Malware Analysis Report

2025-03-15 06:49

Sample ID 240108-bdx17ahdfj
Target f17191e2e45cf27f2688a5cb7f7b090eeae426da8f7e82fb0bb61d4c85a46311
SHA256 f17191e2e45cf27f2688a5cb7f7b090eeae426da8f7e82fb0bb61d4c85a46311
Tags
orcus persistence rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f17191e2e45cf27f2688a5cb7f7b090eeae426da8f7e82fb0bb61d4c85a46311

Threat Level: Known bad

The file f17191e2e45cf27f2688a5cb7f7b090eeae426da8f7e82fb0bb61d4c85a46311 was found to be: Known bad.

Malicious Activity Summary

orcus persistence rat spyware stealer

Orcus

Orcus main payload

Orcus family

Orcurs Rat Executable

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-08 01:02

Signatures

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Orcus family

orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-08 01:02

Reported

2024-01-08 01:04

Platform

win7-20231215-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f17191e2e45cf27f2688a5cb7f7b090eeae426da8f7e82fb0bb61d4c85a46311.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\welovechina = "\"C:\\Program Files (x86)\\welovechina\\welovechina.exe\"" | C:\Program Files (x86)\welovechina\welovechina.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\f17191e2e45cf27f2688a5cb7f7b090eeae426da8f7e82fb0bb61d4c85a46311.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\f17191e2e45cf27f2688a5cb7f7b090eeae426da8f7e82fb0bb61d4c85a46311.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\welovechina\welovechina.exe | C:\Users\Admin\AppData\Local\Temp\f17191e2e45cf27f2688a5cb7f7b090eeae426da8f7e82fb0bb61d4c85a46311.exe | N/A
File opened for modification | C:\Program Files (x86)\welovechina\welovechina.exe | C:\Users\Admin\AppData\Local\Temp\f17191e2e45cf27f2688a5cb7f7b090eeae426da8f7e82fb0bb61d4c85a46311.exe | N/A
File created | C:\Program Files (x86)\welovechina\welovechina.exe.config | C:\Users\Admin\AppData\Local\Temp\f17191e2e45cf27f2688a5cb7f7b090eeae426da8f7e82fb0bb61d4c85a46311.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\welovechina.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\welovechina.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\welovechina.exe N/A
N/A N/A C:\Program Files (x86)\welovechina\welovechina.exe N/A
N/A N/A C:\Program Files (x86)\welovechina\welovechina.exe N/A
N/A N/A C:\Program Files (x86)\welovechina\welovechina.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\welovechina.exe N/A
N/A N/A C:\Program Files (x86)\welovechina\welovechina.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\welovechina.exe N/A
N/A N/A C:\Program Files (x86)\welovechina\welovechina.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\welovechina.exe N/A
N/A N/A C:\Program Files (x86)\welovechina\welovechina.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\welovechina.exe N/A
N/A N/A C:\Program Files (x86)\welovechina\welovechina.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\welovechina.exe N/A
N/A N/A C:\Program Files (x86)\welovechina\welovechina.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\welovechina.exe N/A
N/A N/A C:\Program Files (x86)\welovechina\welovechina.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\welovechina.exe N/A
N/A N/A C:\Program Files (x86)\welovechina\welovechina.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\welovechina.exe N/A
N/A N/A C:\Program Files (x86)\welovechina\welovechina.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\welovechina.exe N/A
N/A N/A C:\Program Files (x86)\welovechina\welovechina.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\welovechina.exe N/A
N/A N/A C:\Program Files (x86)\welovechina\welovechina.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\welovechina.exe N/A
N/A N/A C:\Program Files (x86)\welovechina\welovechina.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\welovechina.exe N/A
N/A N/A C:\Program Files (x86)\welovechina\welovechina.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\welovechina.exe N/A
N/A N/A C:\Program Files (x86)\welovechina\welovechina.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\welovechina.exe N/A
N/A N/A C:\Program Files (x86)\welovechina\welovechina.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\welovechina.exe N/A
N/A N/A C:\Program Files (x86)\welovechina\welovechina.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\welovechina.exe N/A
N/A N/A C:\Program Files (x86)\welovechina\welovechina.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\welovechina.exe N/A
N/A N/A C:\Program Files (x86)\welovechina\welovechina.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\welovechina.exe N/A
N/A N/A C:\Program Files (x86)\welovechina\welovechina.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\welovechina.exe N/A
N/A N/A C:\Program Files (x86)\welovechina\welovechina.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\welovechina.exe N/A
N/A N/A C:\Program Files (x86)\welovechina\welovechina.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\welovechina.exe N/A
N/A N/A C:\Program Files (x86)\welovechina\welovechina.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\welovechina.exe N/A
N/A N/A C:\Program Files (x86)\welovechina\welovechina.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\welovechina.exe N/A
N/A N/A C:\Program Files (x86)\welovechina\welovechina.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\welovechina.exe N/A
N/A N/A C:\Program Files (x86)\welovechina\welovechina.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\welovechina.exe N/A
N/A N/A C:\Program Files (x86)\welovechina\welovechina.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\welovechina.exe N/A
N/A N/A C:\Program Files (x86)\welovechina\welovechina.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\welovechina.exe N/A
N/A N/A C:\Program Files (x86)\welovechina\welovechina.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\welovechina.exe N/A
N/A N/A C:\Program Files (x86)\welovechina\welovechina.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\welovechina.exe N/A
N/A N/A C:\Program Files (x86)\welovechina\welovechina.exe N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\welovechina\welovechina.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\welovechina.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\welovechina.exe | N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\welovechina\welovechina.exe N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1096 wrote to memory of 2452 | N/A | C:\Users\Admin\AppData\Local\Temp\f17191e2e45cf27f2688a5cb7f7b090eeae426da8f7e82fb0bb61d4c85a46311.exe | C:\Windows\SysWOW64\WindowsInput.exe
PID 1096 wrote to memory of 2452 | N/A | C:\Users\Admin\AppData\Local\Temp\f17191e2e45cf27f2688a5cb7f7b090eeae426da8f7e82fb0bb61d4c85a46311.exe | C:\Windows\SysWOW64\WindowsInput.exe
PID 1096 wrote to memory of 2452 | N/A | C:\Users\Admin\AppData\Local\Temp\f17191e2e45cf27f2688a5cb7f7b090eeae426da8f7e82fb0bb61d4c85a46311.exe | C:\Windows\SysWOW64\WindowsInput.exe
PID 1096 wrote to memory of 2452 | N/A | C:\Users\Admin\AppData\Local\Temp\f17191e2e45cf27f2688a5cb7f7b090eeae426da8f7e82fb0bb61d4c85a46311.exe | C:\Windows\SysWOW64\WindowsInput.exe
PID 1096 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\f17191e2e45cf27f2688a5cb7f7b090eeae426da8f7e82fb0bb61d4c85a46311.exe | C:\Program Files (x86)\welovechina\welovechina.exe
PID 1096 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\f17191e2e45cf27f2688a5cb7f7b090eeae426da8f7e82fb0bb61d4c85a46311.exe | C:\Program Files (x86)\welovechina\welovechina.exe
PID 1096 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\f17191e2e45cf27f2688a5cb7f7b090eeae426da8f7e82fb0bb61d4c85a46311.exe | C:\Program Files (x86)\welovechina\welovechina.exe
PID 1096 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\f17191e2e45cf27f2688a5cb7f7b090eeae426da8f7e82fb0bb61d4c85a46311.exe | C:\Program Files (x86)\welovechina\welovechina.exe
PID 2628 wrote to memory of 1100 | N/A | C:\Windows\system32\taskeng.exe | C:\Program Files (x86)\welovechina\welovechina.exe
PID 2628 wrote to memory of 1100 | N/A | C:\Windows\system32\taskeng.exe | C:\Program Files (x86)\welovechina\welovechina.exe
PID 2628 wrote to memory of 1100 | N/A | C:\Windows\system32\taskeng.exe | C:\Program Files (x86)\welovechina\welovechina.exe
PID 2628 wrote to memory of 1100 | N/A | C:\Windows\system32\taskeng.exe | C:\Program Files (x86)\welovechina\welovechina.exe
PID 2632 wrote to memory of 3020 | N/A | C:\Program Files (x86)\welovechina\welovechina.exe | C:\Users\Admin\AppData\Roaming\welovechina.exe
PID 2632 wrote to memory of 3020 | N/A | C:\Program Files (x86)\welovechina\welovechina.exe | C:\Users\Admin\AppData\Roaming\welovechina.exe
PID 2632 wrote to memory of 3020 | N/A | C:\Program Files (x86)\welovechina\welovechina.exe | C:\Users\Admin\AppData\Roaming\welovechina.exe
PID 2632 wrote to memory of 3020 | N/A | C:\Program Files (x86)\welovechina\welovechina.exe | C:\Users\Admin\AppData\Roaming\welovechina.exe
PID 3020 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Roaming\welovechina.exe | C:\Users\Admin\AppData\Roaming\welovechina.exe
PID 3020 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Roaming\welovechina.exe | C:\Users\Admin\AppData\Roaming\welovechina.exe
PID 3020 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Roaming\welovechina.exe | C:\Users\Admin\AppData\Roaming\welovechina.exe
PID 3020 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Roaming\welovechina.exe | C:\Users\Admin\AppData\Roaming\welovechina.exe
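The report carries no explicit process tree, but the WriteProcessMemory rows above record which PID wrote into which newly created PID. A parent writing into a child it has just started is the normal CreateProcess pattern, so the rows double as a parent-to-child record. The Python below is an added example, not part of the sandbox output: it parses the rows (copied from the table, including the four-fold repetition of each write) into a tree. Two things become visible that the flat table hides: the sample (PID 1096) spawns both WindowsInput.exe and the Program Files copy of welovechina.exe (PID 2632, the same PID the Roaming copy is later told to /watchProcess in the Processes list), and there is a second root, taskeng.exe (PID 2628), the Windows 7 Task Scheduler engine, relaunching welovechina.exe, which means a scheduled task fired even though no task-creation signature appears in this report. The PID-to-path mapping is taken from the table; nothing else is assumed.

```python
import re
from collections import Counter, defaultdict

# Image paths as they appear in the WriteProcessMemory table (behavioral1).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f17191e2e45cf27f2688a5cb7f7b090eeae426da8f7e82fb0bb61d4c85a46311.exe"
WI = r"C:\Windows\SysWOW64\WindowsInput.exe"
PF = r"C:\Program Files (x86)\welovechina\welovechina.exe"
ROAM = r"C:\Users\Admin\AppData\Roaming\welovechina.exe"
TASKENG = r"C:\Windows\system32\taskeng.exe"

# Rows copied from the report; each write is listed four times there, reproduced here.
WPM_ROWS = (
    [f"PID 1096 wrote to memory of 2452 N/A {SAMPLE} {WI}"] * 4
    + [f"PID 1096 wrote to memory of 2632 N/A {SAMPLE} {PF}"] * 4
    + [f"PID 2628 wrote to memory of 1100 N/A {TASKENG} {PF}"] * 4
    + [f"PID 2632 wrote to memory of 3020 N/A {PF} {ROAM}"] * 4
    + [f"PID 3020 wrote to memory of 2432 N/A {ROAM} {ROAM}"] * 4
)

# Process and Target are space-separated and both may contain spaces ("Program Files (x86)"),
# so the parent path is matched non-greedily up to the first " C:\" that starts the target.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.*?) (C:\\.*)$")


def parse_wpm(rows):
    """Return (names, edges, writes): pid -> image, parent -> {children}, (parent, child) -> row count."""
    names, edges, writes = {}, defaultdict(set), Counter()
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue  # not a WriteProcessMemory row; skip rather than guess at its columns
        parent, child = int(m.group(1)), int(m.group(2))
        names[parent] = m.group(3)
        names[child] = m.group(4)
        edges[parent].add(child)
        writes[(parent, child)] += 1
    return names, edges, writes


def roots(names, edges):
    """PIDs never seen as a child: the sample itself and whatever relaunched the implant."""
    children = {c for kids in edges.values() for c in kids}
    return sorted(pid for pid in names if pid not in children)


def render(names, edges, writes):
    """Indented tree, one line per process, annotated with the number of write rows per edge."""
    lines = []

    def walk(pid, depth, count):
        suffix = f"  [{count} writes]" if count else ""
        lines.append(f"{'    ' * depth}{pid}  {names[pid]}{suffix}")
        for child in sorted(edges.get(pid, ())):
            walk(child, depth + 1, writes[(pid, child)])

    for root in roots(names, edges):
        walk(root, 0, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(*parse_wpm(WPM_ROWS))))
```

The same parser works on any report in this format; the only assumption it makes is that the Process column begins with a drive letter, which is how the column boundary is recovered.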

Processes

C:\Users\Admin\AppData\Local\Temp\f17191e2e45cf27f2688a5cb7f7b090eeae426da8f7e82fb0bb61d4c85a46311.exe

"C:\Users\Admin\AppData\Local\Temp\f17191e2e45cf27f2688a5cb7f7b090eeae426da8f7e82fb0bb61d4c85a46311.exe"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files (x86)\welovechina\welovechina.exe

"C:\Program Files (x86)\welovechina\welovechina.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {DA495631-E027-462D-B29B-BB4BC73EBD83} S-1-5-21-452311807-3713411997-1028535425-1000:OZEMQECW\Admin:Interactive:[1]

C:\Program Files (x86)\welovechina\welovechina.exe

"C:\Program Files (x86)\welovechina\welovechina.exe"

C:\Users\Admin\AppData\Roaming\welovechina.exe

"C:\Users\Admin\AppData\Roaming\welovechina.exe" /watchProcess "C:\Program Files (x86)\welovechina\welovechina.exe" 2632 "/protectFile"

C:\Users\Admin\AppData\Roaming\welovechina.exe

"C:\Users\Admin\AppData\Roaming\welovechina.exe" /launchSelfAndExit "C:\Program Files (x86)\welovechina\welovechina.exe" 2632 /protectFile

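Three detections follow directly from the behavioral1 data: a Run value written by the very executable it launches (welovechina.exe registering itself), a command line carrying the /watchProcess and /protectFile watchdog switches, and WindowsInput.exe being dropped under SysWOW64 by a non-Windows process or started with --install. The Python below is an added example, not sandbox or Orcus code. It runs those three rules over a handful of constructed Sysmon-style events assembled from the tables and command lines above, plus two constructed benign events (an installer registering a separate updater, and notepad) to show the rules stay quiet on them. The event field names are an assumed schema for the example, not Sysmon's real one.

```python
import ntpath
import re
import shlex

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f17191e2e45cf27f2688a5cb7f7b090eeae426da8f7e82fb0bb61d4c85a46311.exe"
PF = r"C:\Program Files (x86)\welovechina\welovechina.exe"
ROAM = r"C:\Users\Admin\AppData\Roaming\welovechina.exe"
WI = r"C:\Windows\SysWOW64\WindowsInput.exe"
HKU = r"\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000"
RUN_KEY = r"\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed events (assumed field names). The first four mirror the behavioral1 tables;
# the last two are benign controls that should not trigger anything.
EVENTS = [
    {"type": "RegistryValueSet", "image": PF, "key": HKU + RUN_KEY + r"\welovechina", "data": f'"{PF}"'},
    {"type": "FileCreate", "image": SAMPLE, "target": WI},
    {"type": "ProcessCreate", "image": WI, "parent": SAMPLE, "cmdline": f'"{WI}" --install'},
    {"type": "ProcessCreate", "image": ROAM, "parent": PF,
     "cmdline": f'"{ROAM}" /watchProcess "{PF}" 2632 "/protectFile"'},
    {"type": "RegistryValueSet", "image": r"C:\Users\Admin\Downloads\setup.exe",
     "key": HKU + RUN_KEY + r"\Updater", "data": r'"C:\Program Files (x86)\Vendor\updater.exe" /background'},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]


def _norm(path):
    """Case-fold and strip surrounding quotes so paths from different columns compare equal."""
    return ntpath.normcase(path.strip().strip('"'))


def _tokens(cmdline):
    """Windows-style split: quoted arguments stay whole and backslashes are not escapes."""
    try:
        return [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:  # unbalanced quotes: treat as no arguments rather than crash a pipeline
        return []


def rule_self_registering_run_key(ev):
    """Run value whose launched image is the process that wrote it: the binary persists itself."""
    if ev["type"] != "RegistryValueSet" or RUN_KEY.lower() not in ev["key"].lower():
        return False
    tokens = _tokens(ev["data"])
    return bool(tokens) and _norm(tokens[0]) == _norm(ev["image"])


WATCHDOG = {"/watchprocess", "/launchselfandexit", "/protectfile"}


def rule_watchdog_cmdline(ev):
    """Two or more of the watchdog switches from the Processes list on a single command line."""
    if ev["type"] != "ProcessCreate":
        return False
    return len({t.lower() for t in _tokens(ev["cmdline"])} & WATCHDOG) >= 2


WI_RE = re.compile(r"\\(system32|syswow64)\\windowsinput\.exe(\.config)?$", re.I)


def rule_windowsinput_drop_or_install(ev):
    """WindowsInput.exe written under System32/SysWOW64 by a non-Windows image, or run with --install."""
    if ev["type"] == "FileCreate":
        return bool(WI_RE.search(ev["target"])) and not _norm(ev["image"]).startswith("c:\\windows\\")
    if ev["type"] == "ProcessCreate":
        return bool(WI_RE.search(ev["image"])) and "--install" in [t.lower() for t in _tokens(ev["cmdline"])]
    return False


RULES = (rule_self_registering_run_key, rule_watchdog_cmdline, rule_windowsinput_drop_or_install)


def detect(events):
    """[(event index, rule name)] for every rule that fires, in event order."""
    return [(i, rule.__name__) for i, ev in enumerate(events) for rule in RULES if rule(ev)]


if __name__ == "__main__":
    for i, name in detect(EVENTS):
        print(f"event {i}: {name}")
```

The first rule is deliberately narrow: plenty of legitimate installers write Run values, but far fewer binaries write a Run value that points at themselves, which is what the table shows welovechina.exe doing. The second rule keys on switch names rather than the file name, since the dropped copies are renamed per build while the switches are what the implant actually parses.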
Network

Country | Destination | Domain | Proto
BG | 91.92.244.15:6969 | | tcp
BG | 91.92.244.15:6969 | | tcp

Files

memory/1096-0-0x00000000008E0000-0x00000000009CC000-memory.dmp

memory/1096-1-0x0000000074690000-0x0000000074D7E000-memory.dmp

memory/1096-2-0x0000000004D90000-0x0000000004DD0000-memory.dmp

memory/1096-3-0x0000000000200000-0x000000000020E000-memory.dmp

memory/1096-4-0x0000000000450000-0x00000000004AC000-memory.dmp

memory/1096-5-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1096-6-0x0000000000540000-0x0000000000548000-memory.dmp

\Windows\SysWOW64\WindowsInput.exe

MD5 e6fcf516d8ed8d0d4427f86e08d0d435
SHA1 c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512 c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/2452-15-0x0000000000340000-0x000000000034C000-memory.dmp

memory/2452-16-0x000007FEF5850000-0x000007FEF623C000-memory.dmp

memory/2452-17-0x000000001AF90000-0x000000001B010000-memory.dmp

memory/2452-20-0x000007FEF5850000-0x000007FEF623C000-memory.dmp

memory/2824-22-0x00000000003B0000-0x00000000003BC000-memory.dmp

memory/2824-23-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp

memory/2824-24-0x0000000000150000-0x00000000001D0000-memory.dmp

C:\Program Files (x86)\welovechina\welovechina.exe

MD5 c3a45c7d07dca4b00d98fec2c14ef027
SHA1 5d252ccb757ffb6b85b92a3ddd09bd54470037c6
SHA256 1685172aa7f53648352dabf107c5002b58685eb9d9b6b12bcfb884e87fda10e6
SHA512 9b9a0dc436741e80fd30faa41454df5025bfd4fbbebe5a51ef512f78f2732381995fc94c3c2cddab97b739193bb0408257073ad4928c67e7356f8428792ee44c

C:\Program Files (x86)\welovechina\welovechina.exe

MD5 5c54b946253e4f245c8c6df3989867db
SHA1 5d5500153f0d7eefc52d128d7e1d90284ab696b3
SHA256 f6a1f4991e429548b51a623688c0c1742786006c904c793858517423871ff2f4
SHA512 211729980937d009b0f13261832398861ed824d677ccdb2b6d311b1cb1de2f7470456047fd3359768522eef50f9f1d356b5ebe425fa5d37ea9d2cc126aab12b3

memory/2632-35-0x0000000000CB0000-0x0000000000D9C000-memory.dmp

memory/2632-36-0x0000000074690000-0x0000000074D7E000-memory.dmp

C:\Program Files (x86)\welovechina\welovechina.exe

MD5 09ec1dfc1bb6d62eed2a4358d4640a58
SHA1 edae7180c7d2dc34d10432255b07014a783f7933
SHA256 2c479cad6f0b5a51d8c2c82aa60e37135dcf84420414d49e9ecf96f065fc2d81
SHA512 ddcf5f640f45237be77f3ea1fd6cd70318f40067ed9f4af6570ae0a9793f6d87c9569ad760cba671a756badfac7084e1e447f77e2a3f38b919de3c004e433211

memory/2632-37-0x0000000004AD0000-0x0000000004B10000-memory.dmp

\Program Files (x86)\welovechina\welovechina.exe

MD5 85e63fcacce996ede0a877c71c27ce2b
SHA1 2b54291599696672f88f51ffd82106fe916aa564
SHA256 878f97f516fe7e0f22f0b9ef7c34a6b398b72ba3bbda471159723dca68f5f016
SHA512 adf2ebcd95aacd38eb1be6411bf066e1a0a4ef23362cf57f3d0d6ed1c65973b30abda2329ff7347a4dd60788c050fd5a24a747f6c71473afb03641e233f371c9

memory/2632-38-0x0000000000C30000-0x0000000000C7E000-memory.dmp

memory/2632-39-0x0000000000AC0000-0x0000000000AD8000-memory.dmp

C:\Program Files (x86)\welovechina\welovechina.exe

MD5 c0e830ae9fe06311f31462c59e14ec76
SHA1 1748980861aa817bf72a25211cf703399640f1f5
SHA256 1093d64111d74e8abe1e53bab0b633f1c0671e31e0b28c3838ce9b3b90e8bc6d
SHA512 b81b2e081176a1a497f8d79acb482a1506e69d76b2116a275db73c6b6cfcdef411e0ac96927e65dcf61cb4d91fb97e8665a3d1c1799489fb1e190c37a76a249d

memory/2632-41-0x0000000000BE0000-0x0000000000BF0000-memory.dmp

memory/1100-42-0x0000000074690000-0x0000000074D7E000-memory.dmp

memory/1100-43-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

memory/1096-46-0x0000000074690000-0x0000000074D7E000-memory.dmp

memory/2632-47-0x0000000004AD0000-0x0000000004B10000-memory.dmp

C:\Users\Admin\AppData\Roaming\welovechina.exe

MD5 913967b216326e36a08010fb70f9dba3
SHA1 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA256 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512 c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

memory/3020-55-0x0000000000B50000-0x0000000000B58000-memory.dmp

memory/3020-56-0x0000000074690000-0x0000000074D7E000-memory.dmp

memory/2432-59-0x0000000074690000-0x0000000074D7E000-memory.dmp

memory/3020-58-0x0000000074690000-0x0000000074D7E000-memory.dmp

memory/2824-60-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp

memory/1100-61-0x0000000074690000-0x0000000074D7E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab7A21.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

memory/2632-78-0x0000000074690000-0x0000000074D7E000-memory.dmp

memory/2632-79-0x0000000004AD0000-0x0000000004B10000-memory.dmp

memory/2632-80-0x0000000004AD0000-0x0000000004B10000-memory.dmp

memory/2432-81-0x0000000074690000-0x0000000074D7E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-08 01:02

Reported

2024-01-08 01:05

Platform

win10v2004-20231222-en

Max time kernel

1s

Max time network

101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f17191e2e45cf27f2688a5cb7f7b090eeae426da8f7e82fb0bb61d4c85a46311.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f17191e2e45cf27f2688a5cb7f7b090eeae426da8f7e82fb0bb61d4c85a46311.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\f17191e2e45cf27f2688a5cb7f7b090eeae426da8f7e82fb0bb61d4c85a46311.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\f17191e2e45cf27f2688a5cb7f7b090eeae426da8f7e82fb0bb61d4c85a46311.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\f17191e2e45cf27f2688a5cb7f7b090eeae426da8f7e82fb0bb61d4c85a46311.exe

"C:\Users\Admin\AppData\Local\Temp\f17191e2e45cf27f2688a5cb7f7b090eeae426da8f7e82fb0bb61d4c85a46311.exe"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Program Files (x86)\welovechina\welovechina.exe

"C:\Program Files (x86)\welovechina\welovechina.exe"

C:\Users\Admin\AppData\Roaming\welovechina.exe

"C:\Users\Admin\AppData\Roaming\welovechina.exe" /watchProcess "C:\Program Files (x86)\welovechina\welovechina.exe" 964 "/protectFile"

C:\Users\Admin\AppData\Roaming\welovechina.exe

"C:\Users\Admin\AppData\Roaming\welovechina.exe" /launchSelfAndExit "C:\Program Files (x86)\welovechina\welovechina.exe" 964 /protectFile

C:\Program Files (x86)\welovechina\welovechina.exe

"C:\Program Files (x86)\welovechina\welovechina.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.181.190.20.in-addr.arpa | udp
BG | 91.92.244.15:6969 | | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.244.92.91.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 52.165.165.26:443 | | tcp
US | 13.85.23.206:443 | | tcp
US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp
GB | 104.91.71.134:80 | | tcp
GB | 104.91.71.134:80 | | tcp
GB | 88.221.135.211:80 | | tcp
GB | 104.91.71.134:80 | | tcp
US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp
GB | 88.221.135.211:80 | | tcp
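Most of the behavioral2 network rows are guest background traffic: reverse-DNS (in-addr.arpa) queries to 8.8.8.8 and HTTP/HTTPS connections to hosts the win7 run never touched. Two checks separate the sample's own traffic from that noise. First, intersect the TCP destinations across the two runs; only 91.92.244.15:6969 survives, and it is also the only destination in the quieter win7 run. Second, decode each in-addr.arpa name back to the address it names: a PTR query for 15.244.92.91.in-addr.arpa is the guest resolving 91.92.244.15 right after connecting to it, so a decoded PTR that matches a TCP row corroborates that row. The Python below is an added example, not part of the sandbox output; it applies both checks to the rows copied from the two Network tables.

```python
import ipaddress

# Rows copied from the behavioral1 and behavioral2 Network tables (Domain column blank for tcp).
RUN1 = """\
BG 91.92.244.15:6969 tcp
BG 91.92.244.15:6969 tcp
"""
RUN2 = """\
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 2.181.190.20.in-addr.arpa udp
BG 91.92.244.15:6969 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 15.244.92.91.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 52.165.165.26:443 tcp
US 13.85.23.206:443 tcp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
GB 104.91.71.134:80 tcp
GB 104.91.71.134:80 tcp
GB 88.221.135.211:80 tcp
GB 104.91.71.134:80 tcp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
GB 88.221.135.211:80 tcp
"""


def parse_rows(text):
    """Yield (country, ip, port, domain or None, proto) for each well-formed row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        yield country, ip, int(port), domain, proto


def ptr_to_ip(name):
    """'15.244.92.91.in-addr.arpa' -> '91.92.244.15'; None if not an IPv4 reverse name."""
    suffix = ".in-addr.arpa"
    if not name or not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def tcp_destinations(rows):
    """Set of 'ip:port' strings for the TCP rows."""
    return {f"{ip}:{port}" for _, ip, port, _, proto in rows if proto == "tcp"}


def cross_run_candidates(*runs):
    """Destinations contacted in every run: the most defensible C2 indicator in a report."""
    return set.intersection(*(tcp_destinations(list(parse_rows(r))) for r in runs))


def ptr_corroborated(text):
    """TCP destination IPs for which the guest also issued a reverse lookup."""
    rows = list(parse_rows(text))
    looked_up = {ptr_to_ip(d) for _, _, _, d, proto in rows if proto == "udp"} - {None}
    return {ip for _, ip, _, _, proto in rows if proto == "tcp"} & looked_up


if __name__ == "__main__":
    print("seen in every run:", sorted(cross_run_candidates(RUN1, RUN2)))
    print("PTR-corroborated in behavioral2:", sorted(ptr_corroborated(RUN2)))
```

The PTR check also corroborates 88.221.135.211:80, so on its own it does not prove malice; it only confirms which connections the guest actually made. Cross-run recurrence is the stronger signal, and only the 91.92.244.15:6969 destination passes both.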

Files

memory/4908-0-0x00000000747A0000-0x0000000074F50000-memory.dmp

memory/4908-2-0x00000000055E0000-0x00000000055F0000-memory.dmp

memory/4908-1-0x0000000000970000-0x0000000000A5C000-memory.dmp

memory/4908-3-0x00000000053B0000-0x00000000053BE000-memory.dmp

memory/4908-4-0x00000000053C0000-0x000000000541C000-memory.dmp

memory/4908-6-0x00000000055F0000-0x0000000005682000-memory.dmp

memory/4908-5-0x0000000005BA0000-0x0000000006144000-memory.dmp

memory/4908-8-0x00000000055D0000-0x00000000055D8000-memory.dmp

memory/4908-9-0x0000000005AD0000-0x0000000005AF2000-memory.dmp

memory/4908-7-0x00000000055C0000-0x00000000055D2000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.exe

MD5 37a75295a2dcadb92c6649bad9ebbe23
SHA1 31bf85cd977672155185a7cc239db3886d8a3a70
SHA256 290d3d4696a70d3708fc89363741702e958f1f4f27a1740ab8e9802a5e00eae1
SHA512 61f2b7734be6f9a35f0f23237f617743a9f61b27d761ba9dd6d9f77d4c0949887d501c7f51e2b0bf6c929d65a43164f8fd66c4ecb3453b13bb7068b8572085f5

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/3252-23-0x0000000000820000-0x000000000082C000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3252-24-0x00000000028D0000-0x00000000028E2000-memory.dmp

memory/3252-26-0x00007FFB94510000-0x00007FFB94FD1000-memory.dmp

memory/3252-27-0x0000000002940000-0x0000000002950000-memory.dmp

memory/3252-25-0x0000000002950000-0x000000000298C000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.exe

MD5 68bf4a3bf0b6a93106a06b3aa27b9a3d
SHA1 cad266b91193963f900a03082287944c1bef28ad
SHA256 aa0d096df4d286241aaf658262d16f1d0166e06abea0fc83e3a7aeeb11238a4b
SHA512 238090e85184c8c65913d572e3dc0b4c8d717830a1b4637c2aa9ff71dbed6c78c6181e28116f266d6a0c38a5d353b1658efbef3abe82dc35b8399d5f881176df

memory/512-33-0x00007FFB94510000-0x00007FFB94FD1000-memory.dmp

memory/512-34-0x000000001A980000-0x000000001A990000-memory.dmp

memory/3252-31-0x00007FFB94510000-0x00007FFB94FD1000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.exe

MD5 0c4688eb293c3f51ba22ab0c8237c710
SHA1 e4113a3998f783f6677a1dc1132804adfe0b1649
SHA256 d2e379e0cc4cc667079a33444c59e2116eca3665f0ce70ed49854a7ee5fbe050
SHA512 6b010d8ba44fd3a0e2497bb4adb32a4d23876ad3cf2682a34f4f58e24967162a2c10cdb089bcc10fddb532f91fee0809191b8f74a1a5978f9f88ce34e40eba64

memory/512-35-0x000000001ADA0000-0x000000001AEAA000-memory.dmp

memory/4908-51-0x00000000747A0000-0x0000000074F50000-memory.dmp

memory/964-52-0x00000000747A0000-0x0000000074F50000-memory.dmp

C:\Program Files (x86)\welovechina\welovechina.exe

MD5 88c8cf41a68e8bec713c543f7ba40472
SHA1 c0f364f8a56df9fc56165195f7cd4e82c132aa59
SHA256 5e3ba496ed398e151dc5a4da50cc658dc87a951100c14962021c10a86764bcb8
SHA512 bc4fe1f40fada720b043975f5d59b5a0150ccb94354869842c53e7514e08c0c7c8e94949d1403912518b48c0da810ac703d380b85ddd2e6e2b4cba28ce3153d6

C:\Program Files (x86)\welovechina\welovechina.exe

MD5 d748fe9039aa7745c962b8cf03c48c92
SHA1 4b9902818d0f70f8f965572bedd331e50162da8f
SHA256 a6269348fd64cc3c9b6674ad03f5a8e52d74933afa2b3fddc2c3afad9b1d470d
SHA512 f24d12ddf2b4e17d09651a38ee88fdd09a30c89ab0b072f9897a0c79db691acc34d8b09270d2b3b1ca806b2b23b3d1eb89e07c07df307347b03e6ac4baf264b1

memory/964-53-0x0000000005AB0000-0x0000000005AFE000-memory.dmp

C:\Program Files (x86)\welovechina\welovechina.exe

MD5 5ade6aa9b26d0ac9c90254184f5a83cd
SHA1 a31b9dff2a646a0c0bb2ae401d0bd2d9adae2166
SHA256 84dad176cf96619611eec1e9b65a8e76ed9320bbded11dc47ac75553e2e423ce
SHA512 8bc22a21a168af35aa6a7ba0b4acdf933273d42ee3a440fd03b6ea01c9a3d397a6a042d5b9e035ec4bd7f8ee4d87fc1b90d18eade5dcd182053ea38aa19a633c

memory/964-55-0x0000000005C70000-0x0000000005C88000-memory.dmp

memory/964-56-0x0000000005E40000-0x0000000005E50000-memory.dmp

memory/4484-58-0x00000000747A0000-0x0000000074F50000-memory.dmp

memory/964-57-0x0000000006020000-0x00000000061E2000-memory.dmp

memory/964-59-0x0000000006520000-0x000000000652A000-memory.dmp

C:\Program Files (x86)\welovechina\welovechina.exe

MD5 7f527268c2d08a6e1257b0acdc72d130
SHA1 c99658426ee47b591b8a03506c84816eaa80281f
SHA256 101c17e905345a61256ae610f71c3476bff54c976623a273894e36b4ec6c249e
SHA512 c786b138f9d9ff0078dced2ec37449ee28ffdf59beefa51506d7a1a94ad0facad58bbdd66ad401e9f8e9a67ab10a00cbf100ed6d79667711288357c07ead78e5

C:\Users\Admin\AppData\Roaming\welovechina.exe

MD5 ea87d59e910053753e8a8c082bd63258
SHA1 9c8a7647d909de255f444e2b8e550d23501defb2
SHA256 eac25a3a4fc9542e91b3a84b6daf91c6619b79faef51d4616bc580fe17ee16c7
SHA512 5778143556b1e75ad47ec934c5c65770ff5414e882c51992b117c7bf3029941b7c5e25f73d1eea143d2cb676702173866c0ff69e9825541052d22671ee1e165f

C:\Users\Admin\AppData\Roaming\welovechina.exe

MD5 d3ea3f306e737d3521d6cd2dd54d9c9b
SHA1 bf540ec262dd83f3f395f46491eac985eadad803
SHA256 dd96b05a11e229ee3242494be672add8dc8439fa6a2e8a905292770d15c1c58e
SHA512 eccd37500a829591e3114b7099053301804dc860ae115673fbfc9b3b608b61b23d1892c63b4007aaa8608a0fb2009eb61a2f4466edcf78afdda013da642007e1

memory/4808-73-0x0000000000B30000-0x0000000000B38000-memory.dmp

memory/4808-74-0x00000000747A0000-0x0000000074F50000-memory.dmp

memory/4808-78-0x00000000747A0000-0x0000000074F50000-memory.dmp

memory/2868-79-0x00000000747A0000-0x0000000074F50000-memory.dmp

memory/964-82-0x0000000006CF0000-0x0000000006D56000-memory.dmp

memory/964-83-0x00000000078C0000-0x0000000007ED8000-memory.dmp

memory/964-85-0x00000000072E0000-0x000000000731C000-memory.dmp

memory/964-86-0x0000000007320000-0x000000000736C000-memory.dmp

memory/964-84-0x0000000006D90000-0x0000000006DA2000-memory.dmp

memory/964-87-0x00000000074A0000-0x00000000075AA000-memory.dmp

memory/4484-89-0x00000000747A0000-0x0000000074F50000-memory.dmp

memory/512-88-0x00007FFB94510000-0x00007FFB94FD1000-memory.dmp

memory/512-90-0x000000001A980000-0x000000001A990000-memory.dmp

memory/964-91-0x00000000747A0000-0x0000000074F50000-memory.dmp

memory/964-92-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

memory/2868-93-0x00000000747A0000-0x0000000074F50000-memory.dmp
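Before exporting the hashes in the two Files sections as indicators, two checks are worth running. First, the second behavioral2 entry for C:\Windows\SysWOW64\WindowsInput.exe (MD5 d41d8cd98f00b204e9800998ecf8427e, SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855) is the digest of a zero-byte file, consistent with the sandbox hashing the file before anything was written to it; that hash would match every empty file on every host. Second, the same path is hashed several times within a run with different digests (five for C:\Program Files (x86)\welovechina\welovechina.exe in behavioral1) and differs again between runs, so the dropped-file hashes are unstable and the paths, the Run value name, the watchdog switches and the C2 address are the durable indicators. The Python below is an added example, not part of the sandbox output: it parses an excerpt of the Files listing copied from above, computes the empty-file digests with hashlib rather than pasting them, drops those entries, and groups the remaining SHA256 values by path. It assumes that paths written without a drive letter are on C:.

```python
import hashlib
import re
from collections import defaultdict

# Excerpt copied from the Files sections above: three captures of the Program Files drop
# in behavioral1 and two of WindowsInput.exe in behavioral2 (the second one empty).
FILES_EXCERPT = r"""
C:\Program Files (x86)\welovechina\welovechina.exe
MD5 c3a45c7d07dca4b00d98fec2c14ef027
SHA1 5d252ccb757ffb6b85b92a3ddd09bd54470037c6
SHA256 1685172aa7f53648352dabf107c5002b58685eb9d9b6b12bcfb884e87fda10e6
SHA512 9b9a0dc436741e80fd30faa41454df5025bfd4fbbebe5a51ef512f78f2732381995fc94c3c2cddab97b739193bb0408257073ad4928c67e7356f8428792ee44c

memory/2632-37-0x0000000004AD0000-0x0000000004B10000-memory.dmp

\Program Files (x86)\welovechina\welovechina.exe
MD5 85e63fcacce996ede0a877c71c27ce2b
SHA1 2b54291599696672f88f51ffd82106fe916aa564
SHA256 878f97f516fe7e0f22f0b9ef7c34a6b398b72ba3bbda471159723dca68f5f016
SHA512 adf2ebcd95aacd38eb1be6411bf066e1a0a4ef23362cf57f3d0d6ed1c65973b30abda2329ff7347a4dd60788c050fd5a24a747f6c71473afb03641e233f371c9

C:\Program Files (x86)\welovechina\welovechina.exe
MD5 c0e830ae9fe06311f31462c59e14ec76
SHA1 1748980861aa817bf72a25211cf703399640f1f5
SHA256 1093d64111d74e8abe1e53bab0b633f1c0671e31e0b28c3838ce9b3b90e8bc6d
SHA512 b81b2e081176a1a497f8d79acb482a1506e69d76b2116a275db73c6b6cfcdef411e0ac96927e65dcf61cb4d91fb97e8665a3d1c1799489fb1e190c37a76a249d

C:\Windows\SysWOW64\WindowsInput.exe
MD5 37a75295a2dcadb92c6649bad9ebbe23
SHA1 31bf85cd977672155185a7cc239db3886d8a3a70
SHA256 290d3d4696a70d3708fc89363741702e958f1f4f27a1740ab8e9802a5e00eae1
SHA512 61f2b7734be6f9a35f0f23237f617743a9f61b27d761ba9dd6d9f77d4c0949887d501c7f51e2b0bf6c929d65a43164f8fd66c4ecb3453b13bb7068b8572085f5

C:\Windows\SysWOW64\WindowsInput.exe
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")

# Digests of zero-byte input, computed so the check cannot drift from a pasted constant.
EMPTY_FILE = {
    "MD5": hashlib.md5(b"").hexdigest(),
    "SHA1": hashlib.sha1(b"").hexdigest(),
    "SHA256": hashlib.sha256(b"").hexdigest(),
    "SHA512": hashlib.sha512(b"").hexdigest(),
}


def _norm_path(p):
    # The report writes some dropped files without a drive letter; C: is assumed here.
    return "C:" + p if p.startswith("\\") else p


def parse_files(text):
    """Return [(path, {algo: hexdigest})] in report order; memory dump lines are ignored."""
    entries, path, hashes = [], None, {}
    for line in (raw.strip() for raw in text.splitlines()):
        m = HASH_RE.match(line)
        if m:
            hashes[m.group(1)] = m.group(2).lower()
        elif line and not line.startswith("memory/"):
            if path is not None and hashes:
                entries.append((path, hashes))
            path, hashes = _norm_path(line), {}
    if path is not None and hashes:
        entries.append((path, hashes))
    return entries


def is_empty_file(hashes):
    """True when any recorded digest is the digest of empty input."""
    return any(hashes.get(algo) == digest for algo, digest in EMPTY_FILE.items())


def hashes_by_path(entries):
    """path -> sorted distinct SHA256 values, with empty-file captures removed."""
    out = defaultdict(set)
    for path, h in entries:
        if "SHA256" in h and not is_empty_file(h):
            out[path].add(h["SHA256"])
    return {p: sorted(v) for p, v in out.items()}


def exportable_sha256(entries):
    """De-duplicated SHA256 list that is safe to hand to a blocklist."""
    return sorted({h["SHA256"] for _, h in entries if "SHA256" in h and not is_empty_file(h)})


if __name__ == "__main__":
    found = parse_files(FILES_EXCERPT)
    for path, digests in hashes_by_path(found).items():
        print(f"{path}: {len(digests)} distinct SHA256 value(s)")
    print("exportable:", *exportable_sha256(found), sep="\n  ")
```

A path that maps to more than one digest is the signal to stop treating the hashes as primary indicators for that drop; in this report that applies to every welovechina.exe location.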