Malware Analysis Report

2025-03-15 06:51

Sample ID 240105-nz5pdabaep
Target 33347922f0194249dd77537608b6642e9bf4de23aff518eb7703fbba3488aecb.exe
SHA256 33347922f0194249dd77537608b6642e9bf4de23aff518eb7703fbba3488aecb
Tags: orcus telagay rat spyware stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

33347922f0194249dd77537608b6642e9bf4de23aff518eb7703fbba3488aecb

Threat Level: Known bad

The file 33347922f0194249dd77537608b6642e9bf4de23aff518eb7703fbba3488aecb.exe was found to be: Known bad.

Malicious Activity Summary

orcus telagay rat spyware stealer

Orcus family

Orcurs Rat Executable

Orcus

Orcus main payload

Orcurs Rat Executable

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-05 11:51

Signatures

Orcurs Rat Executable

Orcus family

orcus

Orcus main payload

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-05 11:51

Reported

2024-01-05 11:59

Platform

win7-20231215-en

Max time kernel

10s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\33347922f0194249dd77537608b6642e9bf4de23aff518eb7703fbba3488aecb.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Orcurs Rat Executable

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsInput.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsInput.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsInput.InstallState C:\Windows\SysWOW64\WindowsInput.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\33347922f0194249dd77537608b6642e9bf4de23aff518eb7703fbba3488aecb.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe.config C:\Users\Admin\AppData\Local\Temp\33347922f0194249dd77537608b6642e9bf4de23aff518eb7703fbba3488aecb.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\ChromeUpdater\Updt.exe C:\Users\Admin\AppData\Local\Temp\33347922f0194249dd77537608b6642e9bf4de23aff518eb7703fbba3488aecb.exe N/A
File created C:\Program Files (x86)\ChromeUpdater\Updt.exe.config C:\Users\Admin\AppData\Local\Temp\33347922f0194249dd77537608b6642e9bf4de23aff518eb7703fbba3488aecb.exe N/A
File created C:\Program Files (x86)\ChromeUpdater\Updt.exe C:\Users\Admin\AppData\Local\Temp\33347922f0194249dd77537608b6642e9bf4de23aff518eb7703fbba3488aecb.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\33347922f0194249dd77537608b6642e9bf4de23aff518eb7703fbba3488aecb.exe

"C:\Users\Admin\AppData\Local\Temp\33347922f0194249dd77537608b6642e9bf4de23aff518eb7703fbba3488aecb.exe"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files (x86)\ChromeUpdater\Updt.exe

"C:\Program Files (x86)\ChromeUpdater\Updt.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {BCD3BCAF-76BA-4FA3-A01F-DF8D13A89128} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1]

C:\Program Files (x86)\ChromeUpdater\Updt.exe

"C:\Program Files (x86)\ChromeUpdater\Updt.exe"

C:\Users\Admin\AppData\Roaming\svchosts.exe

"C:\Users\Admin\AppData\Roaming\svchosts.exe" /watchProcess "C:\Program Files (x86)\ChromeUpdater\Updt.exe" 2632 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchosts.exe

"C:\Users\Admin\AppData\Roaming\svchosts.exe" /launchSelfAndExit "C:\Program Files (x86)\ChromeUpdater\Updt.exe" 2632 /protectFile

Network

Country Destination Domain Proto
CA 15.235.3.1:2000 tcp
CA 15.235.3.1:2000 tcp

Files

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

C:\Windows\SysWOW64\WindowsInput.exe

MD5 e6fcf516d8ed8d0d4427f86e08d0d435
SHA1 c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512 c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

\Windows\SysWOW64\WindowsInput.exe

MD5 2982003895bc08019fe9517d0741e360
SHA1 8cb9540ad4dc5b6ca9c19ce4dce23c8f1dd52455
SHA256 7f990de9f32841046b4f02c2df88889309b7fadaf0cf094db4558c67c05fd4ce
SHA512 de5300789a9e685e4cd82506ebddb5dce2572580894c59f513d83cef55711cfec793faa48a9b1bebc2a410054cd1d45cbb5996cf518247b7dc94d10eb7322139

C:\Windows\SysWOW64\WindowsInput.exe

MD5 3c45d7def8de43778f02650b50ae94e8
SHA1 427fd4c079470226ee8279017900682dbb06956f
SHA256 e70ad0585f403fb01204d93a0653f2d2780e48387ea9ee7d0a0b4890793bbc50
SHA512 5a36ef48617cbfe20aaf995a621699b5bda20a6d433da89148298e3afc6ae5e3783d0d285e4024d799abf4d6da4fbc65910c171e3d2ef815b8b90dac68426d90

\Program Files (x86)\ChromeUpdater\Updt.exe

MD5 a3da70b9fa7ca8a39e846f305f64ed34
SHA1 b87136d342c11e2a4cbff0a5e8660bfb29bd0bea
SHA256 b9f1b7b017a713cb7448dafc3050bfb06f2b0545ded63662dc67b80ea2a41df3
SHA512 ee58667aaed1367eb789baa036c33d6cd08dc2020456a4f596100d863793e99e2af3a8dd5c66b1cb8857263c131875516df161172707c82304cf5254e3e5a375

C:\Program Files (x86)\ChromeUpdater\Updt.exe

MD5 b3875c92c26710cfa38252ea6c1b10ee
SHA1 c19cd8345c96571f49e6490c67281308c41373d0
SHA256 e0762036048c74579c9ef1421388ab0afdb2c715560846d5021c572535284b9d
SHA512 c181c86fc7db6792a516b472e47aec7b678fb3384dca6dba8f0f6834b4d3c6aa50701ee7c69683a0a8e2f7dc542811b16002d305af38995327672d3c8ba96ef6

