Malware Analysis Report

2025-03-15 06:56

Sample ID: 231225-gk1zbaaagk
Target: tmp
SHA256: aa28eef3f1833b566a0873b39dd07288422c0d982bfdfbd9e841ad48bc136f8d
Tags: orcus rat spyware stealer
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: aa28eef3f1833b566a0873b39dd07288422c0d982bfdfbd9e841ad48bc136f8d
Threat Level: Known bad

The file tmp was found to be: Known bad.

Malicious Activity Summary

orcus rat spyware stealer

Orcus

Orcurs Rat Executable

Unsigned PE

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2023-12-25 05:52

Signatures

Unsigned PE

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-25 05:52
Reported: 2023-12-25 05:55
Platform: win7-20231215-en
Max time kernel: 121s
Max time network: 161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcurs Rat Executable

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Suspicious use of AdjustPrivilegeToken

Description               Indicator   Process                                      Target
Token: SeDebugPrivilege   N/A         C:\Users\Admin\AppData\Local\Temp\tmp.exe    N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Network

Country   Destination          Domain   Proto
HK        45.204.82.103:6606            tcp

Files

memory/2916-0-0x000000013FBD0000-0x000000013FCF6000-memory.dmp

memory/2916-1-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

memory/2916-2-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

memory/2916-3-0x00000000774C0000-0x0000000077669000-memory.dmp

memory/2916-4-0x000000001BB20000-0x000000001BC08000-memory.dmp

memory/2916-5-0x000000001BCB0000-0x000000001BD30000-memory.dmp

memory/2916-6-0x00000000009B0000-0x0000000000A0C000-memory.dmp

memory/2916-7-0x00000000005C0000-0x00000000005CE000-memory.dmp

memory/2916-8-0x0000000000800000-0x0000000000812000-memory.dmp

memory/2916-9-0x0000000000810000-0x0000000000828000-memory.dmp

memory/2916-10-0x0000000000A10000-0x0000000000A20000-memory.dmp

memory/2916-11-0x00000000774C0000-0x0000000077669000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab8CE6.tmp

  MD5     ac05d27423a85adc1622c714f2cb6184
  SHA1    b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256  c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512  6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

memory/2916-28-0x000000001BCB0000-0x000000001BD30000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-25 05:52
Reported: 2023-12-25 05:55
Platform: win10v2004-20231222-en
Max time kernel: 145s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcurs Rat Executable

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Suspicious use of AdjustPrivilegeToken

Description               Indicator   Process                                      Target
Token: SeDebugPrivilege   N/A         C:\Users\Admin\AppData\Local\Temp\tmp.exe    N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Network

Country   Destination          Domain                         Proto
US        8.8.8.8:53           200.197.79.204.in-addr.arpa    udp
US        8.8.8.8:53           g.bing.com                     udp
US        204.79.197.200:443   g.bing.com                     tcp
US        8.8.8.8:53           88.156.103.20.in-addr.arpa     udp
US        8.8.8.8:53           21.53.126.40.in-addr.arpa      udp
US        8.8.8.8:53           241.154.82.20.in-addr.arpa     udp
US        8.8.8.8:53           41.110.16.96.in-addr.arpa      udp
US        8.8.8.8:53           95.221.229.192.in-addr.arpa    udp
US        8.8.8.8:53           86.23.85.13.in-addr.arpa       udp
US        8.8.8.8:53           206.23.85.13.in-addr.arpa      udp
US        8.8.8.8:53           217.135.221.88.in-addr.arpa    udp
HK        45.204.82.103:6606                                  tcp
US        8.8.8.8:53           103.82.204.45.in-addr.arpa     udp
US        8.8.8.8:53           180.178.17.96.in-addr.arpa     udp
US        8.8.8.8:53           19.229.111.52.in-addr.arpa     udp
US        8.8.8.8:53           213.143.182.52.in-addr.arpa    udp

Files

memory/4840-0-0x00000205D3270000-0x00000205D3396000-memory.dmp

memory/4840-1-0x00007FF9ADD80000-0x00007FF9AE841000-memory.dmp

memory/4840-2-0x00007FF9ADD80000-0x00007FF9AE841000-memory.dmp

memory/4840-3-0x00000205ED880000-0x00000205ED968000-memory.dmp

memory/4840-4-0x00000205ED9D0000-0x00000205ED9E0000-memory.dmp

memory/4840-6-0x00000205D3820000-0x00000205D382E000-memory.dmp

memory/4840-5-0x00000205D3740000-0x00000205D379C000-memory.dmp

memory/4840-8-0x00000205D5140000-0x00000205D5158000-memory.dmp

memory/4840-9-0x00000205D5120000-0x00000205D5130000-memory.dmp

memory/4840-7-0x00000205D5130000-0x00000205D5142000-memory.dmp

memory/4840-10-0x00000205ED990000-0x00000205ED9A2000-memory.dmp

memory/4840-11-0x00000205EEF30000-0x00000205EEF6C000-memory.dmp

memory/4840-12-0x00000205EF080000-0x00000205EF18A000-memory.dmp

memory/4840-13-0x00000205EF360000-0x00000205EF522000-memory.dmp

memory/4840-14-0x00000205ED9D0000-0x00000205ED9E0000-memory.dmp