orcus | ff8c369b9e17986f63b24d523b12b81d078b364dc1490634059c419ba4a0cc05

General

Target

ff8c369b9e17986f63b24d523b12b81d078b364dc1490634059c419ba4a0cc05.exe
Size

907KB
MD5

e724bedeb1fa3ed735249d635f07c63f
SHA1

97da2042297fc775aacb9144ede209ff54e6c285
SHA256

ff8c369b9e17986f63b24d523b12b81d078b364dc1490634059c419ba4a0cc05
SHA512

c80ea9df49feffc41520a20f960f0901c84ff4f01d4e57fe22b28efc0723024173caab775457ca334db6f4c28aa88f3fc880f79af3aab2a07c2c2ca4b5d74751
SSDEEP

24576:Feu4MROxnFDgHFrZlI0AilFEvxHiOoWE:FetMi4FrZlI0AilFEvxHi

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

127.0.0.1:80

Mutex

8d5cf256dea346ae86cdf4349684f822

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x003300000001630b-25.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/files/0x003300000001630b-25.dat	orcus
behavioral1/memory/2644-29-0x0000000000DF0000-0x0000000000ED8000-memory.dmp	orcus

Executes dropped EXE 1 IoCs

pid	Process
2644	Orcus.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe.config	ff8c369b9e17986f63b24d523b12b81d078b364dc1490634059c419ba4a0cc05.exe
File created	C:\Program Files\Orcus\Orcus.exe	ff8c369b9e17986f63b24d523b12b81d078b364dc1490634059c419ba4a0cc05.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	ff8c369b9e17986f63b24d523b12b81d078b364dc1490634059c419ba4a0cc05.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2968	2684	ff8c369b9e17986f63b24d523b12b81d078b364dc1490634059c419ba4a0cc05.exe	28
PID 2684 wrote to memory of 2968	2684	ff8c369b9e17986f63b24d523b12b81d078b364dc1490634059c419ba4a0cc05.exe	28
PID 2684 wrote to memory of 2968	2684	ff8c369b9e17986f63b24d523b12b81d078b364dc1490634059c419ba4a0cc05.exe	28
PID 2968 wrote to memory of 2504	2968	csc.exe	30
PID 2968 wrote to memory of 2504	2968	csc.exe	30
PID 2968 wrote to memory of 2504	2968	csc.exe	30
PID 2684 wrote to memory of 2644	2684	ff8c369b9e17986f63b24d523b12b81d078b364dc1490634059c419ba4a0cc05.exe	31
PID 2684 wrote to memory of 2644	2684	ff8c369b9e17986f63b24d523b12b81d078b364dc1490634059c419ba4a0cc05.exe	31
PID 2684 wrote to memory of 2644	2684	ff8c369b9e17986f63b24d523b12b81d078b364dc1490634059c419ba4a0cc05.exe	31

C:\Users\Admin\AppData\Local\Temp\ff8c369b9e17986f63b24d523b12b81d078b364dc1490634059c419ba4a0cc05.exe
"C:\Users\Admin\AppData\Local\Temp\ff8c369b9e17986f63b24d523b12b81d078b364dc1490634059c419ba4a0cc05.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\monqih6w.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3296.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3295.tmp"
    3⤵
    PID:2504
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
907KB

MD5
e724bedeb1fa3ed735249d635f07c63f

SHA1
97da2042297fc775aacb9144ede209ff54e6c285

SHA256
ff8c369b9e17986f63b24d523b12b81d078b364dc1490634059c419ba4a0cc05

SHA512
c80ea9df49feffc41520a20f960f0901c84ff4f01d4e57fe22b28efc0723024173caab775457ca334db6f4c28aa88f3fc880f79af3aab2a07c2c2ca4b5d74751

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3296.tmp

Filesize
1KB

MD5
c19c87a3cd365a2f6ec09065b12f4297

SHA1
0f0f98c28ee72a532626a361c8494bd9b089b893

SHA256
518f650cf794abdc8b95e704b792c43c827292f00fae180a427f534650f0d45c

SHA512
361a1f215d30a4461bab4b9239bf6d614b81361b99c10a1c2501c517b939c77a900919b9beaf545cc7a095b750102a2e40beb954cd1d5077b43034187273da62

Download Submit
C:\Users\Admin\AppData\Local\Temp\monqih6w.dll

Filesize
76KB

MD5
f890b038dfefa6e4c46f4cc98166037f

SHA1
5f4f355e65805405a31aba93208be554b5875139

SHA256
6e7e24533bd28c2fdb683f02491ff003a2f7a233e526f53556e9a10ac3b4ca87

SHA512
def0b670c006fb5ab5172cf4f6c85c859d888fbd238fad5ced076393f9211cd563c8d5d24d9a09705f9413f459a2f17fc5429545ee8a8b203911d7c572585d03

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC3295.tmp

Filesize
676B

MD5
41f8fb1bafeea6044c635aa62a1501a9

SHA1
4a49289169ae9e64ab42a95a90c19c80c55a8ebd

SHA256
b19ed3836f29a4bf300327c446ea69fc7f93c547ccfc6af10f3ce3226ce5c477

SHA512
6a4bed0dc2f7110750c2da1914abc0978f396ab606a44a422c6458a69ff580f3f7f06645e698b3910ee1e81228d43b42f8f225a320d6fa3be8ea7a9bebfed9ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\monqih6w.0.cs

Filesize
208KB

MD5
c2db7144bf776feb11696a402fd71473

SHA1
ee8da40163317164184ceb3aca5f9fa52d9f1611

SHA256
5a9afcd9feb57e52ac513c7d25729f0e08f5e1a71281351392b96f74bae47e19

SHA512
dcfb46f2b8a3d020e4072795a93f537fd87e5e9ea8205f5e37175c3d7c14fc591ab74e1d5388ae847a90d75ef97ae96145b702189abe6006253e0a2ab0f9b1eb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\monqih6w.cmdline

Filesize
349B

MD5
e91b31771e22f96e11d673f76ddee3c7

SHA1
b146f4d631f82a6bedbe54983aca93a96c5f54bb

SHA256
2cb6b3cd42832c6b241dc6bdfd12ec88ff95e4067518b81ce8ca7874eb4c938a

SHA512
137d8a9ee589b16e5c9ba9628a0b8cb17faba305a8063336e66f4d46f5d4b25c89560fa56bfefd3f2352a33777ae6760ca268d2c5ea507bbba912f25ae6acd92

Download Submit
memory/2644-29-0x0000000000DF0000-0x0000000000ED8000-memory.dmp

Filesize
928KB

Download
memory/2644-30-0x0000000000300000-0x0000000000312000-memory.dmp

Filesize
72KB

Download
memory/2644-32-0x00000000004C0000-0x00000000004D0000-memory.dmp

Filesize
64KB

Download
memory/2644-31-0x0000000000420000-0x0000000000438000-memory.dmp

Filesize
96KB

Download
memory/2684-2-0x0000000000180000-0x000000000018E000-memory.dmp

Filesize
56KB

Download
memory/2684-20-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/2684-27-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/2684-4-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/2684-3-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/2684-1-0x00000000007F0000-0x000000000084C000-memory.dmp

Filesize
368KB

Download
memory/2684-0-0x000007FEF5E4E000-0x000007FEF5E4F000-memory.dmp

Filesize
4KB

Download
memory/2684-17-0x0000000000850000-0x0000000000866000-memory.dmp

Filesize
88KB

Download
memory/2968-19-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/2968-33-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing