orcus | 48db6e9d87ebb481de65aa9fe318139644642b429e7701287c1c136fa96b529d

Analysis

max time kernel
140s
max time network
145s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
12-04-2024 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48db6e9d87ebb481de65aa9fe318139644642b429e7701287c1c136fa96b529d.exe
Size

910KB
MD5

0dc0ab0af7887016e40a9fb1cb8de85e
SHA1

3a6e9c43ec94b4609d825e38a97eb4e76be493ba
SHA256

48db6e9d87ebb481de65aa9fe318139644642b429e7701287c1c136fa96b529d
SHA512

089164fb39657a62a6bda638cd5b06b32227e6a4c91e034ec1febc1434525db1afe96b81738d02c55e99a6e3760605190388038bf77cee4f675ff2bf107af399
SSDEEP

12288:T0XCGPSX0zbyD+ndg+QCImGYUl9qyzlkE2kUNCg+34ai5V2Xopqi1n07dG1lFlWl:/2C4MROxnFRC8rrcI0AilFEvxHjoQS

Score

10^/10

orcus ligeon rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

ligeon

ligeon.ddns.net:1606

Mutex

b98fb09a59c24a81b9d17a55ccf2c036

Attributes

autostart_method
Disable
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcurs Rat Executable 1 IoCs

resource	yara_rule
behavioral1/memory/2876-0-0x0000000000DB0000-0x0000000000E9A000-memory.dmp	orcus

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2876	48db6e9d87ebb481de65aa9fe318139644642b429e7701287c1c136fa96b529d.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2876	48db6e9d87ebb481de65aa9fe318139644642b429e7701287c1c136fa96b529d.exe

C:\Users\Admin\AppData\Local\Temp\48db6e9d87ebb481de65aa9fe318139644642b429e7701287c1c136fa96b529d.exe
"C:\Users\Admin\AppData\Local\Temp\48db6e9d87ebb481de65aa9fe318139644642b429e7701287c1c136fa96b529d.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2876

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2876-0-0x0000000000DB0000-0x0000000000E9A000-memory.dmp

Filesize
936KB

Download
memory/2876-1-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2876-2-0x000000001AEC0000-0x000000001AF40000-memory.dmp

Filesize
512KB

Download
memory/2876-3-0x000000001A730000-0x000000001A78C000-memory.dmp

Filesize
368KB

Download
memory/2876-4-0x00000000003C0000-0x00000000003CE000-memory.dmp

Filesize
56KB

Download
memory/2876-5-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/2876-6-0x0000000000580000-0x0000000000588000-memory.dmp

Filesize
32KB

Download
memory/2876-7-0x0000000000C20000-0x0000000000C38000-memory.dmp

Filesize
96KB

Download
memory/2876-8-0x0000000000C50000-0x0000000000C60000-memory.dmp

Filesize
64KB

Download
memory/2876-9-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2876-10-0x000000001AEC0000-0x000000001AF40000-memory.dmp

Filesize
512KB

Download