote to memory of 2724 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
PID 2976 wrote to memory of 2724 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
PID 2976 wrote to memory of 2724 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
PID 2736 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\91ce27e029579672316835d3df17f5aa.exe C:\Program Files\Java\jre7\bin\javaw.exe
PID 2736 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\91ce27e029579672316835d3df17f5aa.exe C:\Program Files\Java\jre7\bin\javaw.exe
PID 2736 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\91ce27e029579672316835d3df17f5aa.exe C:\Program Files\Java\jre7\bin\javaw.exe
PID 2736 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\91ce27e029579672316835d3df17f5aa.exe C:\Program Files\Java\jre7\bin\javaw.exe

Processes

C:\Users\Admin\AppData\Local\Temp\91ce27e029579672316835d3df17f5aa.exe

"C:\Users\Admin\AppData\Local\Temp\91ce27e029579672316835d3df17f5aa.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 388

C:\Program Files\Java\jre7\bin\javaw.exe

"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\dankclicker.jar"

Network

N/A

Files

memory/2736-0-0x0000000074A30000-0x0000000074FDB000-memory.dmp

memory/2736-1-0x0000000074A30000-0x0000000074FDB000-memory.dmp

memory/2736-2-0x0000000000BC0000-0x0000000000C00000-memory.dmp

memory/2976-3-0x0000000000400000-0x00000000004E8000-memory.dmp

memory/2976-5-0x0000000000400000-0x00000000004E8000-memory.dmp

memory/2976-7-0x0000000000400000-0x00000000004E8000-memory.dmp

memory/2976-9-0x0000000000400000-0x00000000004E8000-memory.dmp

memory/2976-13-0x0000000000400000-0x00000000004E8000-memory.dmp

memory/2976-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2976-16-0x0000000000400000-0x00000000004E8000-memory.dmp

memory/2976-18-0x0000000000400000-0x00000000004E8000-memory.dmp

memory/2976-20-0x0000000002010000-0x0000000002050000-memory.dmp

memory/2976-19-0x0000000074A30000-0x0000000074FDB000-memory.dmp

memory/2976-21-0x0000000074A30000-0x0000000074FDB000-memory.dmp

memory/2736-23-0x0000000074A30000-0x0000000074FDB000-memory.dmp

memory/2724-24-0x00000000006C0000-0x00000000006C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dankclicker.jar

MD5 16731cbd00f8b3a7f83d07434e85b0d6
SHA1 54d52dd8aeaa2d232f4ec13d27ff44ae150fa22c
SHA256 d5c5d34e6fc48e09305135d86d6a635fd370f2ae31ee945538259458ff2fa124
SHA512 c4d891a727e4f3acc4315319e9983e3cd27af4ef2035242107f4d35c253dd726f9f0ba482d200b954a80c110725f11dfba4430fa2bf1d901b869ea7cb690e596

memory/1664-34-0x0000000002060000-0x0000000005060000-memory.dmp

memory/1664-35-0x0000000000210000-0x0000000000211000-memory.dmp

memory/2976-38-0x0000000074A30000-0x0000000074FDB000-memory.dmp

memory/2976-39-0x0000000002010000-0x0000000002050000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-19 20:18
Reported: 2023-12-20 02:05
Platform: win10v2004-20231215-en
Max time kernel: 2s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\91ce27e029579672316835d3df17f5aa.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery

Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3344 set thread context of 4468 N/A C:\Users\Admin\AppData\Local\Temp\91ce27e029579672316835d3df17f5aa.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3344 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\91ce27e029579672316835d3df17f5aa.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3344 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\91ce27e029579672316835d3df17f5aa.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3344 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\91ce27e029579672316835d3df17f5aa.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3344 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\91ce27e029579672316835d3df17f5aa.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3344 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\91ce27e029579672316835d3df17f5aa.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3344 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\91ce27e029579672316835d3df17f5aa.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3344 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\91ce27e029579672316835d3df17f5aa.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3344 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\91ce27e029579672316835d3df17f5aa.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4468 wrote to memory of 5060 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
PID 4468 wrote to memory of 5060 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
PID 4468 wrote to memory of 5060 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

