Malware Analysis Report

2025-03-15 06:55

Sample ID 231221-ckmz8sfcel
Target 50c1d2e9ca2c339ee1d4dde094dd9680505bb13cba75c53af408dabbc209ecee
SHA256 50c1d2e9ca2c339ee1d4dde094dd9680505bb13cba75c53af408dabbc209ecee
Tags
orcus rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

50c1d2e9ca2c339ee1d4dde094dd9680505bb13cba75c53af408dabbc209ecee

Threat Level: Known bad

The file 50c1d2e9ca2c339ee1d4dde094dd9680505bb13cba75c53af408dabbc209ecee was found to be: Known bad.

Malicious Activity Summary

orcus rat spyware stealer

Orcus family

Orcus

Orcurs Rat Executable

Orcurs Rat Executable

Checks computer location settings

Executes dropped EXE

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-21 02:08

Signatures

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcus family

orcus

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-21 02:08

Reported

2023-12-21 02:10

Platform

win7-20231215-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\50c1d2e9ca2c339ee1d4dde094dd9680505bb13cba75c53af408dabbc209ecee.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\50c1d2e9ca2c339ee1d4dde094dd9680505bb13cba75c53af408dabbc209ecee.exe | N/A
File opened for modification | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\50c1d2e9ca2c339ee1d4dde094dd9680505bb13cba75c53af408dabbc209ecee.exe | N/A
File created | C:\Program Files\Orcus\Orcus.exe.config | C:\Users\Admin\AppData\Local\Temp\50c1d2e9ca2c339ee1d4dde094dd9680505bb13cba75c53af408dabbc209ecee.exe | N/A

Enumerates physical storage devices

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\50c1d2e9ca2c339ee1d4dde094dd9680505bb13cba75c53af408dabbc209ecee.exe

"C:\Users\Admin\AppData\Local\Temp\50c1d2e9ca2c339ee1d4dde094dd9680505bb13cba75c53af408dabbc209ecee.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {83968F2D-C64C-4BB6-9F2F-D4AC8E0B8354} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

Network

Country | Destination | Domain | Proto
N/A | 192.168.1.95:10134 | N/A | tcp
US | 8.8.8.8:53 | following-s.gl.at.ply.gg | udp
US | 147.185.221.17:46267 | following-s.gl.at.ply.gg | tcp
US | 147.185.221.17:38914 | following-s.gl.at.ply.gg | tcp
N/A | 192.168.1.95:10134 | N/A | tcp
US | 147.185.221.17:46267 | following-s.gl.at.ply.gg | tcp
US | 147.185.221.17:38914 | following-s.gl.at.ply.gg | tcp
N/A | 192.168.1.95:10134 | N/A | tcp
US | 147.185.221.17:46267 | following-s.gl.at.ply.gg | tcp
US | 147.185.221.17:38914 | following-s.gl.at.ply.gg | tcp
N/A | 192.168.1.95:10134 | N/A | tcp
US | 147.185.221.17:46267 | following-s.gl.at.ply.gg | tcp
US | 147.185.221.17:38914 | following-s.gl.at.ply.gg | tcp

Files

memory/2096-1-0x000007FEF56C0000-0x000007FEF60AC000-memory.dmp

memory/2096-2-0x000000001B300000-0x000000001B380000-memory.dmp

memory/2096-4-0x0000000000150000-0x000000000015E000-memory.dmp

memory/2096-3-0x0000000000490000-0x00000000004EC000-memory.dmp

memory/2096-0-0x0000000001000000-0x00000000012F8000-memory.dmp

memory/2096-5-0x0000000000A20000-0x0000000000A32000-memory.dmp

C:\Program Files\Orcus\Orcus.exe

MD5 7a92fc777de65b1a9cb2476bb4f2cd89
SHA1 b279d466134d17f3e89fc45944d51eb4cfc40223
SHA256 fcd5b5dfcee498978b64f57ed1b80fb1a73d60b623a2acc0ca245cf1dffcefab
SHA512 3c29d3e776dd2cf5295d3ea6ab84f5593bd422d64671529595fb669c693e579477d1d79b64879c4e62b60cf1d89e2988c7fd6fa18acb8597f0aa48e7710689bf

memory/1952-17-0x0000000000750000-0x00000000007D0000-memory.dmp

memory/1952-18-0x000000001A9F0000-0x000000001AA48000-memory.dmp

memory/1952-16-0x000007FEF56C0000-0x000007FEF60AC000-memory.dmp

memory/2096-15-0x000007FEF56C0000-0x000007FEF60AC000-memory.dmp

memory/1952-19-0x000000001AA50000-0x000000001AA68000-memory.dmp

memory/1952-20-0x000000001AA80000-0x000000001AA90000-memory.dmp

C:\Program Files\Orcus\Orcus.exe

MD5 12e6963054c830f9268d0cd0980e9746
SHA1 d311c64c08d1ee0cab478f88024d98b37f22214b
SHA256 e709a29a05528d0940e87fe106efceba4c5a3c5c3c9f8f160dc56b893a78fb97
SHA512 c347ccff37cdf59e71a56d305a04d63d4ffdcaadfc806c4bfc031c9448b6c90ef358ca64e53df76878bec9d23a89d5a81126ea7e0efe6757052e78e28668e124

memory/2804-23-0x0000000002350000-0x00000000023D0000-memory.dmp

memory/2804-22-0x000007FEF56C0000-0x000007FEF60AC000-memory.dmp

memory/1952-14-0x0000000000810000-0x0000000000B08000-memory.dmp

C:\Program Files\Orcus\Orcus.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

C:\Program Files\Orcus\Orcus.exe

MD5 8095318e49385d263eaccd8725b004c6
SHA1 e7ab8e9939641bc92b4ceddf4aa7dc98dfcea37e
SHA256 85e9f4413022e0b4f10902a2260b1fcbedf73c988d389b171d00c0469f29d011
SHA512 888508fcad218122d8931a4d0539caf1b3184c58f2882d60293680024a9b8097554e6c86a1d3771c0be3c61c77b2884b0a6ab1536c8e5113db94cdfbb65fc040

memory/2804-24-0x000007FEF56C0000-0x000007FEF60AC000-memory.dmp

memory/1952-25-0x000007FEF56C0000-0x000007FEF60AC000-memory.dmp

memory/1952-26-0x0000000000750000-0x00000000007D0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-21 02:08

Reported

2023-12-21 02:10

Platform

win10v2004-20231215-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\50c1d2e9ca2c339ee1d4dde094dd9680505bb13cba75c53af408dabbc209ecee.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\50c1d2e9ca2c339ee1d4dde094dd9680505bb13cba75c53af408dabbc209ecee.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\50c1d2e9ca2c339ee1d4dde094dd9680505bb13cba75c53af408dabbc209ecee.exe | N/A
File opened for modification | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\50c1d2e9ca2c339ee1d4dde094dd9680505bb13cba75c53af408dabbc209ecee.exe | N/A
File created | C:\Program Files\Orcus\Orcus.exe.config | C:\Users\Admin\AppData\Local\Temp\50c1d2e9ca2c339ee1d4dde094dd9680505bb13cba75c53af408dabbc209ecee.exe | N/A

Enumerates physical storage devices

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\50c1d2e9ca2c339ee1d4dde094dd9680505bb13cba75c53af408dabbc209ecee.exe

"C:\Users\Admin\AppData\Local\Temp\50c1d2e9ca2c339ee1d4dde094dd9680505bb13cba75c53af408dabbc209ecee.exe"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

Network

Country | Destination | Domain | Proto
N/A | 192.168.1.95:10134 | N/A | tcp
US | 8.8.8.8:53 | 19.53.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | following-s.gl.at.ply.gg | udp
US | 147.185.221.17:46267 | following-s.gl.at.ply.gg | tcp
US | 147.185.221.17:38914 | following-s.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
N/A | 192.168.1.95:10134 | N/A | tcp
US | 147.185.221.17:46267 | following-s.gl.at.ply.gg | tcp
US | 147.185.221.17:38914 | following-s.gl.at.ply.gg | tcp
N/A | 192.168.1.95:10134 | N/A | tcp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 147.185.221.17:46267 | following-s.gl.at.ply.gg | tcp
US | 147.185.221.17:38914 | following-s.gl.at.ply.gg | tcp
N/A | 192.168.1.95:10134 | N/A | tcp
US | 147.185.221.17:46267 | following-s.gl.at.ply.gg | tcp
US | 147.185.221.17:38914 | following-s.gl.at.ply.gg | tcp

Files

memory/3908-0-0x000001C7BAC40000-0x000001C7BAF38000-memory.dmp

memory/3908-1-0x000001C7BCAA0000-0x000001C7BCAFC000-memory.dmp

memory/3908-3-0x00007FFEC2540000-0x00007FFEC3001000-memory.dmp

memory/3908-2-0x000001C7BCB10000-0x000001C7BCB1E000-memory.dmp

memory/3908-4-0x000001C7BCB00000-0x000001C7BCB10000-memory.dmp

memory/3908-5-0x000001C7D53A0000-0x000001C7D53B2000-memory.dmp

C:\Program Files\Orcus\Orcus.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/3908-21-0x00007FFEC2540000-0x00007FFEC3001000-memory.dmp

memory/1868-22-0x00007FFEC2540000-0x00007FFEC3001000-memory.dmp

C:\Program Files\Orcus\Orcus.exe

MD5 db02bfd49850ea29336830f1157c8cf1
SHA1 7a9a362f553b9b70875d6690e454c3d6d3aa5a7a
SHA256 e9ff84b377ceb6f5bd54bd2604185e2b6fd320970d39bd3766202a380b8bafd2
SHA512 49587dae4caab58db78884fa4845cec5646ba2a6c28444b0d32f65e7105aec27185d8f7dc96f4941ba680381ed5fd52ccf121d4e8d56bce63760df98c7ebf721

memory/1868-23-0x000002A298550000-0x000002A298560000-memory.dmp

C:\Program Files\Orcus\Orcus.exe

MD5 af53965b4cbad610076054d2b2cc61cf
SHA1 a7a39080d14d59f78c01a303eb4061845d923a1a
SHA256 ee3d08c65fe94f175f41435c7580292a7d94e3303285cd6635804a0d90ec70e2
SHA512 fc6780bbccd680ea55f5f9f5e71aee38106a3511d1b3d595f09888bbd25055addb69139c1ec6803de32049cf2da1838314a4d40d9616b9342464d7d5e5c7041d

memory/1868-24-0x000002A29A070000-0x000002A29A0C8000-memory.dmp

memory/1868-26-0x000002A298610000-0x000002A298628000-memory.dmp

memory/1868-27-0x000002A299EF0000-0x000002A299F00000-memory.dmp

memory/2896-28-0x00007FFEC2540000-0x00007FFEC3001000-memory.dmp

C:\Program Files\Orcus\Orcus.exe

MD5 f6a8965fdad162c458dbe9a93a9ee6c6
SHA1 e9ac62ad1f75d04ebc86411e1f72f5b6f68fb6b1
SHA256 ed9a758e74f1834a1cbc9b6390823bf3d194a9799d6107d971bf4a8ef4a2d480
SHA512 f77967b31e9c294f01cbf41fd4b02c90702cd8ee971f19e48c0880cc94244c49b68013b4598f9692e38adb408a86b80bf225ebe00d11861fbb56d92882dbaa33

memory/2896-29-0x000002904D620000-0x000002904D630000-memory.dmp

C:\Program Files\Orcus\Orcus.exe

MD5 c8fdac86f63309c59f2ea5fa57d7f284
SHA1 ead541cf67de0cd7da3bd4867cbc82d8b9f7b564
SHA256 17bbe08ae8a24305cb413c89009b2582c3fd780e4f7499e21e999d1301df6595
SHA512 4697343c7a54cdb1795501de129deec82ba4dd95e0148c870af052dba55e4ff131bf5f7f83eb653ed6fa92d98082ca38a520e4ebcd3f659f1dc4ff07ee629e79

memory/2896-31-0x00007FFEC2540000-0x00007FFEC3001000-memory.dmp

memory/1868-32-0x00007FFEC2540000-0x00007FFEC3001000-memory.dmp

memory/1868-33-0x000002A298550000-0x000002A298560000-memory.dmp