Malware Analysis Report

2025-01-22 15:03

Sample ID: 240220-j79k3sed34
Target: ezrat.exe
SHA256: de338e0379af8619e9d16f1e6a5e756e2edf89ae76454b35bdd6a27206f54383
Tags: orcus rat spyware stealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: de338e0379af8619e9d16f1e6a5e756e2edf89ae76454b35bdd6a27206f54383

Threat Level: Known bad

The file ezrat.exe was found to be: Known bad.

Malicious Activity Summary

orcus rat spyware stealer

Orcus

Orcurs Rat Executable

Orcus main payload

Orcus family

Orcurs Rat Executable

Checks computer location settings

Executes dropped EXE

Drops desktop.ini file(s)

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-20 08:19

Signatures

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcus family

orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-20 08:19

Reported

2024-02-20 08:20

Platform

win10v2004-20231215-en

Max time kernel

38s

Max time network

39s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ezrat.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ezrat.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ezrat.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ezrat.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\ezrat.exe | N/A
File opened for modification | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\ezrat.exe | N/A
File created | C:\Program Files\Orcus\Orcus.exe.config | C:\Users\Admin\AppData\Local\Temp\ezrat.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\ezrat.exe | N/A
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ezrat.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ezrat.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ezrat.exe

"C:\Users\Admin\AppData\Local\Temp\ezrat.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gddzsh4r.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4315.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4314.tmp"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 centre-shaped.gl.at.ply.gg udp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 8.8.8.8:53 18.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

\??\c:\Users\Admin\AppData\Local\Temp\gddzsh4r.cmdline

MD5 dfb8ae07c190217e0c70e7a46683e340
SHA1 2dc5c0f0c63d64775035aafce95c2182bcd8463f
SHA256 59514e3eec63312b81b9bc803d22ca9523a019eade3cd258269be841fc002ef2
SHA512 e50c2acd9b358d10f75f6f88fd7c69234ad11d9a0edf7343052e1d06c4bdc98cb4953236bc90c468ee32fa8c0be68d98a4672cb2f019fbeda3806b1e6699c04f

\??\c:\Users\Admin\AppData\Local\Temp\gddzsh4r.0.cs

MD5 f13553fde49006cf6bde713569ba89ea
SHA1 3f5128d819f2344831ee62eea067ea922ec1c339
SHA256 ef2573fdb7107d29cdb7acddd6e99d8736dca2a4bc58ad84d771817f4a51611f
SHA512 c68dbecdea485ffc980a2f22b1ec971a32accd52d07c34acc2ef059889583c2e8b4739de316ac244fbacd1949d8841a535dc0ed5657e32d0517229f9cf1441c6

\??\c:\Users\Admin\AppData\Local\Temp\CSC4314.tmp

MD5 26cf559c676d3964803e3bc50b7434e0
SHA1 a9957517f4cbbf9c0e5c73b1a7fe5cb5378ddba0
SHA256 ba4fe192a950de857721f4eb9ef872488a5e984c6bba6df87b72e32c6a25738c
SHA512 be0684454752b0ba0327eced1c1bf191f728e6a474e2e3c566c9d825ba8994867590dcdae61997c6e9767a0e85353e6c8446b1c0801f5b830d24d27c38bd4e48

C:\Users\Admin\AppData\Local\Temp\RES4315.tmp

MD5 fc32eccd1a47d6c0dff4dd051c1affcc
SHA1 ef343a15d064ca2879597f688812c47b26ae7bf6
SHA256 53e285d6883e820e14dea09a108d5c6ebe6d5c8b7a5b39740e7f64a10bff7e05
SHA512 c5396c322f7a58640ffa0fc2767cf41376cd41da75e72c0df0c02a5e7a81588d3d314544764970f062da5d387a3a85fa827e587d3427b1e6bcf50b404a4ee605

C:\Users\Admin\AppData\Local\Temp\gddzsh4r.dll

MD5 d71be8a0214134dbfa6fa91dbde7b534
SHA1 2a5d33409ac208e9bba5cad4db447c63caf05b05
SHA256 0b2163888b962d77d0c46c990ed342395dd079e4c796d34fcc36edf51c02abd9
SHA512 efc02b70e9cc0e1a0e826ed0af1ad2d2f6a198ccdf5a6d40216818238b7884c0e0f396f37d46b99756961803851310b329b9e11623eb43888ba00e6f3ee56352

C:\Program Files\Orcus\Orcus.exe

MD5 789a48413608ca25fbfa0c89494b70fc
SHA1 95dbad2f6d28614abf7b5e9199aff94ee6724ca7
SHA256 de338e0379af8619e9d16f1e6a5e756e2edf89ae76454b35bdd6a27206f54383
SHA512 b9203b039df11c56d17ee9f9f07ad15f0eaadc0ff13bfa9dbd727e7baf9704d41602586575d65573aad8592789e6b4183cbe0b194d63046b303f4e5c4417b1e8

C:\Program Files\Orcus\Orcus.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad