orcus | ff8c369b9e17986f63b24d523b12b81d078b364dc1490634059c419ba4a0cc05

General

Target

ff8c369b9e17986f63b24d523b12b81d078b364dc1490634059c419ba4a0cc05.exe
Size

907KB
MD5

e724bedeb1fa3ed735249d635f07c63f
SHA1

97da2042297fc775aacb9144ede209ff54e6c285
SHA256

ff8c369b9e17986f63b24d523b12b81d078b364dc1490634059c419ba4a0cc05
SHA512

c80ea9df49feffc41520a20f960f0901c84ff4f01d4e57fe22b28efc0723024173caab775457ca334db6f4c28aa88f3fc880f79af3aab2a07c2c2ca4b5d74751
SSDEEP

24576:Feu4MROxnFDgHFrZlI0AilFEvxHiOoWE:FetMi4FrZlI0AilFEvxHi

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

127.0.0.1:80

Mutex

8d5cf256dea346ae86cdf4349684f822

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0003000000022ab7-31.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x0003000000022ab7-31.dat	orcus
behavioral2/memory/4228-41-0x0000000000410000-0x00000000004F8000-memory.dmp	orcus

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	ff8c369b9e17986f63b24d523b12b81d078b364dc1490634059c419ba4a0cc05.exe

Executes dropped EXE 1 IoCs

pid	Process
4228	Orcus.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	ff8c369b9e17986f63b24d523b12b81d078b364dc1490634059c419ba4a0cc05.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	ff8c369b9e17986f63b24d523b12b81d078b364dc1490634059c419ba4a0cc05.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe	ff8c369b9e17986f63b24d523b12b81d078b364dc1490634059c419ba4a0cc05.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	ff8c369b9e17986f63b24d523b12b81d078b364dc1490634059c419ba4a0cc05.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	ff8c369b9e17986f63b24d523b12b81d078b364dc1490634059c419ba4a0cc05.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	ff8c369b9e17986f63b24d523b12b81d078b364dc1490634059c419ba4a0cc05.exe
File created	C:\Windows\assembly\Desktop.ini	ff8c369b9e17986f63b24d523b12b81d078b364dc1490634059c419ba4a0cc05.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	ff8c369b9e17986f63b24d523b12b81d078b364dc1490634059c419ba4a0cc05.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2968	2172	ff8c369b9e17986f63b24d523b12b81d078b364dc1490634059c419ba4a0cc05.exe	86
PID 2172 wrote to memory of 2968	2172	ff8c369b9e17986f63b24d523b12b81d078b364dc1490634059c419ba4a0cc05.exe	86
PID 2968 wrote to memory of 3052	2968	csc.exe	88
PID 2968 wrote to memory of 3052	2968	csc.exe	88
PID 2172 wrote to memory of 4228	2172	ff8c369b9e17986f63b24d523b12b81d078b364dc1490634059c419ba4a0cc05.exe	89
PID 2172 wrote to memory of 4228	2172	ff8c369b9e17986f63b24d523b12b81d078b364dc1490634059c419ba4a0cc05.exe	89

C:\Users\Admin\AppData\Local\Temp\ff8c369b9e17986f63b24d523b12b81d078b364dc1490634059c419ba4a0cc05.exe
"C:\Users\Admin\AppData\Local\Temp\ff8c369b9e17986f63b24d523b12b81d078b364dc1490634059c419ba4a0cc05.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q8yfa0ee.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E23.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3E22.tmp"
    3⤵
    PID:3052
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  PID:4228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
907KB

MD5
e724bedeb1fa3ed735249d635f07c63f

SHA1
97da2042297fc775aacb9144ede209ff54e6c285

SHA256
ff8c369b9e17986f63b24d523b12b81d078b364dc1490634059c419ba4a0cc05

SHA512
c80ea9df49feffc41520a20f960f0901c84ff4f01d4e57fe22b28efc0723024173caab775457ca334db6f4c28aa88f3fc880f79af3aab2a07c2c2ca4b5d74751

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3E23.tmp

Filesize
1KB

MD5
82bf0486229c774c27d66a51959034af

SHA1
0c99fff7823b154fff11fa4da8c4acc606d65773

SHA256
92fe7b986eaabc9fd21e29a39b1ef3e6705baa7a23021bef3d51714607b1aef2

SHA512
ae420f45a549c9f1737cbbb082121627a0334685a6d2ceaded3eac182ee17497ea46b35e97cc3e21b2acbaf96491a51f675b90d8ae1c0479c1823cbbdcead8ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\q8yfa0ee.dll

