orcus | be235c670fa83853dfdd3c668df58da88289d2a8ef44e734fbc646f27cba9588

Analysis

max time kernel
31s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09-01-2024 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Calculator14VGAexe.exe
Size

1.7MB
MD5

4c969f76c5c1150669e1a54cfa20ed1c
SHA1

037f9b972c732222ba259754f75868caaefd03a3
SHA256

be235c670fa83853dfdd3c668df58da88289d2a8ef44e734fbc646f27cba9588
SHA512

5246dd5f6ee9c747360431bc140779a4d316af51186c6bcc0d6d0f3bb20e633cbdee2296432fd08e4f9234089bbcb5c868e8c9d75b05b523af53c5d34cc3ea15
SSDEEP

49152:ODQxkKWUoI8cQFrqxevo2NdQNBwLPVhF6WT:j2KWUoILC3nQDwrVn6WT

Score

10^/10

orcus tg rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

10.0.2.15:6969

Mutex

a867e8d19abf423285769fa6d8e47601

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%programfiles%\Java8update\updaterjava9.exe
reconnect_delay
10000
registry_keyname
RobloxJavaMaster
taskscheduler_taskname
Orcus
watchdog_path
AppData\RobloxUpdater04.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcurs Rat Executable 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4988-3-0x0000000000170000-0x00000000005E4000-memory.dmp	orcus
behavioral2/memory/4988-66-0x0000000000170000-0x00000000005E4000-memory.dmp	orcus
behavioral2/memory/4548-69-0x0000000000D20000-0x0000000001194000-memory.dmp	orcus
behavioral2/memory/4548-67-0x0000000000D20000-0x0000000001194000-memory.dmp	orcus
behavioral2/memory/3232-84-0x0000000000D20000-0x0000000001194000-memory.dmp	orcus
behavioral2/memory/3232-85-0x0000000000D20000-0x0000000001194000-memory.dmp	orcus
behavioral2/memory/3232-108-0x0000000000D20000-0x0000000001194000-memory.dmp	orcus

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Calculator14VGAexe.exe

pid process

4988 Calculator14VGAexe.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Calculator14VGAexe.exe

pid process

4988 Calculator14VGAexe.exe

pid	process
4988	Calculator14VGAexe.exe

pid	process
4988	Calculator14VGAexe.exe

C:\Users\Admin\AppData\Local\Temp\Calculator14VGAexe.exe
"C:\Users\Admin\AppData\Local\Temp\Calculator14VGAexe.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4988

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
2⤵
PID:3060

C:\Program Files (x86)\Java8update\updaterjava9.exe
"C:\Program Files (x86)\Java8update\updaterjava9.exe"
2⤵
PID:4548

C:\Users\Admin\AppData\Roaming\RobloxUpdater04.exe
"C:\Users\Admin\AppData\Roaming\RobloxUpdater04.exe" /launchSelfAndExit "C:\Program Files (x86)\Java8update\updaterjava9.exe" 4548 /protectFile
3⤵
PID:2204

C:\Users\Admin\AppData\Roaming\RobloxUpdater04.exe
"C:\Users\Admin\AppData\Roaming\RobloxUpdater04.exe" /watchProcess "C:\Program Files (x86)\Java8update\updaterjava9.exe" 4548 "/protectFile"
4⤵
PID:2988

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
PID:4336

C:\Program Files (x86)\Java8update\updaterjava9.exe
"C:\Program Files (x86)\Java8update\updaterjava9.exe"
1⤵
PID:3232

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Java8update\updaterjava9.exe
Filesize
149KB

MD5
78344d8aaf68b4680b2ed6e1ef8ba5e1

SHA1
0c492e5b3d3083a8c70bb854dc4af5da0c89c17e

SHA256
4059875be9fb25ede65f963e321987c0e15bf4a004c64f005965bf4de086fa21

SHA512
1a73dde9ceabd54eb39fd693086187d49ab06ca4b4747945a10a2bfc472724550abaff0b0fe4d42bf881cf79ea071b307b87251d04aa3b1b2e66f4c69761bc4e

Download Submit
C:\Program Files (x86)\Java8update\updaterjava9.exe
Filesize
126KB

MD5
2a0cd606a2fcce371b2bed64028ef376

SHA1
6a603f8f8bfb2766c59948e6ff609226d85efb45

SHA256
d8e988fbece0c4037e38f9121cf75775be571ddd55e22e14f44ba336f5ca8990

SHA512
76e5671e8099667972b841657756956d5d08f8beadba183c096aa5579c3eace611fe625149eae05d578a531917de3c8106f6c3096ca38d2ece931805b1683e6f

Download Submit
C:\Program Files (x86)\Java8update\updaterjava9.exe
Filesize
36KB

MD5
e8b10dc141fd2c5a5850889d5f741b7b

SHA1
74b2acc97a21b97e68cca09d754199788c4ef742

SHA256
00dfdd6c66f06965d5b8ba2c6434dd8964859764a238423f091eb549fd552adb

SHA512
f51e2f6effa0952742b53ee5e6f5aa3c6119c5ac0774459caaaa3facbb9ce6d3d108ca92a76e29f4a024c9e0d324bcf7706269de286887331f12b8b0334370e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RobloxUpdater04.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Roaming\NVIDlA\err_a867e8d19abf423285769fa6d8e47601.dat
Filesize
1KB

MD5
d9d1d25063cec149442c6c83cf5a7915

SHA1
44b05e493f4c95e0737c5935f46d90bfe8d1eab3

SHA256
f00ae670f4eb88d5e7d14d8e70bc8ddd575a3c331904fe3dae7a736dbbe8223f

SHA512
83dcae11160361c70b66ef5b859687eff24f609699c9629022636b9787e6519e72f55b9e79a91a21a58b29f60f2c2d500e38ddb731971db32abb860a478e2882

Download Submit
C:\Users\Admin\AppData\Roaming\RobloxUpdater04.exe
Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe
Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config
Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\program files (x86)\java8update\updaterjava9.exe
Filesize
46KB

MD5
3288ddec3771a143aa6c46943c8e7398

SHA1
d021ce6fbae8e350d5d1945b4f4badf51bfd05a6

SHA256
ad7dd48d72294c8b50c57ce4f63d976e5948f7ff4fc1b6eb2e1ec75e607c62bb

SHA512
f3c59f8eaa7b629eefa0fb29e82ead80e37bfc24296f87673634b281f26ca57335ccebf6ae509b6f69bd30042241d6d35f5a3f44d1208c437c55fb0dc15f0592

Download Submit
memory/2204-99-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/2204-103-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/2204-98-0x0000000000270000-0x0000000000278000-memory.dmp

Filesize
32KB

Download
memory/2988-105-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/2988-116-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/3060-36-0x0000000002DA0000-0x0000000002DB2000-memory.dmp

Filesize
72KB

Download
memory/3060-33-0x0000000000D00000-0x0000000000D0C000-memory.dmp

Filesize
48KB

Download
memory/3060-43-0x00007FFDF61A0000-0x00007FFDF6C61000-memory.dmp

Filesize
10.8MB

Download
memory/3060-37-0x0000000002E30000-0x0000000002E6C000-memory.dmp

Filesize
240KB

Download
memory/3060-39-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download
memory/3060-38-0x00007FFDF61A0000-0x00007FFDF6C61000-memory.dmp

Filesize
10.8MB

Download
memory/3232-108-0x0000000000D20000-0x0000000001194000-memory.dmp

Filesize
4.5MB

Download
memory/3232-77-0x0000000000D20000-0x0000000001194000-memory.dmp

Filesize
4.5MB

Download
memory/3232-81-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/3232-85-0x0000000000D20000-0x0000000001194000-memory.dmp

Filesize
4.5MB

Download
memory/3232-84-0x0000000000D20000-0x0000000001194000-memory.dmp

Filesize
4.5MB

Download
memory/3232-87-0x0000000006140000-0x0000000006150000-memory.dmp

Filesize
64KB

Download
memory/3232-109-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/4336-104-0x00007FFDF61A0000-0x00007FFDF6C61000-memory.dmp

