Malware Analysis Report

2025-03-15 06:53

Sample ID: 231221-cbbwlshge8
Target: 956f76cb591026fc6db238d0887eb0f8bd262ba37dfa23b903d0a5d1645e7811
SHA256: 956f76cb591026fc6db238d0887eb0f8bd262ba37dfa23b903d0a5d1645e7811
Tags: orcus rat spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 956f76cb591026fc6db238d0887eb0f8bd262ba37dfa23b903d0a5d1645e7811
Threat Level: Known bad

The file 956f76cb591026fc6db238d0887eb0f8bd262ba37dfa23b903d0a5d1645e7811 was found to be: Known bad.

Malicious Activity Summary

Tags: orcus rat spyware stealer

Orcus family
Orcus
Orcurs Rat Executable
Executes dropped EXE
Checks computer location settings
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-12-21 01:53

Signatures

Orcurs Rat Executable
    1 hit; no description, indicator, process or target recorded

Orcus family
    orcus

Unsigned PE
    1 hit; no description, indicator, process or target recorded

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-21 01:53
Reported: 2023-12-21 01:56
Platform: win7-20231129-en
Max time kernel: 146s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\956f76cb591026fc6db238d0887eb0f8bd262ba37dfa23b903d0a5d1645e7811.exe"

Signatures

Orcus
    rat spyware stealer orcus

Orcurs Rat Executable
    5 hits; no description, indicator, process or target recorded

Executes dropped EXE
    Process: C:\Program Files\Orcus\Orcus.exe (2 hits)

Drops file in Program Files directory
    Process (all rows): C:\Users\Admin\AppData\Local\Temp\956f76cb591026fc6db238d0887eb0f8bd262ba37dfa23b903d0a5d1645e7811.exe
    File created: C:\Program Files\Orcus\Orcus.exe
    File opened for modification: C:\Program Files\Orcus\Orcus.exe
    File created: C:\Program Files\Orcus\Orcus.exe.config
    (An .exe.config file is the .NET application configuration file that accompanies a managed executable, which fits the Orcus RAT client being a .NET binary.)

Enumerates physical storage devices

Uses Task Scheduler COM API
    persistence

Processes

Image path, then command line:

C:\Users\Admin\AppData\Local\Temp\956f76cb591026fc6db238d0887eb0f8bd262ba37dfa23b903d0a5d1645e7811.exe
    "C:\Users\Admin\AppData\Local\Temp\956f76cb591026fc6db238d0887eb0f8bd262ba37dfa23b903d0a5d1645e7811.exe"

C:\Program Files\Orcus\Orcus.exe
    "C:\Program Files\Orcus\Orcus.exe"

C:\Windows\system32\taskeng.exe
    taskeng.exe {289CFF34-D2C2-4031-912F-0CB7C7927654} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]

C:\Program Files\Orcus\Orcus.exe
    "C:\Program Files\Orcus\Orcus.exe"

taskeng.exe is the Task Scheduler engine on Windows 7. Its appearance between the two Orcus.exe instances, together with the "Uses Task Scheduler COM API" signature, is consistent with the second Orcus.exe having been started by a scheduled task registered during the run (the persistence mechanism) rather than by the dropper.

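A detection a SOC could build from the behavioural chain above (a file dropped under C:\Program Files\Orcus\, the dropped EXE executed, a task-scheduler parent for the second launch, and the outbound tunnel connection). This is an added example written in Python over constructed Sysmon-style events; it is not code from the sandbox or from this report. The indicators (paths, hostname, IP, hashes, PIDs) are taken from the report; the svchost.exe parent for Windows 10 task launches, the explorer.exe parent for the dropper and the browser event are assumptions of the example.

```python
r"""Event-stream detection for the chain this report documents: a file
dropped under C:\Program Files\Orcus\, the dropped EXE executed (once by the
dropper, once under the task scheduler host) and an outbound connection to
the *.ply.gg tunnel endpoint. Added example: the events are constructed from
the report's indicators in a Sysmon-like shape, not real sandbox output."""
from dataclasses import dataclass

# Indicators copied from the report (behavioral1 and behavioral2).
DROP_DIR = "c:\\program files\\orcus\\"
C2_HOST_SUFFIX = ".ply.gg"
C2_IPS = {"147.185.221.17"}
KNOWN_BAD_SHA256 = {
    "ec260c890c36a922569d817abbd749d46d6c82f46c4b0b7e181de858f8e97338",
    "3d77f78e4355afdb1a30f5de846efe2a91c6d17c1a1119cdf4db7a811ec150b3",
    "32a2668c464f6dfb7a67158f54b62726229fb2c58e4ea436086981ff01ff0270",
}
# Assumption: task-scheduler launches show one of these parents
# (taskeng.exe on Windows 7 as in behavioral1, svchost.exe on Windows 10).
TASK_HOSTS = {"taskeng.exe", "svchost.exe"}


@dataclass
class Event:
    event_id: int        # Sysmon numbering: 1 ProcessCreate, 3 NetworkConnect, 11 FileCreate
    pid: int
    image: str
    parent_image: str = ""
    target_file: str = ""
    sha256: str = ""
    dest_ip: str = ""
    dest_host: str = ""
    dest_port: int = 0


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def detect(events):
    """Return (rule, pid, detail) tuples; drops are correlated with later executions."""
    alerts = []
    dropped = set()  # normalised paths written under the Orcus drop directory
    for e in events:
        if e.event_id == 11 and e.target_file.lower().startswith(DROP_DIR):
            dropped.add(e.target_file.lower())
            alerts.append(("drop_in_program_files", e.pid, e.target_file))
        elif e.event_id == 1:
            if e.sha256.lower() in KNOWN_BAD_SHA256:
                alerts.append(("known_bad_hash", e.pid, e.sha256))
            if e.image.lower() in dropped:
                alerts.append(("executes_dropped_exe", e.pid, e.image))
                if _basename(e.parent_image) in TASK_HOSTS:
                    alerts.append(("scheduled_task_persistence", e.pid, e.parent_image))
        elif e.event_id == 3:
            if e.dest_host.lower().endswith(C2_HOST_SUFFIX) or e.dest_ip in C2_IPS:
                alerts.append(("c2_tunnel_connection", e.pid,
                               f"{e.dest_host or e.dest_ip}:{e.dest_port}"))
    return alerts


def sample_events():
    """Constructed replay of behavioral1; PIDs, paths and hash come from the report."""
    dropper = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\956f76cb591026fc6db238d0887eb0f8bd262ba37dfa23b903d0a5d1645e7811.exe")
    orcus = r"C:\Program Files\Orcus\Orcus.exe"
    return [
        Event(1, 2960, dropper, parent_image=r"C:\Windows\explorer.exe"),  # parent assumed
        Event(11, 2960, dropper, target_file=orcus),
        Event(11, 2960, dropper, target_file=orcus + ".config"),
        Event(1, 2852, orcus, parent_image=dropper,
              sha256="ec260c890c36a922569d817abbd749d46d6c82f46c4b0b7e181de858f8e97338"),
        Event(3, 2852, orcus, dest_ip="147.185.221.17",
              dest_host="following-s.gl.at.ply.gg", dest_port=46267),
        Event(1, 2584, orcus, parent_image=r"C:\Windows\system32\taskeng.exe"),
        # private address from the report's table: no rule fires on it alone
        Event(3, 2584, orcus, dest_ip="192.168.1.95", dest_port=10134),
        # constructed benign noise: a browser talking to a Microsoft host
        Event(3, 4100, r"C:\Program Files\Internet Explorer\iexplore.exe",
              dest_ip="204.79.197.200", dest_host="g.bing.com", dest_port=443),
    ]


if __name__ == "__main__":
    for rule, pid, detail in detect(sample_events()):
        print(f"{rule:28} pid={pid:<5} {detail}")
```

The correlation in detect() matters: "Executes dropped EXE" only fires for an image that an earlier FileCreate wrote under the drop directory, and "scheduled_task_persistence" only for such an image whose parent is a task host, so a legitimate installer writing to Program Files does not trip either rule by itself.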
Network

Country  Destination            Domain                    Proto  Flows
N/A      192.168.1.95:10134                               tcp    4
US       8.8.8.8:53             following-s.gl.at.ply.gg  udp    1
US       147.185.221.17:46267   following-s.gl.at.ply.gg  tcp    4
US       147.185.221.17:38914   following-s.gl.at.ply.gg  tcp    4

Repeated rows of the original table are collapsed into the Flows column. *.ply.gg hostnames are issued by the playit.gg tunnelling service, so 147.185.221.17 is a relay in front of the operator's host rather than the operator's own address; hunt and block on the hostname and port pair rather than treating the IP as attribution. 192.168.1.95:10134 is a private address that the report does not associate with any domain.

Files

Memory dumps are listed as memory/<pid>-<index>-<start>-<end>-memory.dmp. Orcus.exe appears three times with different hashes: it was captured at several points during the run, and the "File opened for modification" event above shows the dropper reopening it after creation.

memory/2960-0-0x00000000003B0000-0x00000000006A8000-memory.dmp
memory/2960-1-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp
memory/2960-2-0x000000001B1E0000-0x000000001B260000-memory.dmp
memory/2960-4-0x00000000003A0000-0x00000000003AE000-memory.dmp
memory/2960-3-0x0000000000850000-0x00000000008AC000-memory.dmp
memory/2960-5-0x00000000008C0000-0x00000000008D2000-memory.dmp

C:\Program Files\Orcus\Orcus.exe.config
    MD5    a2b76cea3a59fa9af5ea21ff68139c98
    SHA1   35d76475e6a54c168f536e30206578babff58274
    SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
    SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/2960-13-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

C:\Program Files\Orcus\Orcus.exe
    MD5    270d0e6cc8569fd68cbb7bb1a542725f
    SHA1   35cad5cfd8ac87d2e29fd22215338f207518fab0
    SHA256 ec260c890c36a922569d817abbd749d46d6c82f46c4b0b7e181de858f8e97338
    SHA512 9382eaffc944f6d1b9c9ec506fbc5fb66c4073b94fd635edea654cfb40d32ba704addb9eb91f9c94c2befd4ea02088ea5c4ae5e273a77db869537d8332905775

memory/2852-15-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp
memory/2852-16-0x0000000001330000-0x0000000001628000-memory.dmp

C:\Program Files\Orcus\Orcus.exe
    MD5    2a21acc654eb745928798da5f3e2ffb0
    SHA1   7b5a25e169faf3fd8f3dbdb2446069c304220044
    SHA256 3d77f78e4355afdb1a30f5de846efe2a91c6d17c1a1119cdf4db7a811ec150b3
    SHA512 1fa98d6eae3c57463d349eedfac5bfad859671fc37375f29e64075c39587c5200c899960622db8baaaf3098433e2ebd5e48b0f6db50cb105558831fcd8aaf68d

memory/2852-17-0x000000001B100000-0x000000001B180000-memory.dmp
memory/2852-19-0x00000000011A0000-0x00000000011F8000-memory.dmp
memory/2852-18-0x00000000004F0000-0x0000000000502000-memory.dmp
memory/2852-20-0x0000000001200000-0x0000000001218000-memory.dmp

C:\Program Files\Orcus\Orcus.exe
    MD5    af2cfef2d9feaedb46b777a24c127237
    SHA1   82e3dc2141e866382ee47f243c97b1331e230cd9
    SHA256 32a2668c464f6dfb7a67158f54b62726229fb2c58e4ea436086981ff01ff0270
    SHA512 ab7250347273c37178814018bd82e217d736dcba5e74e5dbeb4706fc06a3700659b4201489d3d39fc92abb5c7fd2489df48896ce80dcf22b639f5ce4f286bbce

memory/2852-21-0x0000000000C80000-0x0000000000C90000-memory.dmp
memory/2584-23-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp
memory/2584-24-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp
memory/2852-25-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp
memory/2852-26-0x000000001B100000-0x000000001B180000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-21 01:53
Reported: 2023-12-21 01:56
Platform: win10v2004-20231215-en
Max time kernel: 145s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\956f76cb591026fc6db238d0887eb0f8bd262ba37dfa23b903d0a5d1645e7811.exe"

Signatures

Orcus
    rat spyware stealer orcus

Orcurs Rat Executable
    5 hits; no description, indicator, process or target recorded

Checks computer location settings
    Key value queried: \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation
    Process: C:\Users\Admin\AppData\Local\Temp\956f76cb591026fc6db238d0887eb0f8bd262ba37dfa23b903d0a5d1645e7811.exe
    (Geo\Nation holds the user's configured country; reading it is a common way for malware to gate execution by region. The report records only the query, not what the sample did with the value.)

Executes dropped EXE
    Process: C:\Program Files\Orcus\Orcus.exe (2 hits)

Drops file in Program Files directory
    Process (all rows): C:\Users\Admin\AppData\Local\Temp\956f76cb591026fc6db238d0887eb0f8bd262ba37dfa23b903d0a5d1645e7811.exe
    File created: C:\Program Files\Orcus\Orcus.exe
    File opened for modification: C:\Program Files\Orcus\Orcus.exe
    File created: C:\Program Files\Orcus\Orcus.exe.config

Enumerates physical storage devices

Uses Task Scheduler COM API
    persistence
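Both runs register persistence through the Task Scheduler COM API, but the report does not name the task; on a live host the task definition is what an incident responder has to find and remove. The following Python hunts a `schtasks /query /fo CSV /v` export for tasks whose binary is the Orcus drop path from this report or lives in a user-writable location. It is an added example, not tooling from the sandbox or this report: the CSV is constructed with a subset of the real schtasks columns, the task name "OrcusUpdate" and the updater.exe row are invented for illustration, the hostname comes from the taskeng.exe command line in behavioral1, and the user-writable prefix list and environment-variable expansion are assumptions of the example.

```python
r"""Hunts a `schtasks /query /fo CSV /v` export for tasks that launch the
Orcus drop path from this report, or any binary from a user-writable
location. Added example, not the sandbox's own tooling: the CSV below is
constructed with a subset of schtasks columns; the task name "OrcusUpdate"
and the updater.exe row are invented (the report only shows taskeng.exe
launching Orcus.exe and does not name the task)."""
import csv
import io

KNOWN_DROP_EXES = {"c:\\program files\\orcus\\orcus.exe"}  # from the report
# Assumption: legitimate scheduled tasks rarely run binaries from these roots.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Assumption: minimal expansion of the variables schtasks commonly prints.
ENV = {"%windir%": "c:\\windows", "%systemroot%": "c:\\windows"}

# Constructed export (subset of columns); SCFGBRBT is the hostname seen in the
# taskeng.exe command line of behavioral1.
CONSTRUCTED_EXPORT = '''\
"HostName","TaskName","Status","Author","Task To Run","Run As User","Schedule Type"
"SCFGBRBT","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\\system32\\defrag.exe -c -h -o -$","SYSTEM","Weekly"
"SCFGBRBT","\\OrcusUpdate","Ready","SCFGBRBT\\Admin","""C:\\Program Files\\Orcus\\Orcus.exe""","SCFGBRBT\\Admin","At logon time"
"SCFGBRBT","\\Updater","Ready","SCFGBRBT\\Admin","C:\\Users\\Admin\\AppData\\Roaming\\updater.exe /silent","SCFGBRBT\\Admin","At logon time"
'''


def executable_of(task_to_run):
    """Extract the binary path from a 'Task To Run' value, quoted or not."""
    cmd = task_to_run.strip().lower()
    for var, val in ENV.items():
        cmd = cmd.replace(var, val)
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    idx = cmd.find(".exe")
    if idx != -1:
        return cmd[:idx + 4]  # unquoted path that may contain spaces
    return cmd.split(" ", 1)[0]


def hunt(export_csv):
    """Return (task name, reason, executable) for every suspicious task."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        exe = executable_of(row["Task To Run"])
        if exe in KNOWN_DROP_EXES:
            findings.append((row["TaskName"], "known_drop_path", exe))
        elif exe.startswith(USER_WRITABLE_PREFIXES):
            findings.append((row["TaskName"], "user_writable_binary", exe))
    return findings


if __name__ == "__main__":
    for name, reason, exe in hunt(CONSTRUCTED_EXPORT):
        print(f"{name:30} {reason:22} {exe}")
```

Run it against a real export with hunt(open("tasks.csv", encoding="utf-8-sig").read()) after exporting on the host; the BOM-tolerant encoding matters because schtasks writes one. Deleting the flagged task (schtasks /delete /tn <name> /f) and the binary it points to is the remediation step that the "Uses Task Scheduler COM API" signature implies.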

Processes

Image path, then command line:

C:\Users\Admin\AppData\Local\Temp\956f76cb591026fc6db238d0887eb0f8bd262ba37dfa23b903d0a5d1645e7811.exe
    "C:\Users\Admin\AppData\Local\Temp\956f76cb591026fc6db238d0887eb0f8bd262ba37dfa23b903d0a5d1645e7811.exe"

C:\Program Files\Orcus\Orcus.exe
    "C:\Program Files\Orcus\Orcus.exe"

C:\Program Files\Orcus\Orcus.exe
    "C:\Program Files\Orcus\Orcus.exe"

Unlike the Windows 7 run, no taskeng.exe appears here: Windows 10 has no taskeng.exe, and task-launched processes are started by the Schedule service host (svchost.exe), which this list does not include, so the second Orcus.exe instance shows no scheduler intermediary.

Network

Country  Destination            Domain                    Proto  Flows
N/A      192.168.1.95:10134                               tcp    4
US       8.8.8.8:53             following-s.gl.at.ply.gg  udp    1
US       147.185.221.17:46267   following-s.gl.at.ply.gg  tcp    4
US       147.185.221.17:38914   following-s.gl.at.ply.gg  tcp    4
US       8.8.8.8:53             g.bing.com                udp    1
US       204.79.197.200:443     g.bing.com                tcp    1
US       20.231.121.79:80                                 tcp    1
US       8.8.8.8:53             (13 PTR queries, below)   udp    13

PTR queries, all udp to 8.8.8.8:53: 22.177.190.20.in-addr.arpa, 241.154.82.20.in-addr.arpa, 194.178.17.96.in-addr.arpa, 200.197.79.204.in-addr.arpa, 88.156.103.20.in-addr.arpa, 41.110.16.96.in-addr.arpa, 95.221.229.192.in-addr.arpa, 157.123.68.40.in-addr.arpa, 79.121.231.20.in-addr.arpa, 171.39.242.20.in-addr.arpa, 217.135.221.88.in-addr.arpa, 180.178.17.96.in-addr.arpa, 31.243.111.52.in-addr.arpa.

Repeated rows of the original table are collapsed into the Flows column. The sample-attributable traffic is the same as in behavioral1: a DNS query for following-s.gl.at.ply.gg and TCP to 147.185.221.17 on ports 46267 and 38914 (a playit.gg tunnel endpoint). The reverse lookups, g.bing.com and 20.231.121.79:80 are not tied to a process by this report and match the background traffic a Windows 10 sandbox image generates; do not turn them into indicators.
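The Network tables of both runs (behavioral1 above and this one) are flat lists with repeated rows and background noise mixed in with the sample's own connections. As an added example, not sandbox code, the following Python collapses such a table into counted flows, separates DNS, reverse lookups, private addresses and background traffic from C2 candidates, and emits the IOC set an analyst would block or hunt on. The table text is copied from this run's table; the benign-suffix list and the classification rules are assumptions of the example.

```python
"""Aggregates the flat Network tables in this report into counted, classified
flows and pulls out the network IOCs. Added example, not sandbox tooling: the
table text is copied from the behavioral2 run; the benign-suffix list and the
classification rules are assumptions stated in the comments."""
import ipaddress
from collections import Counter

# Rows of the behavioral2 Network table, copied from the report
# (Country Destination [Domain] Proto; the Domain column is empty for some rows).
BEHAVIORAL2_NETWORK = """\
N/A 192.168.1.95:10134 tcp
US 8.8.8.8:53 22.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 following-s.gl.at.ply.gg udp
US 147.185.221.17:46267 following-s.gl.at.ply.gg tcp
US 147.185.221.17:38914 following-s.gl.at.ply.gg tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
N/A 192.168.1.95:10134 tcp
US 147.185.221.17:46267 following-s.gl.at.ply.gg tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 147.185.221.17:38914 following-s.gl.at.ply.gg tcp
N/A 192.168.1.95:10134 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 147.185.221.17:46267 following-s.gl.at.ply.gg tcp
US 147.185.221.17:38914 following-s.gl.at.ply.gg tcp
N/A 192.168.1.95:10134 tcp
US 147.185.221.17:46267 following-s.gl.at.ply.gg tcp
US 147.185.221.17:38914 following-s.gl.at.ply.gg tcp
"""

# Assumption: names under these suffixes are OS/sandbox background traffic.
BENIGN_SUFFIXES = (".bing.com",)


def parse_flows(text):
    """Yield (ip, port, domain, proto) from the report's whitespace-separated rows."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            _country, dest, domain, proto = parts
        elif len(parts) == 3:
            _country, dest, proto = parts
            domain = ""
        else:
            continue  # blank line or header
        ip, port = dest.rsplit(":", 1)
        yield ip, int(port), domain, proto


def classify(ip, port, domain, proto):
    if ipaddress.ip_address(ip).is_private:
        return "local"         # RFC 1918; the report resolves no country for it
    if port == 53 and proto == "udp":
        return "dns_ptr" if domain.endswith(".in-addr.arpa") else "dns"
    if domain.endswith(BENIGN_SUFFIXES):
        return "background"
    if not domain:
        return "unattributed"  # public IP with no name: needs analyst review
    return "c2_candidate"


def summarize(text):
    """Return per-flow counts and the IOC set an analyst would block or hunt on."""
    counts = Counter()
    iocs = {"domains": set(), "ips": set(), "ports": set()}
    for ip, port, domain, proto in parse_flows(text):
        kind = classify(ip, port, domain, proto)
        counts[(kind, ip, port, domain, proto)] += 1
        if kind == "c2_candidate":
            iocs["domains"].add(domain)
            iocs["ips"].add(ip)
            iocs["ports"].add(port)
    return counts, iocs


if __name__ == "__main__":
    counts, iocs = summarize(BEHAVIORAL2_NETWORK)
    for (kind, ip, port, domain, proto), n in sorted(counts.items()):
        print(f"{kind:13} {ip}:{port:<5} {proto} {domain:30} x{n}")
    print("IOCs:", iocs)
```

The "unattributed" bucket is deliberate: 20.231.121.79:80 is a public address with no name in the table, and the report gives no process for it, so the script leaves it for review instead of either dropping it or promoting it to an IOC.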

Files

Memory dumps are listed as memory/<pid>-<index>-<start>-<end>-memory.dmp. Orcus.exe appears four times with different hashes (captured at several points during the run; see the "File opened for modification" event above). Orcus.exe.config has the same hash as in the Windows 7 run, which makes it a more stable file indicator than Orcus.exe itself.

memory/5028-0-0x00000299B2D10000-0x00000299B3008000-memory.dmp
memory/5028-1-0x00007FF931760000-0x00007FF932221000-memory.dmp
memory/5028-4-0x00000299B4D50000-0x00000299B4D5E000-memory.dmp
memory/5028-3-0x00000299CD7C0000-0x00000299CD7D0000-memory.dmp
memory/5028-2-0x00000299B3420000-0x00000299B347C000-memory.dmp
memory/5028-5-0x00000299B4D90000-0x00000299B4DA2000-memory.dmp

C:\Program Files\Orcus\Orcus.exe
    MD5    6e69ce2a2c2af1f584faf14aafd8116c
    SHA1   5d60497ae4600b18cd8b421d6f0996723bdd75e7
    SHA256 7903f323d9712fa31e8f53f2d7e2150188fdb51d5564fdf799e06fb5bdf97b8d
    SHA512 448309a9008a50dd303a90d51785c50386c5a6301376194a25c1cfb36f4af6de84ce2b3cc45ec2dbb0006fd8090cd98e3746d5d69ea0cb9b6058ea925e54d476

C:\Program Files\Orcus\Orcus.exe.config
    MD5    a2b76cea3a59fa9af5ea21ff68139c98
    SHA1   35d76475e6a54c168f536e30206578babff58274
    SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
    SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

C:\Program Files\Orcus\Orcus.exe
    MD5    c86dedabc4f7470c542099426d904d52
    SHA1   cf50d6260cbe3a214b93082c8a4602abc8b37949
    SHA256 d4554da06326a1a65143437cd373ebe47e15d05d45a641487275fcbfe7578453
    SHA512 8d17efdb478d246e209d98671d10451e693a444293251ed0cbfab75dfd0096b5c2d52da089e71d4837f0abced0434aa2ba7573d16f840c3bc88ed40ee9d5911a

memory/620-22-0x00007FF931760000-0x00007FF932221000-memory.dmp
memory/5028-21-0x00007FF931760000-0x00007FF932221000-memory.dmp

C:\Program Files\Orcus\Orcus.exe
    MD5    3fa13f0fd067c4dea947c3558e9c0cfd
    SHA1   478a708a66c08d5207d0dd0138b44d25cbf34732
    SHA256 d654773cff5053be91c893b3cda8f20032ae4a822c4af0af9d5bc8b0d9d2d0c8
    SHA512 ee11dbe6d26a904cc65031b35f8a9c17f8ecce3e36e04de3f67aa8ef709cecb7242ed8e25f561e2fad444930f6be5929780ae1108952ea2e93dc7a77c8d43c3a

memory/620-23-0x0000027A092C0000-0x0000027A092D0000-memory.dmp
memory/620-24-0x0000027A234F0000-0x0000027A23548000-memory.dmp
memory/620-26-0x0000027A0AB70000-0x0000027A0AB88000-memory.dmp

C:\Program Files\Orcus\Orcus.exe
    MD5    1bf3980346ae7ece8d1732585b503b9c
    SHA1   6909d77c76d265415ae3f51b43c90492ffaa4a32
    SHA256 8dc8a69329b9691ecdcdf60342a0b9974bf4ca91fad754b57664f34065b96e7c
    SHA512 aceb876e0ae68c5239861f5cd7d424c300a5834b972636a197c176bb26c1cf3dde6c7c55c0d28f304b82466e03db928155fd7bb3a41239636acdbf21f8f89bc6

memory/4900-27-0x00007FF931760000-0x00007FF932221000-memory.dmp
memory/620-28-0x0000027A0AC00000-0x0000027A0AC10000-memory.dmp
memory/4900-29-0x0000018A3CEE0000-0x0000018A3CEF0000-memory.dmp
memory/4900-31-0x00007FF931760000-0x00007FF932221000-memory.dmp
memory/620-32-0x00007FF931760000-0x00007FF932221000-memory.dmp
memory/620-33-0x0000027A092C0000-0x0000027A092D0000-memory.dmp