Filesize
76KB

MD5
d301c32eb31c408905a953b960c6d456

SHA1
dc49e949593c9a3eedb13e162f8d0e651974ea93

SHA256
21686efa1eff70bccf8646acfe6a18c45f616a97b2221bd0bebe74bb90e01e2c

SHA512
11292ce287a20a23b261c62c88bfef681e57f9cd43eddba15bc190b2de3614d9cefe93979ba4f040f809740571e962f49bd96cff1b521818d3e09191bdc67abb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC3E22.tmp

Filesize
676B

MD5
c062d892e8246631081a27dbecdd02e8

SHA1
760a4ae57ef96a832c69ca72de9752a886e765df

SHA256
d6a0453cbea4ab0aaf119af6279d85edb079d1dd5e375fb9c06aaedf146e7623

SHA512
2f29ff23ede8a6fce00cd7cbeb537f0f41664028b8a92a1471e2ef273cd8d7f772e35145cbf56949062d019eb5673442d4c28e262f49b88e0d8babfc56e279d1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q8yfa0ee.0.cs

Filesize
208KB

MD5
a35d7980d16faa5d80cc20bb931ae7fe

SHA1
543511391b2c8a541a93d17aba039309b641ec2c

SHA256
1166d7857031452a234764166f9b4601a23b9db50d149b82af984399e6121562

SHA512
89871fcf218cecdf68b3f6de2b9106d6d681e828a443d3d3243283457b4df54261e01a2b34078f65336f96253d91b95e246b4151be31b18daa15b3a58807a89c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q8yfa0ee.cmdline

Filesize
349B

MD5
cff74c509e4a47877ef23b179604d2bd

SHA1
be94024fbbebe2cc97fea58b634e4fabbe6b5478

SHA256
7f5f00431e34f36a73944b358bd72c34f85a3dbe08bebce61d5f3aefe471ab7c

SHA512
a559a8888f2a670badd309d810a073fc1bdf0db8bf7f634fe74ba9bac0f18c607fd9bbb5baf10f08ac21e561793035459ae756b295f520458cc898c8544c9ff9

Download Submit
memory/2172-8-0x000000001C440000-0x000000001C4DC000-memory.dmp

Filesize
624KB

Download
memory/2172-1-0x00007FFE2B430000-0x00007FFE2BDD1000-memory.dmp

Filesize
9.6MB

Download
memory/2172-6-0x00007FFE2B430000-0x00007FFE2BDD1000-memory.dmp

Filesize
9.6MB

Download
memory/2172-44-0x00007FFE2B430000-0x00007FFE2BDD1000-memory.dmp

Filesize
9.6MB

Download
memory/2172-7-0x000000001BED0000-0x000000001C39E000-memory.dmp

Filesize
4.8MB

Download
memory/2172-0-0x00007FFE2B6E5000-0x00007FFE2B6E6000-memory.dmp

Filesize
4KB

Download
memory/2172-23-0x000000001C910000-0x000000001C926000-memory.dmp

Filesize
88KB

Download
memory/2172-5-0x000000001B9F0000-0x000000001B9FE000-memory.dmp

Filesize
56KB

Download
memory/2172-25-0x000000001B760000-0x000000001B772000-memory.dmp

Filesize
72KB

Download
memory/2172-2-0x000000001B800000-0x000000001B85C000-memory.dmp

Filesize
368KB

Download
memory/2968-21-0x00007FFE2B430000-0x00007FFE2BDD1000-memory.dmp

Filesize
9.6MB

Download
memory/2968-16-0x00007FFE2B430000-0x00007FFE2BDD1000-memory.dmp

Filesize
9.6MB

Download
memory/4228-40-0x00007FFE28243000-0x00007FFE28245000-memory.dmp

Filesize
8KB

Download
memory/4228-41-0x0000000000410000-0x00000000004F8000-memory.dmp

Filesize
928KB

Download
memory/4228-42-0x0000000000D60000-0x0000000000D72000-memory.dmp

Filesize
72KB

Download
memory/4228-43-0x000000001B070000-0x000000001B088000-memory.dmp

Filesize
96KB

Download
memory/4228-45-0x0000000000CD0000-0x0000000000CE0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing