orcus | 9963f8b42627725045115b76ed179f43468d4dfbfb26837e114fcdcd59e7d336

Analysis

max time kernel
149s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-04-2024 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9963f8b42627725045115b76ed179f43468d4dfbfb26837e114fcdcd59e7d336.exe
Size

914KB
MD5

382b5ec3d08f531a34b67c3d37851f93
SHA1

18fcf2c3f7756b5cc9f43ff41dde700c5326c2a8
SHA256

9963f8b42627725045115b76ed179f43468d4dfbfb26837e114fcdcd59e7d336
SHA512

e4b89d38ea971d666c95297872363d855500e1c553bbceb83768137b3b50243423f50b563aefb0c3b18200ffcf3d283e6b2568dcbe68300ffabb78fa8e0a0ce6
SSDEEP

24576:P6A4MROxnFR3aTnXrZlI0AilFEvxHiXv:P6jMijkrZlI0AilFEvxHi

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

178.20.45.159:7777

Mutex

0987a51eb44e4803863e149ff474a3f6

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%appdata%\Discord\Telegram.exe
reconnect_delay
10000
registry_keyname
tg
taskscheduler_taskname
tg
watchdog_path
Temp\Telegram.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000c000000015cff-26.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/files/0x000c000000015cff-26.dat	orcus
behavioral1/memory/2632-30-0x0000000000AB0000-0x0000000000B9A000-memory.dmp	orcus

Executes dropped EXE 3 IoCs

pid	Process
2632	Telegram.exe
2700	Telegram.exe
2504	Telegram.exe

Loads dropped DLL 1 IoCs

pid	Process
2700	Telegram.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2504	Telegram.exe
2504	Telegram.exe
2632	Telegram.exe
2632	Telegram.exe
2632	Telegram.exe
2504	Telegram.exe
2632	Telegram.exe
2504	Telegram.exe
2632	Telegram.exe
2504	Telegram.exe
2504	Telegram.exe
2632	Telegram.exe
2632	Telegram.exe
2504	Telegram.exe
2504	Telegram.exe
2632	Telegram.exe
2632	Telegram.exe
2504	Telegram.exe
2632	Telegram.exe
2504	Telegram.exe
2632	Telegram.exe
2504	Telegram.exe
2632	Telegram.exe
2504	Telegram.exe
2632	Telegram.exe
2504	Telegram.exe
2632	Telegram.exe
2504	Telegram.exe
2504	Telegram.exe
2632	Telegram.exe
2504	Telegram.exe
2632	Telegram.exe
2632	Telegram.exe
2504	Telegram.exe
2504	Telegram.exe
2632	Telegram.exe
2632	Telegram.exe
2504	Telegram.exe
2632	Telegram.exe
2504	Telegram.exe
2504	Telegram.exe
2632	Telegram.exe
2504	Telegram.exe
2632	Telegram.exe
2632	Telegram.exe
2504	Telegram.exe
2632	Telegram.exe
2504	Telegram.exe
2504	Telegram.exe
2632	Telegram.exe
2504	Telegram.exe
2632	Telegram.exe
2632	Telegram.exe
2504	Telegram.exe
2504	Telegram.exe
2632	Telegram.exe
2632	Telegram.exe
2504	Telegram.exe
2632	Telegram.exe
2504	Telegram.exe
2632	Telegram.exe
2504	Telegram.exe
2504	Telegram.exe
2632	Telegram.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2632	Telegram.exe
Token: SeDebugPrivilege	2700	Telegram.exe
Token: SeDebugPrivilege	2504	Telegram.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2372	2972	9963f8b42627725045115b76ed179f43468d4dfbfb26837e114fcdcd59e7d336.exe	28
PID 2972 wrote to memory of 2372	2972	9963f8b42627725045115b76ed179f43468d4dfbfb26837e114fcdcd59e7d336.exe	28
PID 2972 wrote to memory of 2372	2972	9963f8b42627725045115b76ed179f43468d4dfbfb26837e114fcdcd59e7d336.exe	28
PID 2372 wrote to memory of 2732	2372	csc.exe	30
PID 2372 wrote to memory of 2732	2372	csc.exe	30
PID 2372 wrote to memory of 2732	2372	csc.exe	30
PID 2972 wrote to memory of 2632	2972	9963f8b42627725045115b76ed179f43468d4dfbfb26837e114fcdcd59e7d336.exe	31
PID 2972 wrote to memory of 2632	2972	9963f8b42627725045115b76ed179f43468d4dfbfb26837e114fcdcd59e7d336.exe	31
PID 2972 wrote to memory of 2632	2972	9963f8b42627725045115b76ed179f43468d4dfbfb26837e114fcdcd59e7d336.exe	31
PID 2632 wrote to memory of 2700	2632	Telegram.exe	32
PID 2632 wrote to memory of 2700	2632	Telegram.exe	32
PID 2632 wrote to memory of 2700	2632	Telegram.exe	32
PID 2632 wrote to memory of 2700	2632	Telegram.exe	32
PID 2700 wrote to memory of 2504	2700	Telegram.exe	33
PID 2700 wrote to memory of 2504	2700	Telegram.exe	33
PID 2700 wrote to memory of 2504	2700	Telegram.exe	33
PID 2700 wrote to memory of 2504	2700	Telegram.exe	33