Processes

C:\Users\Admin\AppData\Local\Temp\91ce27e029579672316835d3df17f5aa.exe

"C:\Users\Admin\AppData\Local\Temp\91ce27e029579672316835d3df17f5aa.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 784

C:\Program Files\Java\jre-1.8\bin\javaw.exe

"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\dankclicker.jar"

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/3344-0-0x0000000074680000-0x0000000074C31000-memory.dmp

memory/3344-1-0x0000000074680000-0x0000000074C31000-memory.dmp

memory/3344-2-0x00000000014D0000-0x00000000014E0000-memory.dmp

memory/4468-3-0x0000000000400000-0x00000000004E8000-memory.dmp

memory/4468-5-0x0000000074680000-0x0000000074C31000-memory.dmp

memory/4468-6-0x0000000000A50000-0x0000000000A60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dankclicker.jar

MD5 c9b4a232b6d98cb952d32c8b4aef2b80
SHA1 028d93dcd68d232ef9dfdae6a52c0dc94b7f5de9
SHA256 ecd6c802ed9d4bf315bd88aaa216f839d829ed2ba2efc31a5770a32d26610cdb
SHA512 1b3015efd7cb6dcbc94bf601565faf19ac05f6ae22bd039da0fd52de1f136ec5e2b635008f856c6ccf545a93235e76078a5271524503ec7e116faa4d38f4e514

memory/3344-16-0x0000000074680000-0x0000000074C31000-memory.dmp

memory/4468-18-0x0000000074680000-0x0000000074C31000-memory.dmp

memory/1332-23-0x000001AD21280000-0x000001AD22280000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 0edb262268ae18bad4f531765a2342d7
SHA1 fc003cc1f5d72115534f45b79b53a4b7e46db1f1
SHA256 10c2db4ab255bf30213976249d2149459383a95a44ff3de23b11b647c0660e92
SHA512 24ed0a2bbaa3ec51fbc51a95ca46248610e4b9fed414f140a1b2e783642404e2a8f3dea6cfda377a4e1308ff58e85ffcd4641bc0115163f96a3be0dc002dd2ff

memory/1332-31-0x000001AD1F9F0000-0x000001AD1F9F1000-memory.dmp

memory/1332-41-0x000001AD1F9F0000-0x000001AD1F9F1000-memory.dmp

memory/1332-45-0x000001AD1F9F0000-0x000001AD1F9F1000-memory.dmp

memory/1332-49-0x000001AD21280000-0x000001AD22280000-memory.dmp

memory/1332-53-0x000001AD1F9F0000-0x000001AD1F9F1000-memory.dmp

memory/1332-63-0x000001AD1F9F0000-0x000001AD1F9F1000-memory.dmp

memory/1332-61-0x000001AD21280000-0x000001AD22280000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JNativeHook-5B1590FA829A6B697D80B3EFB82CAD0DE50F8092.dll

MD5 08c0a8b8e22164b49443cee9096839df
SHA1 5b1590fa829a6b697d80b3efb82cad0de50f8092
SHA256 995d79a1e1ba5ee98e3865dc1ee22d4bd8dc8b19d5ece4b47bf28d14ad913590
SHA512 c4b9432aff3fe9a0284900e21be627642190e1414057cb6f6938a718872f5d64a56700ae863bb03e6978ea254bf773b69507e4489e2ed6e42d8f3080d26f313d

memory/1332-75-0x000001AD1F9F0000-0x000001AD1F9F1000-memory.dmp

memory/1332-77-0x0000000065E40000-0x0000000065E55000-memory.dmp

memory/1332-78-0x000001AD1F9F0000-0x000001AD1F9F1000-memory.dmp

memory/1332-79-0x000001AD1F9F0000-0x000001AD1F9F1000-memory.dmp

memory/1332-81-0x000001AD1F9F0000-0x000001AD1F9F1000-memory.dmp

memory/1332-83-0x000001AD21280000-0x000001AD22280000-memory.dmp