Malware Analysis Report

2025-01-22 15:11

Sample ID 240209-bd7wdsfc25
Target 58db1f0299b71c3912d3805ed68879ee55cb52ccbbffa186322beebfba70f1a5
SHA256 58db1f0299b71c3912d3805ed68879ee55cb52ccbbffa186322beebfba70f1a5
Tags
orcus rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

58db1f0299b71c3912d3805ed68879ee55cb52ccbbffa186322beebfba70f1a5

Threat Level: Known bad

The file 58db1f0299b71c3912d3805ed68879ee55cb52ccbbffa186322beebfba70f1a5 was found to be: Known bad.

Malicious Activity Summary

orcus rat spyware stealer

Orcus

Orcurs Rat Executable

Orcus main payload

Orcus family

Orcurs Rat Executable

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-09 01:02

Signatures

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcus family

orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-09 01:02

Reported

2024-02-09 01:05

Platform

win7-20231215-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\58db1f0299b71c3912d3805ed68879ee55cb52ccbbffa186322beebfba70f1a5.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\System\System | C:\Users\Admin\AppData\Local\Temp\58db1f0299b71c3912d3805ed68879ee55cb52ccbbffa186322beebfba70f1a5.exe | N/A
File opened for modification | C:\Program Files (x86)\System\System | C:\Users\Admin\AppData\Local\Temp\58db1f0299b71c3912d3805ed68879ee55cb52ccbbffa186322beebfba70f1a5.exe | N/A
File created | C:\Program Files (x86)\System\System.config | C:\Users\Admin\AppData\Local\Temp\58db1f0299b71c3912d3805ed68879ee55cb52ccbbffa186322beebfba70f1a5.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_Classes\Local Settings | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2784 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\58db1f0299b71c3912d3805ed68879ee55cb52ccbbffa186322beebfba70f1a5.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2784 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\58db1f0299b71c3912d3805ed68879ee55cb52ccbbffa186322beebfba70f1a5.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2784 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\58db1f0299b71c3912d3805ed68879ee55cb52ccbbffa186322beebfba70f1a5.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2784 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\58db1f0299b71c3912d3805ed68879ee55cb52ccbbffa186322beebfba70f1a5.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2784 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\58db1f0299b71c3912d3805ed68879ee55cb52ccbbffa186322beebfba70f1a5.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2784 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\58db1f0299b71c3912d3805ed68879ee55cb52ccbbffa186322beebfba70f1a5.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2784 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\58db1f0299b71c3912d3805ed68879ee55cb52ccbbffa186322beebfba70f1a5.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2748 wrote to memory of 1272 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 2748 wrote to memory of 1272 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 2748 wrote to memory of 1272 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 2748 wrote to memory of 1272 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\58db1f0299b71c3912d3805ed68879ee55cb52ccbbffa186322beebfba70f1a5.exe

"C:\Users\Admin\AppData\Local\Temp\58db1f0299b71c3912d3805ed68879ee55cb52ccbbffa186322beebfba70f1a5.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Program Files (x86)\System\System

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Program Files (x86)\System\System"

Network

N/A

Files

memory/2784-1-0x0000000074170000-0x000000007485E000-memory.dmp

memory/2784-0-0x0000000000D50000-0x0000000000E38000-memory.dmp

memory/2784-2-0x0000000000BD0000-0x0000000000C10000-memory.dmp

memory/2784-3-0x0000000000470000-0x000000000047E000-memory.dmp

memory/2784-4-0x0000000000C10000-0x0000000000C6C000-memory.dmp

memory/2784-5-0x00000000005B0000-0x00000000005C2000-memory.dmp

memory/2784-11-0x0000000074170000-0x000000007485E000-memory.dmp

C:\Program Files (x86)\System\System

MD5 6b7766d0c0759dd92ee68643e76d711c
SHA1 096fc8582d58e3652b2079687486c2bc17da275f
SHA256 58db1f0299b71c3912d3805ed68879ee55cb52ccbbffa186322beebfba70f1a5
SHA512 8232afa19eb3994db1210ce53142c610857b6664c3d45a342463f85d4674d7b32f81bde621c49208aed77bd06a8d01fa16c75169a269448826d122dfdd5419fb

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 dbaa77400a72af46ad48d22a70e29cf4
SHA1 be3bc1bd4cba5028de8ad36fa6fa94c397af9d40
SHA256 145681a319e8b6195acb569d1c75a8b89998834fb8be9fc35c4a1a03d4fc3356
SHA512 d7c244af6cc38c049e54e65249927687cdb8a694c782cd2aff910adbc5e84cd7bb779b442896702367e48e538027312176c2f7328a3a05c98993e3d22f1d54d5

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-09 01:02

Reported

2024-02-09 01:05

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\58db1f0299b71c3912d3805ed68879ee55cb52ccbbffa186322beebfba70f1a5.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\System\System | C:\Users\Admin\AppData\Local\Temp\58db1f0299b71c3912d3805ed68879ee55cb52ccbbffa186322beebfba70f1a5.exe | N/A
File opened for modification | C:\Program Files (x86)\System\System | C:\Users\Admin\AppData\Local\Temp\58db1f0299b71c3912d3805ed68879ee55cb52ccbbffa186322beebfba70f1a5.exe | N/A
File created | C:\Program Files (x86)\System\System.config | C:\Users\Admin\AppData\Local\Temp\58db1f0299b71c3912d3805ed68879ee55cb52ccbbffa186322beebfba70f1a5.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\58db1f0299b71c3912d3805ed68879ee55cb52ccbbffa186322beebfba70f1a5.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\58db1f0299b71c3912d3805ed68879ee55cb52ccbbffa186322beebfba70f1a5.exe

"C:\Users\Admin\AppData\Local\Temp\58db1f0299b71c3912d3805ed68879ee55cb52ccbbffa186322beebfba70f1a5.exe"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp

Files

memory/3048-1-0x0000000074C50000-0x0000000075400000-memory.dmp

memory/3048-0-0x0000000000150000-0x0000000000238000-memory.dmp

memory/3048-2-0x0000000004C60000-0x0000000004C70000-memory.dmp

memory/3048-3-0x0000000002590000-0x000000000259E000-memory.dmp

memory/3048-4-0x0000000004A70000-0x0000000004ACC000-memory.dmp

memory/3048-5-0x0000000005220000-0x00000000057C4000-memory.dmp

memory/3048-6-0x0000000004C70000-0x0000000004D02000-memory.dmp

memory/3048-7-0x0000000005110000-0x0000000005122000-memory.dmp

C:\Program Files (x86)\System\System

MD5 eb5a1f3381bda880473959845db38693
SHA1 f98f11377aa4eb775022a71396b4d6b80b860751
SHA256 808c7340f7f5b57266d80fbc66227580f322097fad455c81a3fcaad5d4964249
SHA512 34a3f782265454b22edfe44b23d001b3f00fb597942778ce347faac9de3c84056a820e40c3bd7fec0b0f1bdc06d8b98542823e257122d5f356c034967530c6e9

memory/3048-20-0x0000000074C50000-0x0000000075400000-memory.dmp