Malware Analysis Report

2025-03-15 06:52

Sample ID: 231221-bdymqahed8
Target: c31f48204b6a9e9188296864abf9b8ad92a54f13973c2c5462da521a9b7c0263
SHA256: c31f48204b6a9e9188296864abf9b8ad92a54f13973c2c5462da521a9b7c0263
Tags: orcus persistence rat spyware stealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: c31f48204b6a9e9188296864abf9b8ad92a54f13973c2c5462da521a9b7c0263

Threat Level: Known bad

The file c31f48204b6a9e9188296864abf9b8ad92a54f13973c2c5462da521a9b7c0263 was found to be: Known bad.

Malicious Activity Summary

orcus persistence rat spyware stealer

Orcurs Rat Executable

Orcus

Orcus family

Orcus main payload

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported: 2023-12-21 01:02

Signatures

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcus family

orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-21 01:02
Reported: 2023-12-21 01:04
Platform: win7-20231215-en
Max time kernel: 121s
Max time network: 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c31f48204b6a9e9188296864abf9b8ad92a54f13973c2c5462da521a9b7c0263.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\windows = "\"C:\\Program Files (x86)\\Orcus\\Orcus.exe\"" | C:\Program Files (x86)\Orcus\Orcus.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\c31f48204b6a9e9188296864abf9b8ad92a54f13973c2c5462da521a9b7c0263.exe | N/A
File opened for modification | C:\Program Files (x86)\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\c31f48204b6a9e9188296864abf9b8ad92a54f13973c2c5462da521a9b7c0263.exe | N/A
File created | C:\Program Files (x86)\Orcus\Orcus.exe.config | C:\Users\Admin\AppData\Local\Temp\c31f48204b6a9e9188296864abf9b8ad92a54f13973c2c5462da521a9b7c0263.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c31f48204b6a9e9188296864abf9b8ad92a54f13973c2c5462da521a9b7c0263.exe

"C:\Users\Admin\AppData\Local\Temp\c31f48204b6a9e9188296864abf9b8ad92a54f13973c2c5462da521a9b7c0263.exe"

C:\Program Files (x86)\Orcus\Orcus.exe

"C:\Program Files (x86)\Orcus\Orcus.exe"

Network

Country | Destination | Domain | Proto
N/A | 192.168.0.19:10134 | | tcp
US | 8.8.8.8:53 | 0.tcp.ngrok.io | udp
US | 3.134.39.220:11834 | 0.tcp.ngrok.io | tcp

Files

\Program Files (x86)\Orcus\Orcus.exe

MD5 16a5e446b2f6d72f5c3b51f2030f0896
SHA1 062a20802a429c2affcf2b2d90307abd3a1a4d42
SHA256 c31f48204b6a9e9188296864abf9b8ad92a54f13973c2c5462da521a9b7c0263
SHA512 53edc505dd50d61b2ff5e40bf3116b337293051d33f04cf8215707710839cf6da1825bdb961a79c99ba30d05c17d0bfa13cf97081af5aebcda87688000b7f9ee

C:\Program Files (x86)\Orcus\Orcus.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

C:\Users\Admin\AppData\Local\Temp\Cab52D3.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-21 01:02
Reported: 2023-12-21 01:05
Platform: win10v2004-20231215-en
Max time kernel: 129s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c31f48204b6a9e9188296864abf9b8ad92a54f13973c2c5462da521a9b7c0263.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c31f48204b6a9e9188296864abf9b8ad92a54f13973c2c5462da521a9b7c0263.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows = "\"C:\\Program Files (x86)\\Orcus\\Orcus.exe\"" | C:\Program Files (x86)\Orcus\Orcus.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\c31f48204b6a9e9188296864abf9b8ad92a54f13973c2c5462da521a9b7c0263.exe | N/A
File opened for modification | C:\Program Files (x86)\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\c31f48204b6a9e9188296864abf9b8ad92a54f13973c2c5462da521a9b7c0263.exe | N/A
File created | C:\Program Files (x86)\Orcus\Orcus.exe.config | C:\Users\Admin\AppData\Local\Temp\c31f48204b6a9e9188296864abf9b8ad92a54f13973c2c5462da521a9b7c0263.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c31f48204b6a9e9188296864abf9b8ad92a54f13973c2c5462da521a9b7c0263.exe

"C:\Users\Admin\AppData\Local\Temp\c31f48204b6a9e9188296864abf9b8ad92a54f13973c2c5462da521a9b7c0263.exe"

C:\Program Files (x86)\Orcus\Orcus.exe

"C:\Program Files (x86)\Orcus\Orcus.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 3.181.190.20.in-addr.arpa | udp
N/A | 192.168.0.19:10134 | | tcp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.tcp.ngrok.io | udp
US | 3.13.191.225:11834 | 0.tcp.ngrok.io | tcp
US | 8.8.8.8:53 | 225.191.13.3.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp

Files

C:\Program Files (x86)\Orcus\Orcus.exe

MD5 7581bdb769809e00ca361b074a6f7014
SHA1 ae862fdae47cbc5bc0f408a0e0735969d129e4f4
SHA256 ef9af9e503ebe08b81e7c7d581f118422087e15b9a25a884d046ecdadaa96221
SHA512 512b6073109f83ab520ef03142ef95b9c47c14d0d7ff1be0663ed5237967b6c4e4a92663dc0e3bf5bffd4cedcfbc6a10e811bcedd7e13ad3ac022ad46882a3e5

C:\Program Files (x86)\Orcus\Orcus.exe

MD5 0018ba2fcd26f60d3b1eb62c16b560f8
SHA1 71cdb996640203f654f646b791057d74a27ba598
SHA256 743f6f848371a03a676f160617d7855fbd4933e177ed13870fb4eb329fbd2f67
SHA512 9e2332f2cbb3f2bb5a7caf6201fff598d085daf936f4912a20593cf66a6872fe0c1eb0c298627634252e7270cf9dbfeb165e7677a3a5615605640a27e7ad2aa7

C:\Program Files (x86)\Orcus\Orcus.exe

MD5 030b9ade42a04e0b80ea8e9527325cc2
SHA1 2179aa67a608a1b8dcede916852103876a255d4d
SHA256 f64048ba14a47b973b5dfcb1dcbd6c02c0c170025e70af76ffefea674e82e2a8
SHA512 5015624f73bf9286859cd6eb43c11a21ff661c907f867bee7862b80b28fa4c68ad5d28acf5487091001bd3a9cb05c0417f5aeac37424a0561c2e05d118c6750a

C:\Program Files (x86)\Orcus\Orcus.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad
