Malware Analysis Report

2025-03-15 06:51

Sample ID 231222-qshx5shebl
Target afawefwfwf.exe
SHA256 4fcaede2ca7b6ac97d4d9896b10c16f45e9f57d39a60a6bc597d7e8882841adb
Tags
orcus rat spyware stealer
score
10/10

Analysis Overview

Threat Level: Known bad

The file afawefwfwf.exe was found to be: Known bad.

Malicious Activity Summary

orcus rat spyware stealer

Orcurs Rat Executable

Orcus main payload

Orcus

Orcus family

Orcurs Rat Executable

Executes dropped EXE

Checks computer location settings

Drops desktop.ini file(s)

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-22 13:31

Signatures

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Orcus family

orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-22 13:31

Reported

2023-12-22 13:34

Platform

win10v2004-20231215-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\afawefwfwf.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\afawefwfwf.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\afawefwfwf.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\afawefwfwf.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\afawefwfwf.exe N/A
File created C:\Program Files\Orcus\Orcus.exe.config C:\Users\Admin\AppData\Local\Temp\afawefwfwf.exe N/A
File created C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\afawefwfwf.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\afawefwfwf.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\afawefwfwf.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\afawefwfwf.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\afawefwfwf.exe

"C:\Users\Admin\AppData\Local\Temp\afawefwfwf.exe"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3F4C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3F4B.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\_7gofuvi.cmdline"

Network

Country Destination Domain Proto
US 8.8.8.8:53 21.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
DE 84.145.55.225:5061 tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
DE 84.145.55.225:5061 tcp
DE 84.145.55.225:5061 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
DE 84.145.55.225:5061 tcp
DE 84.145.55.225:5061 tcp
DE 84.145.55.225:5061 tcp
DE 84.145.55.225:5061 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 84.145.55.225:5061 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
DE 84.145.55.225:5061 tcp
US 8.8.8.8:53 udp
DE 84.145.55.225:5061 tcp
DE 84.145.55.225:5061 tcp
DE 84.145.55.225:5061 tcp