C:\Users\Admin\AppData\Local\Temp\9963f8b42627725045115b76ed179f43468d4dfbfb26837e114fcdcd59e7d336.exe
"C:\Users\Admin\AppData\Local\Temp\9963f8b42627725045115b76ed179f43468d4dfbfb26837e114fcdcd59e7d336.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\idk8wtu9.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F06.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1F05.tmp"
    3⤵
    PID:2732
- C:\Users\Admin\AppData\Roaming\Discord\Telegram.exe
  "C:\Users\Admin\AppData\Roaming\Discord\Telegram.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Users\Admin\AppData\Local\Temp\Telegram.exe
    "C:\Users\Admin\AppData\Local\Temp\Telegram.exe" /launchSelfAndExit "C:\Users\Admin\AppData\Roaming\Discord\Telegram.exe" 2632 /protectFile
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Users\Admin\AppData\Local\Temp\Telegram.exe
      "C:\Users\Admin\AppData\Local\Temp\Telegram.exe" /watchProcess "C:\Users\Admin\AppData\Roaming\Discord\Telegram.exe" 2632 "/protectFile"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1F06.tmp

Filesize
1KB

MD5
eebbc6ee747c83872556875adbab8481

SHA1
e23df05f0c0c19f447887f8a2e8f78df0368e9d1

SHA256
ca9f3abd68ceaae997f77d2bc0e41ad666d8bacf0f84c8cb3e9304cba4520067

SHA512
647058fd1a3479e9000719299f4e475e7ce39af46fd56f54a4cbeb0e0fa6f1dc60f4304c8150dbb5b7f859fe2b101de4d8989a7a636433eda14fd08374e4f169

Download Submit
C:\Users\Admin\AppData\Local\Temp\Telegram.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\idk8wtu9.dll

Filesize
76KB

MD5
e690d2a5bbb38e019fbe2196c56c6537

SHA1
1c80fde1381b7950890709784df003784ba6c698

SHA256
9fdc663d7fb3043f36c382efd1a4ccb83849be6cd5c022648b19d4d91bef0c6e

SHA512
0a2ba5003a33ff21af2627b68efae48e45bbc9275f3a8d136f5a0ea339fe5c8074ce7cbe31543e0e70d56a9eb43c065a48e34da13a3d14f75b2ebb88493cd23e

Download Submit
C:\Users\Admin\AppData\Roaming\Discord\Telegram.exe

Filesize
914KB

MD5
382b5ec3d08f531a34b67c3d37851f93

SHA1
18fcf2c3f7756b5cc9f43ff41dde700c5326c2a8

SHA256
9963f8b42627725045115b76ed179f43468d4dfbfb26837e114fcdcd59e7d336

SHA512
e4b89d38ea971d666c95297872363d855500e1c553bbceb83768137b3b50243423f50b563aefb0c3b18200ffcf3d283e6b2568dcbe68300ffabb78fa8e0a0ce6