C:\Program Files (x86)\ChromeUpdater\Updt.exe

MD5 5f42c598c25453fb4e45b8c4cacf5147
SHA1 6300c198fa709a1fbcbd08dbb4e3753a8e6bb582
SHA256 02e52f4e6d63e3570ef1bfb4c00066afeae97f35fb11f467fd6bb180904d7799
SHA512 c8c233ea2f27fd0c4ee2e8362b93e57dec205881fe1e3a9240252b3130453dc8634a6adcd5b95ed5fb2c85d39268ddaeab4fd1d7cd5cc1509c9e44476f684153

C:\Program Files (x86)\ChromeUpdater\Updt.exe

MD5 2d33cb56cbe3edd8b9cafe1074cf51c0
SHA1 678ad3775aa16e5859d91444e4255a1d2a01b5ef
SHA256 62914c54b5508bc1c4c986d829a56f331c512ea8b5240020fa2860da482b1ec7
SHA512 abde89363395325b823f1d27cf9e1f472bbd404ea9a1cc3ca920a9d8c0fcc02f161d486baadc4eae42995ab53787e55dce1dbabc1d49568256eabe60eefef9ce

C:\Program Files (x86)\ChromeUpdater\Updt.exe

MD5 afa783210959574ae367b50705c552bc
SHA1 8b2174b239c6802eaf837808aed95819352c107c
SHA256 766dea447e7a1abf5f60ae1e5d8103dd3442292268dcd28bb3e67e98c0438244
SHA512 1ae7eb704b10c0d02f14c531010f0263b1a15bdff218ee21bca1d69193b7a5d90e9cea28a90bc5514a3847f0bc776887c6fd048d19b0fd019c8ea2e5d1c1e403

\Users\Admin\AppData\Roaming\svchosts.exe

MD5 913967b216326e36a08010fb70f9dba3
SHA1 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA256 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512 c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

C:\Users\Admin\AppData\Local\Temp\CabF0E6.tmp

MD5 75f0654f980e64c6d62b29b41571a412
SHA1 0616f705d4b96ea5f5370049b492cb2c3c557d4b
SHA256 699632e73a43592ee5cc7bbf17f59194033d49a188e9bdc936cba402857fe5c2
SHA512 333e9bb3386ea2ac97970599b3d254759e457f38696b6f70d8d1e81ea88a3d0b2c9a3cfc59f9fdbe848dcbeea5e809caa166f35b766b55e33d527a3cab70047c

C:\Users\Admin\AppData\Local\Temp\Tar4BB5.tmp

MD5 79d09bc306d99d2949d3bf7eb44341ba
SHA1 31c15ff2501abe8060f0e6feec6231e1126404d9
SHA256 05dee51d7aeb1367bb160a2f2449518eb45c84345e9aa8313bd8a01978ff56b9
SHA512 22f4df16dc3abf96b1d59bde4c60844d23e49c4485dffac87789bc9dd515aab696103544b50880e8d3833b0f609b44df625507adbfe6aa12eeffe501304b42e6

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-05 11:51

Reported

2024-01-05 11:58

Platform

win10v2004-20231222-en

Max time kernel

0s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\33347922f0194249dd77537608b6642e9bf4de23aff518eb7703fbba3488aecb.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\33347922f0194249dd77537608b6642e9bf4de23aff518eb7703fbba3488aecb.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\33347922f0194249dd77537608b6642e9bf4de23aff518eb7703fbba3488aecb.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe.config C:\Users\Admin\AppData\Local\Temp\33347922f0194249dd77537608b6642e9bf4de23aff518eb7703fbba3488aecb.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\33347922f0194249dd77537608b6642e9bf4de23aff518eb7703fbba3488aecb.exe

"C:\Users\Admin\AppData\Local\Temp\33347922f0194249dd77537608b6642e9bf4de23aff518eb7703fbba3488aecb.exe"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Users\Admin\AppData\Roaming\svchosts.exe

"C:\Users\Admin\AppData\Roaming\svchosts.exe" /watchProcess "C:\Program Files (x86)\ChromeUpdater\Updt.exe" 3868 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchosts.exe

"C:\Users\Admin\AppData\Roaming\svchosts.exe" /launchSelfAndExit "C:\Program Files (x86)\ChromeUpdater\Updt.exe" 3868 /protectFile

C:\Program Files (x86)\ChromeUpdater\Updt.exe

"C:\Program Files (x86)\ChromeUpdater\Updt.exe"

C:\Program Files (x86)\ChromeUpdater\Updt.exe

"C:\Program Files (x86)\ChromeUpdater\Updt.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
CA 15.235.3.1:2000 tcp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 1.3.235.15.in-addr.arpa udp
US 8.8.8.8:53 146.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
NL 20.73.194.208:443 tcp
GB 96.16.110.41:443 tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
GB 96.17.178.211:80 tcp
GB 88.221.135.211:80 tcp

Files

C:\Users\Admin\AppData\Roaming\svchosts.exe

MD5 913967b216326e36a08010fb70f9dba3
SHA1 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA256 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512 c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchosts.exe.log

MD5 4eaca4566b22b01cd3bc115b9b0b2196
SHA1 e743e0792c19f71740416e7b3c061d9f1336bf94
SHA256 34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512 bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1