Filesize
10.8MB

Download
memory/4336-45-0x00007FFDF61A0000-0x00007FFDF6C61000-memory.dmp

Filesize
10.8MB

Download
memory/4336-46-0x000000001A6F0000-0x000000001A700000-memory.dmp

Filesize
64KB

Download
memory/4336-47-0x000000001AB10000-0x000000001AC1A000-memory.dmp

Filesize
1.0MB

Download
memory/4336-110-0x000000001A6F0000-0x000000001A700000-memory.dmp

Filesize
64KB

Download
memory/4548-79-0x00000000074A0000-0x00000000074B0000-memory.dmp

Filesize
64KB

Download
memory/4548-78-0x0000000007670000-0x0000000007832000-memory.dmp

Filesize
1.8MB

Download
memory/4548-68-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/4548-70-0x0000000005940000-0x0000000005950000-memory.dmp

Filesize
64KB

Download
memory/4548-69-0x0000000000D20000-0x0000000001194000-memory.dmp

Filesize
4.5MB

Download
memory/4548-67-0x0000000000D20000-0x0000000001194000-memory.dmp

Filesize
4.5MB

Download
memory/4548-62-0x0000000000D20000-0x0000000001194000-memory.dmp

Filesize
4.5MB

Download
memory/4548-112-0x0000000000D20000-0x0000000001194000-memory.dmp

Filesize
4.5MB

Download
memory/4548-71-0x0000000005930000-0x0000000005942000-memory.dmp

Filesize
72KB

Download
memory/4548-113-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/4548-74-0x00000000070F0000-0x000000000713E000-memory.dmp

Filesize
312KB

Download
memory/4548-76-0x00000000072D0000-0x00000000072E8000-memory.dmp

Filesize
96KB

Download
memory/4548-80-0x0000000007600000-0x000000000760A000-memory.dmp

Filesize
40KB

Download
memory/4548-114-0x0000000005940000-0x0000000005950000-memory.dmp

Filesize
64KB

Download
memory/4988-17-0x00000000069B0000-0x0000000006ABA000-memory.dmp

Filesize
1.0MB

Download
memory/4988-66-0x0000000000170000-0x00000000005E4000-memory.dmp

Filesize
4.5MB

Download
memory/4988-65-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/4988-35-0x0000000000170000-0x00000000005E4000-memory.dmp

Filesize
4.5MB

Download
memory/4988-19-0x00000000074A0000-0x00000000074C2000-memory.dmp

Filesize
136KB

Download
memory/4988-0-0x0000000000170000-0x00000000005E4000-memory.dmp

Filesize
4.5MB

Download
memory/4988-16-0x0000000006830000-0x000000000687C000-memory.dmp

Filesize
304KB

Download
memory/4988-15-0x00000000067F0000-0x000000000682C000-memory.dmp

Filesize
240KB

Download
memory/4988-14-0x0000000006790000-0x00000000067A2000-memory.dmp

Filesize
72KB

Download
memory/4988-13-0x0000000006D50000-0x0000000007368000-memory.dmp

Filesize
6.1MB

Download
memory/4988-10-0x0000000005F70000-0x0000000005F78000-memory.dmp

Filesize
32KB

Download
memory/4988-12-0x00000000066C0000-0x0000000006726000-memory.dmp

Filesize
408KB

Download
memory/4988-11-0x0000000005F80000-0x0000000005F88000-memory.dmp

Filesize
32KB

Download
memory/4988-9-0x0000000005F60000-0x0000000005F72000-memory.dmp

Filesize
72KB

Download
memory/4988-7-0x0000000006010000-0x00000000065B4000-memory.dmp

Filesize
5.6MB

Download
memory/4988-8-0x0000000005B70000-0x0000000005C02000-memory.dmp

Filesize
584KB

Download
memory/4988-6-0x0000000005A00000-0x0000000005A5C000-memory.dmp

Filesize
368KB

Download
memory/4988-5-0x0000000003740000-0x000000000374E000-memory.dmp

Filesize
56KB

Download
memory/4988-4-0x0000000003770000-0x0000000003780000-memory.dmp

Filesize
64KB

Download
memory/4988-3-0x0000000000170000-0x00000000005E4000-memory.dmp

Filesize
4.5MB

Download
memory/4988-2-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download