Download Submit
C:\Users\Admin\AppData\Roaming\Discord\Telegram.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1F05.tmp

Filesize
676B

MD5
30c2711b7c49fbe8740030d5b3cdbe97

SHA1
907f12a61869db49879ed8c13b5d83a39f1375e4

SHA256
b8d5f7bc1c390cee444a52bbb5eaf681c64c89de1b274d79ec9eda6a0c4487bd

SHA512
137bffaefa1ed5e161d2660257cf18d00f6508642366d677b3961aaa8cfa55ac023f332a100dc2be3463affb34d45bf532d65fc919b6b4c22541dc36992bbd26

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\idk8wtu9.0.cs

Filesize
208KB

MD5
de3cc3f6089fa0a7343fda4699c2ae32

SHA1
8cce0e33f0b974ee87378e4fb8f9d4ae489a02fa

SHA256
5e353090ffde8113bb9c8baea5595f4c64d1ab20ebe295e21f423d2d862c2583

SHA512
613f417e58d127e009004c160c92c344c5add758c75dad1f3b13af6c33e436f26dc5c1d0c370b21d052363203e101d9f553592efc64af1366185b5fa9527224e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\idk8wtu9.cmdline

Filesize
349B

MD5
e79a4b1b38b8e169fd9ef12893a6c485

SHA1
90d65525173a9b3c86750d5f1f4df3edecab0df5

SHA256
385c94e8940ae04e44b1bf00e364b2774b028cf5b926dae377f61737c718009f

SHA512
8c0c05373d01c3597436547ad6cf21ac342c1272c47ce1a2d04f7e1a9c10718a294c3534842d15428d921faa1fec7e57ebd0c3ee980de0f9b24ac6db7a17e607

Download Submit
memory/2504-72-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/2504-50-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/2632-30-0x0000000000AB0000-0x0000000000B9A000-memory.dmp

Filesize
936KB

Download
memory/2632-35-0x0000000000430000-0x0000000000448000-memory.dmp

Filesize
96KB

Download
memory/2632-71-0x000000001B010000-0x000000001B090000-memory.dmp

Filesize
512KB

Download
memory/2632-70-0x000000001B010000-0x000000001B090000-memory.dmp

Filesize
512KB

Download
memory/2632-69-0x000007FEEE7A0000-0x000007FEEF18C000-memory.dmp

Filesize
9.9MB

Download
memory/2632-36-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/2632-37-0x000000001B010000-0x000000001B090000-memory.dmp

Filesize
512KB

Download
memory/2632-32-0x000000001B010000-0x000000001B090000-memory.dmp

Filesize
512KB

Download
memory/2632-31-0x000007FEEE7A0000-0x000007FEEF18C000-memory.dmp

Filesize
9.9MB

Download
memory/2632-33-0x0000000000280000-0x0000000000292000-memory.dmp

Filesize
72KB

Download
memory/2632-34-0x0000000002180000-0x00000000021CE000-memory.dmp

Filesize
312KB

Download
memory/2700-47-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/2700-46-0x0000000001060000-0x0000000001068000-memory.dmp

Filesize
32KB

Download
memory/2700-51-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/2972-0-0x00000000021C0000-0x000000000221C000-memory.dmp

Filesize
368KB

Download
memory/2972-29-0x000007FEF5320000-0x000007FEF5CBD000-memory.dmp

Filesize
9.6MB

Download
memory/2972-2-0x000007FEF5320000-0x000007FEF5CBD000-memory.dmp

Filesize
9.6MB

Download
memory/2972-19-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/2972-3-0x0000000002230000-0x00000000022B0000-memory.dmp

Filesize
512KB

Download
memory/2972-4-0x000007FEF5320000-0x000007FEF5CBD000-memory.dmp

Filesize
9.6MB

Download
memory/2972-17-0x0000000000BB0000-0x0000000000BC6000-memory.dmp

Filesize
88KB

Download
memory/2972-20-0x0000000000B80000-0x0000000000B88000-memory.dmp

Filesize
32KB

Download
memory/2972-1-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download