Malware Analysis Report

2025-01-22 15:05

Sample ID 240206-bgmpmadfdm
Target b4af3126655823c6b45c2584feccf38dd74fc661e6274fb5001c3d68e39afb4c
SHA256 b4af3126655823c6b45c2584feccf38dd74fc661e6274fb5001c3d68e39afb4c
Tags: new tag (новый тег), orcus, rat, spyware, stealer
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK (Enterprise Matrix V15)
  Analysis: static1 (Detonation Overview, Signatures)
  Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
  Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

b4af3126655823c6b45c2584feccf38dd74fc661e6274fb5001c3d68e39afb4c

Threat Level: Known bad

The file b4af3126655823c6b45c2584feccf38dd74fc661e6274fb5001c3d68e39afb4c was found to be: Known bad.

Malicious Activity Summary

Tags: new tag (новый тег), orcus, rat, spyware, stealer

Orcus
  Orcus main payload
  Orcus RAT executable
  Orcus family
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK (Enterprise Matrix V15)

No technique mappings are included in this export of the report.

Analysis: static1

Detonation Overview

Reported

2024-02-06 01:07

Signatures

Orcus RAT executable
Description Indicator Process Target
N/A N/A N/A N/A

Orcus family (tag: orcus)

Orcus main payload
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-06 01:07

Reported

2024-02-06 01:11

Platform

win7-20231215-en

Max time kernel

0s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b4af3126655823c6b45c2584feccf38dd74fc661e6274fb5001c3d68e39afb4c.exe"

Signatures

Orcus (tags: rat, spyware, stealer, orcus)

Orcus main payload
Description Indicator Process Target
N/A N/A N/A N/A

Orcus RAT executable (3 hits, no indicator details recorded)
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses
Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4af3126655823c6b45c2584feccf38dd74fc661e6274fb5001c3d68e39afb4c.exe N/A

Suspicious use of AdjustPrivilegeToken
(the sample enables SeDebugPrivilege in its own token; that privilege lets a process open handles to other processes regardless of their DACL, which is what injection needs)
Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b4af3126655823c6b45c2584feccf38dd74fc661e6274fb5001c3d68e39afb4c.exe N/A

Processes

Each entry is the image path followed by the command line as recorded.

C:\Users\Admin\AppData\Local\Temp\b4af3126655823c6b45c2584feccf38dd74fc661e6274fb5001c3d68e39afb4c.exe
    "C:\Users\Admin\AppData\Local\Temp\b4af3126655823c6b45c2584feccf38dd74fc661e6274fb5001c3d68e39afb4c.exe"

C:\Windows\system32\taskeng.exe
    taskeng.exe {8DDE8B7B-4EF7-4DF1-8509-BE2675C88193} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]
    (Task Scheduler engine for the Admin interactive session: a scheduled task fired during the run; the report does not show the task registration itself)

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
    (the signed .NET Framework Code Access Security Policy tool, started with no arguments)

C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe
    C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe

C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe
    "C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe"

C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe
    C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe

Network

Country  Destination          Domain                     Proto
US       8.8.8.8:53           58576.client.sudorat.top   udp
RU       31.44.184.52:58576   58576.client.sudorat.top   tcp

C2: 58576.client.sudorat.top, resolving to 31.44.184.52, contacted on TCP/58576. The leftmost label of the hostname is the destination port. The only TCP connection in the capture is this one.

Files

Dropped files and memory captures from the win7 run. Reading notes:
- lowbase.exe under %AppData%\javascriptpackettemp is captured six times with six different hash sets, so any single hash of the dropped file is a weak indicator; the path is the stable one.
- MD5 d41d8cd98f00b204e9800998ecf8427e / SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 are the digests of zero-length input: lowbase.exe.config was empty when captured.
- Cab1A94.tmp is a cabinet file in %TEMP%; such files are commonly produced by CryptoAPI certificate and root-store downloads rather than by the sample.
- The region 0x741E0000-0x748CE000 is dumped from every process in the tree (PIDs 2572, 1548, 2848, 2884, 2800); an identically sized mapping at the same address in each process is consistent with a shared runtime DLL, not sample code. The region 0x400000-0x6FE000 of PID 2884 was captured six times during the run.

memory/2572-1-0x00000000741E0000-0x00000000748CE000-memory.dmp

memory/2572-0-0x0000000000F40000-0x000000000123E000-memory.dmp

memory/2572-2-0x0000000000E80000-0x0000000000EC0000-memory.dmp

memory/2572-4-0x0000000000BF0000-0x0000000000C4C000-memory.dmp

memory/2572-3-0x00000000002F0000-0x00000000002FE000-memory.dmp

memory/2572-5-0x00000000003C0000-0x00000000003D2000-memory.dmp

C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe

MD5 2794dea72b9f3133d95c7b85ead090a7
SHA1 9857270851b6e0659fa5721a720a5cfac88eb46e
SHA256 5300e25aa5b4a5f50db8edd222d6ece5de4033d62f5e6d6849ea0024676475a1
SHA512 370ce42f427d7017eb3407247d5f18bd2cad299fc21326014d07c7130ba38d5cb7625eb6ebe6c2b6d397dd9902547fd8aa9e7b8798da0e2fa1a6afd60ffd0ff5

memory/2572-16-0x00000000741E0000-0x00000000748CE000-memory.dmp

memory/1548-19-0x0000000000460000-0x00000000004A0000-memory.dmp

memory/1548-18-0x0000000000C10000-0x0000000000F0E000-memory.dmp

memory/1548-21-0x0000000002370000-0x00000000023BE000-memory.dmp

memory/1548-20-0x0000000000720000-0x0000000000732000-memory.dmp

memory/1548-17-0x00000000741E0000-0x00000000748CE000-memory.dmp

C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe

MD5 65696ae7f9f46b859b8569b43999d07f
SHA1 bd221e65e2a3deaf259894d503dc523bc5fc37c1
SHA256 a1ec055137a4f5b42fdf16b95c6859bb2bd4fbd6a931347f0fa13b9ec5c92845
SHA512 7b1bd9823ad0effb965c32f6fb90c788c07223c936edaeca6585c6a67c9b69176e773193b8aecb1b6b0be0dc6ff98753ca70c68e81d41a91618780399ecf802b

C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe.config

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe

MD5 19f3cdec267ffcb022a8b6aa43ce2e17
SHA1 166c3ce0546f191dc4ff70d79ed633d6e0d9062c
SHA256 9c9deb62e9e20ec30dad4a6d493643b47c25fef0de90740936921dc6095ac6eb
SHA512 d6897fffefc936d28f18c76a5c71dca325b73f4d161473e86fbd821214d50b1d6920af9228c52bc63d83c9cd3e48af6c99d488fee841710c0a6ad8d75026e9f4

\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe

MD5 ee7052356bbd3afa1ee3c21a4222b55f
SHA1 9e3ecff8b9394c8b3786ad231a08dedc059df354
SHA256 1e6742f6f742d68a6d0fb6647643e6e26058762cc54ef9573f059fd3eb2add30
SHA512 225c2de3ab31ff8927ddf14562222cdaeae26cb6b17545067e3bda305879ab4974c653c8a27dae77b77dcdbe8cf95b6964a745522ecd8110a8ebfa9c648ab620

memory/2884-23-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/2884-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2884-31-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/2848-36-0x00000000011D0000-0x00000000014CE000-memory.dmp

memory/2848-39-0x00000000741E0000-0x00000000748CE000-memory.dmp

memory/2848-38-0x0000000004CC0000-0x0000000004D00000-memory.dmp

memory/2884-40-0x0000000000CD0000-0x0000000000CE8000-memory.dmp

memory/2884-41-0x0000000000F20000-0x0000000000F30000-memory.dmp

memory/2884-37-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

memory/2884-35-0x00000000741E0000-0x00000000748CE000-memory.dmp

C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe

MD5 4e7e9a42a051bd0def8039d32d0242de
SHA1 bbcbd0399ae7c403c8a864f5504cf96be9dd06a1
SHA256 cf169c95539b74ea038c48ccfb75e538a97bc54d1dd16a48fcfa40c0e1045a18
SHA512 ff5a2999ec0a0223fce9ede4577dbda09d82495f539d7e9f1cf1dddc165e0a5b943e7a591970db1bdf4a25cd479a835f8693678a74f9af947c560bb1b390d6fe

memory/2884-33-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/1548-30-0x00000000741E0000-0x00000000748CE000-memory.dmp

memory/2884-28-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/2884-25-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/2884-24-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/2884-22-0x0000000000400000-0x00000000006FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab1A94.tmp

MD5 922ce20009f9d164ce954487d373527c
SHA1 8a1942db234c4c8eec8f30f955a9e3ac2f8c58f2
SHA256 d42dd4c42aa9feaa2e2649936e08d954fe57e9d1e75cca2adb0c1e0e19fe147c
SHA512 a35eef341dd309c58a8236298b0ebb845294a13dbbd91d6085b469866bb91bf242858454fd0b2301755faf208e6819796484c49d575b1ec961ba209e23f4d89f

memory/2848-58-0x00000000741E0000-0x00000000748CE000-memory.dmp

memory/2884-59-0x00000000741E0000-0x00000000748CE000-memory.dmp

memory/2884-60-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe

MD5 59b4ef1defad2968fb0d9366566daecf
SHA1 081326ac42537f6f10088cbe03fe84d4c9877f5c
SHA256 054c3323fa6e538f57544206961a5f6f4d937822e4b70d522173fd29ff652314
SHA512 10a6582e7c11b17ce789ebb10d33dc5e47fc38d1b3e902eccb69b46641da7887f24bf08d7c161683b81db32fa2206ff878c2234ffa60122627a4025a4a0b44ca

memory/2800-62-0x00000000741E0000-0x00000000748CE000-memory.dmp

memory/2800-63-0x00000000741E0000-0x00000000748CE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-06 01:07

Reported

2024-02-06 01:11

Platform

win10v2004-20231215-en

Max time kernel

0s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b4af3126655823c6b45c2584feccf38dd74fc661e6274fb5001c3d68e39afb4c.exe"

Signatures

Orcus (tags: rat, spyware, stealer, orcus)

Orcus main payload (2 hits, no indicator details recorded)
Description Indicator Process Target
N/A N/A N/A N/A

Orcus RAT executable (3 hits, no indicator details recorded)
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses
Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4af3126655823c6b45c2584feccf38dd74fc661e6274fb5001c3d68e39afb4c.exe N/A

Suspicious use of AdjustPrivilegeToken
(SeDebugPrivilege enabled in the sample's own token, as in the win7 run)
Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b4af3126655823c6b45c2584feccf38dd74fc661e6274fb5001c3d68e39afb4c.exe N/A

Processes

Each entry is the image path followed by the command line as recorded. Unlike the win7 run there is no taskeng.exe here, and caspol.exe is started twice.

C:\Users\Admin\AppData\Local\Temp\b4af3126655823c6b45c2584feccf38dd74fc661e6274fb5001c3d68e39afb4c.exe
    "C:\Users\Admin\AppData\Local\Temp\b4af3126655823c6b45c2584feccf38dd74fc661e6274fb5001c3d68e39afb4c.exe"

C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe
    "C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
    (both caspol.exe instances are started with no arguments)

C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe
    C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe

C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe
    C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe
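The following is an added example, not part of the sandbox report and not Orcus code: a small triage pass over a process listing in the "image path / command line" shape of the two Processes sections above (behavioral1 and behavioral2). The entries are transcribed from the report; the flag names, the path and GUID regexes and the DOTNET_UTILS list are this example's own assumptions, not sandbox signatures.

```python
"""Added example: heuristics over a sandbox process listing.

The process entries are transcribed from this report's behavioral1 and
behavioral2 Processes sections; the flag names, regexes and the DOTNET_UTILS
list are assumptions of this example, not sandbox signatures.
"""
import re
from typing import NamedTuple


class Proc(NamedTuple):
    image: str     # image path as listed in the report
    cmdline: str   # command line as listed in the report


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\b4af3126655823c6b45c2584feccf38dd74fc661e6274fb5001c3d68e39afb4c.exe")
LOWBASE = r"C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe"
CASPOL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
TASKENG = r"C:\Windows\system32\taskeng.exe"

BEHAVIORAL1 = [  # win7 run, in the order the report lists them
    Proc(SAMPLE, f'"{SAMPLE}"'),
    Proc(TASKENG, r"taskeng.exe {8DDE8B7B-4EF7-4DF1-8509-BE2675C88193} "
                  r"S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]"),
    Proc(CASPOL, f'"{CASPOL}"'),
    Proc(LOWBASE, LOWBASE),
    Proc(LOWBASE, f'"{LOWBASE}"'),
    Proc(LOWBASE, LOWBASE),
]
BEHAVIORAL2 = [  # win10 run
    Proc(SAMPLE, f'"{SAMPLE}"'),
    Proc(LOWBASE, f'"{LOWBASE}"'),
    Proc(CASPOL, f'"{CASPOL}"'),
    Proc(CASPOL, f'"{CASPOL}"'),
    Proc(LOWBASE, LOWBASE),
    Proc(LOWBASE, LOWBASE),
]

# Executables under the roaming profile: a classic drop/persistence location.
ROAMING = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\", re.I)
# Signed .NET Framework utilities that do nothing useful without arguments; an
# argument-less instance is worth a look as an injection host (assumption).
DOTNET_UTILS = {"caspol.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}
TASK_GUID = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def split_args(cmdline: str) -> str:
    """Return everything after the executable token, handling the quoted form."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    return s.split(None, 1)[1].strip() if " " in s else ""


def triage(procs):
    """Return (flag, detail) pairs, one per heuristic hit, in listing order."""
    findings = []
    for p in procs:
        name = basename(p.image)
        args = split_args(p.cmdline)
        if ROAMING.match(p.image):
            findings.append(("exe_in_appdata_roaming", p.image))
        if name in DOTNET_UTILS and not args:
            findings.append(("dotnet_util_no_args", name))
        if name == "taskeng.exe":   # Task Scheduler engine: a scheduled task fired
            m = TASK_GUID.search(args)
            findings.append(("scheduled_task_fired", m.group(0) if m else "?"))
    return findings


def summarize(procs):
    """Count hits per flag, e.g. {'exe_in_appdata_roaming': 3, ...}."""
    counts = {}
    for flag, _ in triage(procs):
        counts[flag] = counts.get(flag, 0) + 1
    return counts


if __name__ == "__main__":
    for label, procs in (("behavioral1", BEHAVIORAL1), ("behavioral2", BEHAVIORAL2)):
        print(label, summarize(procs))
        for flag, detail in triage(procs):
            print("  ", flag, detail)
```

Run against the two listings it reports three roaming-profile executables in each run, one argument-less caspol.exe in the win7 run and two in the win10 run, and the task GUID {8DDE8B7B-4EF7-4DF1-8509-BE2675C88193} from the taskeng.exe command line. A real listing would also carry parent PIDs; with those the same pass should check that caspol.exe is a child of the dropped binary rather than of the sample launcher, which this report's flat list cannot show.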

Network

Country  Destination          Domain                        Proto
US       8.8.8.8:53           154.239.44.20.in-addr.arpa    udp
US       8.8.8.8:53           180.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53           58576.client.sudorat.top      udp
RU       31.44.184.52:58576   58576.client.sudorat.top      tcp
US       8.8.8.8:53           136.32.126.40.in-addr.arpa    udp
US       8.8.8.8:53           52.184.44.31.in-addr.arpa     udp
US       8.8.8.8:53           26.165.165.52.in-addr.arpa    udp
US       8.8.8.8:53           171.39.242.20.in-addr.arpa    udp
US       8.8.8.8:53           134.71.91.104.in-addr.arpa    udp
US       8.8.8.8:53           194.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53           11.227.111.52.in-addr.arpa    udp

The C2 row is the same as in the win7 run: 58576.client.sudorat.top, 31.44.184.52, TCP/58576. The remaining rows are reverse-DNS (PTR) queries. 52.184.44.31.in-addr.arpa is the reverse of the C2 address 31.44.184.52; the other PTR names resolve unrelated addresses and nothing in this report ties them to the sample.
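As an added example (not part of the report), the following Python pulls the C2 indicators out of Network tables in the shape printed above (both runs) and runs them over a few constructed DNS and connection events. REPORT_ROWS is transcribed from the report; the event records, the Zeek-like field names and the "sibling host" generalisation (that other builds of the same kit differ only in the port label) are assumptions of this example.

```python
"""Added example: C2 indicator extraction from the report's Network tables and
a matcher over constructed DNS/connection events.

REPORT_ROWS is transcribed from the report; EVENTS, the event field names and
the sibling-host generalisation are assumptions of this example.
"""
import re

REPORT_ROWS = """\
US 8.8.8.8:53 58576.client.sudorat.top udp
RU 31.44.184.52:58576 58576.client.sudorat.top tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 52.184.44.31.in-addr.arpa udp
"""


def parse_rows(text):
    """Rows are 'country ip:port domain proto', as printed in the report."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_ptr(name):
    return name.endswith(".in-addr.arpa") or name.endswith(".ip6.arpa")


def ptr_target(name):
    """'52.184.44.31.in-addr.arpa' -> '31.44.184.52' (octets are reversed in PTR names)."""
    if not name.endswith(".in-addr.arpa"):
        return None
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def extract_iocs(rows):
    """Contacted hosts minus resolver traffic and PTR noise."""
    iocs = {"domains": set(), "ips": set(), "sockets": set()}
    for r in rows:
        if is_ptr(r["domain"]):
            continue
        iocs["domains"].add(r["domain"])
        if r["port"] == 53 and r["proto"] == "udp":   # the DNS resolver, not the C2
            continue
        iocs["ips"].add(r["ip"])
        iocs["sockets"].add((r["ip"], r["port"]))
    return iocs


def port_encoded_in_label(domain, port):
    """True when the leftmost label is the decimal port, as with 58576.client.sudorat.top:58576."""
    return domain.split(".", 1)[0] == str(port)


def sibling_pattern(domain):
    """Generalise '<port>.client.sudorat.top' to any port label (assumption: sibling
    builds of the same kit differ only in that label)."""
    rest = domain.split(".", 1)[1]
    return re.compile(r"^\d{1,5}\." + re.escape(rest) + r"$")


# Constructed events (not from the report) in a minimal Zeek-like shape.
EVENTS = [
    {"type": "dns", "query": "58576.client.sudorat.top"},
    {"type": "conn", "dst": "31.44.184.52", "dport": 58576},
    {"type": "dns", "query": "44121.client.sudorat.top"},    # hypothetical sibling host
    {"type": "dns", "query": "52.184.44.31.in-addr.arpa"},   # PTR for the C2 IP, seen in behavioral2
    {"type": "conn", "dst": "8.8.8.8", "dport": 53},         # resolver traffic, no hit
]


def match_events(events, iocs, patterns):
    hits = []
    for e in events:
        if e["type"] == "dns":
            q = e["query"]
            if q in iocs["domains"]:
                hits.append(("domain", q))
            elif any(p.match(q) for p in patterns):
                hits.append(("sibling_host", q))
            elif is_ptr(q) and ptr_target(q) in iocs["ips"]:
                hits.append(("ptr_of_c2_ip", q))
        elif e["type"] == "conn":
            if (e["dst"], e["dport"]) in iocs["sockets"]:
                hits.append(("socket", f"{e['dst']}:{e['dport']}"))
            elif e["dst"] in iocs["ips"]:
                hits.append(("ip_only", e["dst"]))
    return hits


def run():
    rows = parse_rows(REPORT_ROWS)
    iocs = extract_iocs(rows)
    # Only widen to sibling hosts where the port-in-label convention is actually observed.
    patterns = [sibling_pattern(d) for d in iocs["domains"]
                if any(port_encoded_in_label(d, r["port"]) for r in rows if r["domain"] == d)]
    return iocs, match_events(EVENTS, iocs, patterns)


if __name__ == "__main__":
    iocs, hits = run()
    print(iocs)
    for h in hits:
        print(*h)
```

The PTR check is the one worth keeping: a host that reverse-resolves the C2 address after talking to it is a second, independent sighting of the same infrastructure in DNS telemetry, and it is exactly what the behavioral2 table shows.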

Files

Dropped files and memory captures from the win10 run. Reading notes:
- lowbase.exe is captured five times, four with distinct content and once as a zero-byte file (MD5 d41d8cd98f00b204e9800998ecf8427e / SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 are the digests of empty input).
- lowbase.exe.config has content in this run, unlike the empty copy in the win7 run.
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lowbase.exe.log is written by the .NET runtime for a managed application it has executed; its presence confirms lowbase.exe ran as a 32-bit .NET Framework 4.x assembly.
- The region 0x74CA0000-0x75450000 is dumped from every process in the tree (PIDs 4744, 668, 4472, 3580, 3664); as in the win7 run, an identical mapping in each process is consistent with a shared runtime DLL rather than sample code.

memory/4744-1-0x0000000000D40000-0x000000000103E000-memory.dmp

memory/4744-2-0x00000000059A0000-0x00000000059B0000-memory.dmp

memory/4744-3-0x0000000005990000-0x000000000599E000-memory.dmp

memory/4744-4-0x0000000005C00000-0x0000000005C5C000-memory.dmp

memory/4744-6-0x0000000005DF0000-0x0000000005E82000-memory.dmp

memory/4744-5-0x0000000006300000-0x00000000068A4000-memory.dmp

memory/4744-0-0x0000000074CA0000-0x0000000075450000-memory.dmp

memory/4744-7-0x0000000005DE0000-0x0000000005DF2000-memory.dmp

C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe

MD5 7efee619e783d06d8d526cc763ccb994
SHA1 38f32a260d01d1c0a8b0840dea4c7c7404784137
SHA256 e79045493be7f0d7c9604eb49d4c15a883aa0c08cfa4ef721a1d70fe4ac89b84
SHA512 c249861f4dde01199e62126840e2481f16c6ae776e643ddbecaa9a15d048da136a6e86c5493f9c823a08cdc5f187694fd5016904f7d5cb10bf5efd69a897bbbd

memory/4744-24-0x0000000074CA0000-0x0000000075450000-memory.dmp

memory/668-25-0x0000000005850000-0x0000000005860000-memory.dmp

memory/668-23-0x0000000074CA0000-0x0000000075450000-memory.dmp

C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe

MD5 2b0e9a26e54cee4ffda0c920d5fadd1c
SHA1 99b532aa4ddc76b292cf7f98fb7231d0bf21fdcc
SHA256 c5d08f7fc7901991889b37de648d5b7a4db50229894fc75181c692f10414fe42
SHA512 ab50b106af07d04feb66de744765f3f4ad3da6bb85af4fa3e1140d2b8ba62e532ac1d22f999238cf811594473b27735a5cc8a7a116c18258780fcc76c73a3b04

memory/668-27-0x0000000006180000-0x00000000061CE000-memory.dmp

memory/668-26-0x0000000006160000-0x0000000006172000-memory.dmp

memory/4472-34-0x0000000074CA0000-0x0000000075450000-memory.dmp

memory/4472-35-0x0000000001960000-0x0000000001970000-memory.dmp

memory/668-33-0x0000000074CA0000-0x0000000075450000-memory.dmp

memory/4472-37-0x0000000006430000-0x0000000006440000-memory.dmp

memory/4472-39-0x0000000006770000-0x000000000677A000-memory.dmp

memory/3580-38-0x0000000005450000-0x0000000005460000-memory.dmp

memory/4472-36-0x0000000005610000-0x0000000005628000-memory.dmp

memory/3580-31-0x0000000074CA0000-0x0000000075450000-memory.dmp

memory/668-29-0x0000000006AE0000-0x0000000006B7C000-memory.dmp

C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe

MD5 0339e4143a8c2cd99acdbf7c41533a70
SHA1 722e2e3c8fae4d1941ddee805b10d8a82540ced9
SHA256 ddcd8d53e3276b1077c1c3c225db89e48323a85733be0bc4ee79d4f4aeb86f5a
SHA512 578ff57699bc65a1ea7ae2b9bcd4ccde588733c234d28b68dbe9b60bbf7f0cb873655efe5a4c75941472ac32f1f2d180233707fc28d1129a79f0028212f57911

C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe

MD5 f0b5b7471116c984a131ba59102aa893
SHA1 8de0255b5704ff3bbd2b1c65d9deff87bbbbaf6e
SHA256 31e77bfeaad9c2591ade00a28e8a53337b789094e431521d26ab06cbe9992ed2
SHA512 61f1938e8a457e6a3a4ea31bd23ebd5c6bc04189869ac1787fb3b6bf4cd37f91bbf44356cda90a0c5133f69735425afb45a1ab07ea2f25f8b7fda2cd15415c07

memory/4472-42-0x0000000006ED0000-0x0000000006F36000-memory.dmp

memory/4472-44-0x0000000006FE0000-0x0000000006FF2000-memory.dmp

memory/4472-45-0x0000000007040000-0x000000000707C000-memory.dmp

memory/4472-46-0x0000000007080000-0x00000000070CC000-memory.dmp

memory/4472-43-0x0000000007560000-0x0000000007B78000-memory.dmp

memory/4472-47-0x0000000007210000-0x000000000731A000-memory.dmp

memory/4472-48-0x0000000007B80000-0x0000000007D42000-memory.dmp

memory/3580-50-0x0000000074CA0000-0x0000000075450000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lowbase.exe.log

MD5 663b8d5469caa4489d463aa9bc18124f
SHA1 e57123a7d969115853ea631a3b33826335025d28
SHA256 7b4fa505452f0b8ac74bb31f5a03b13342836318018fb18d224ae2ff11b1a7e8
SHA512 45e373295125a629fcc0b19609608d969c9106514918bfac5d6b8e340e407434577b825741b8fa6a043c8f3f5c1a030ba8857da5f4e8ef15a551ce3c5fe03b55

memory/4472-51-0x0000000074CA0000-0x0000000075450000-memory.dmp

memory/4472-52-0x0000000001960000-0x0000000001970000-memory.dmp

C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3664-54-0x0000000074CA0000-0x0000000075450000-memory.dmp

memory/3664-55-0x0000000005350000-0x0000000005360000-memory.dmp

memory/3664-56-0x0000000074CA0000-0x0000000075450000-memory.dmp
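As an added example (not part of the report), the following Python parses file records in the "path, then MD5/SHA1/SHA256/SHA512 lines" layout of the two Files sections above, de-duplicates them by content and flags zero-byte captures by comparing against digests computed over empty input. REPORT_FILES is a subset transcribed from both runs; the record-format handling and the memory/ line skipping are this example's own.

```python
"""Added example: parse the 'path + MD5/SHA1/SHA256/SHA512' records of the
Files sections, de-duplicate by content and spot zero-byte captures.

REPORT_FILES is a subset transcribed from the report (behavioral1 and
behavioral2); the record-format handling is this example's own.
"""
import hashlib
import re

REPORT_FILES = r"""
C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe

MD5 2794dea72b9f3133d95c7b85ead090a7
SHA1 9857270851b6e0659fa5721a720a5cfac88eb46e
SHA256 5300e25aa5b4a5f50db8edd222d6ece5de4033d62f5e6d6849ea0024676475a1
SHA512 370ce42f427d7017eb3407247d5f18bd2cad299fc21326014d07c7130ba38d5cb7625eb6ebe6c2b6d397dd9902547fd8aa9e7b8798da0e2fa1a6afd60ffd0ff5

memory/2572-16-0x00000000741E0000-0x00000000748CE000-memory.dmp

C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe

MD5 65696ae7f9f46b859b8569b43999d07f
SHA1 bd221e65e2a3deaf259894d503dc523bc5fc37c1
SHA256 a1ec055137a4f5b42fdf16b95c6859bb2bd4fbd6a931347f0fa13b9ec5c92845
SHA512 7b1bd9823ad0effb965c32f6fb90c788c07223c936edaeca6585c6a67c9b69176e773193b8aecb1b6b0be0dc6ff98753ca70c68e81d41a91618780399ecf802b

C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe.config

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lowbase.exe.log

MD5 663b8d5469caa4489d463aa9bc18124f
SHA1 e57123a7d969115853ea631a3b33826335025d28
SHA256 7b4fa505452f0b8ac74bb31f5a03b13342836318018fb18d224ae2ff11b1a7e8
SHA512 45e373295125a629fcc0b19609608d969c9106514918bfac5d6b8e340e407434577b825741b8fa6a043c8f3f5c1a030ba8857da5f4e8ef15a551ce3c5fe03b55

C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""

ALGOS = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}   # hex digest lengths
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$", re.I)
# Digests of zero-length input, computed rather than hard-coded.
EMPTY = {a: getattr(hashlib, a)(b"").hexdigest() for a in ALGOS}


def parse_files(text):
    """A record is a path line followed by one line per digest; memory dumps are skipped."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            current["hashes"][m.group(1).lower()] = m.group(2).lower()
        elif not line.startswith("memory/"):
            current = {"path": line, "hashes": {}}
            records.append(current)
    return records


def malformed(rec):
    """Digest names whose hex length is wrong (a transcription or export error)."""
    return [a for a, h in rec["hashes"].items() if len(h) != ALGOS[a]]


def is_empty_file(rec):
    return bool(rec["hashes"]) and all(h == EMPTY[a] for a, h in rec["hashes"].items())


def dedupe(records):
    """One entry per distinct content (keyed on SHA256) with every path it appeared under."""
    by_sha = {}
    for r in records:
        sha = r["hashes"].get("sha256")
        if not sha:
            continue
        entry = by_sha.setdefault(sha, {"paths": set(), "empty": is_empty_file(r)})
        entry["paths"].add(r["path"])
    return by_sha


def versions_per_path(records):
    """Distinct contents captured per path; more than one means the file was rewritten."""
    seen = {}
    for r in records:
        seen.setdefault(r["path"], set()).add(r["hashes"].get("sha256"))
    return {p: len(s) for p, s in seen.items()}


if __name__ == "__main__":
    recs = parse_files(REPORT_FILES)
    for sha, e in dedupe(recs).items():
        print(sha, "EMPTY" if e["empty"] else "", sorted(e["paths"]))
    print(versions_per_path(recs))
```

On this subset the pass yields four distinct contents for five records, with the empty digest shared by lowbase.exe.config (win7) and one lowbase.exe capture (win10), and three distinct contents for the lowbase.exe path. The practical consequence for IOC sharing is the one noted above: publish the path and the C2, and treat the dropped-file hashes as per-capture values rather than as a fixed signature.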