orcus | f20585f92942d4406423ebe1257b5eae8a460721e00bea42dc70ec948bd49f2e

Resubmissions

20-05-2024 14:13

240520-rjjzhsdc78 10

Analysis

max time kernel
210s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f20585f92942d4406423ebe1257b5eae8a460721e00bea42dc70ec948bd49f2e.exe
Size

85KB
MD5

958c4f1f63aa4b0916c3443e86ee5c4b
SHA1

94b33d97c41f88a5363688fb753ff21df5dd41e0
SHA256

f20585f92942d4406423ebe1257b5eae8a460721e00bea42dc70ec948bd49f2e
SHA512

b7d12d0d0ce224dca54f1819c485d1e10c53f0d2ce57f9815f9a829770e3dc21697659e0cad3dae426d352a1892d6c8b2cda7a85bc065b07b6254035a0247d0b
SSDEEP

1536:ygLGdUFcYJnl3lU0PY5lZCXS85X2WlDeSdDatDRZl3pZduO+drmM+qckIt33+ld6:ygLGdUFcYJnl3lU0PY5lZCXS85X2WlDA

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

154.212.149.59:446

Mutex

315ff0624fe74021970d128fbc96aa53

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcurs Rat Executable 1 IoCs

resource	yara_rule
behavioral1/memory/1420-15-0x0000000001290000-0x0000000001378000-memory.dmp	orcus

Executes dropped EXE 1 IoCs

pid	Process
1420	f20585f92942d4406423ebe1257b5eae8a460721e00bea42dc70ec948bd49f2e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1420	f20585f92942d4406423ebe1257b5eae8a460721e00bea42dc70ec948bd49f2e.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 3336	4936	f20585f92942d4406423ebe1257b5eae8a460721e00bea42dc70ec948bd49f2e.exe	89
PID 4936 wrote to memory of 3336	4936	f20585f92942d4406423ebe1257b5eae8a460721e00bea42dc70ec948bd49f2e.exe	89
PID 3336 wrote to memory of 1420	3336	cmd.exe	91
PID 3336 wrote to memory of 1420	3336	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\f20585f92942d4406423ebe1257b5eae8a460721e00bea42dc70ec948bd49f2e.exe
"C:\Users\Admin\AppData\Local\Temp\f20585f92942d4406423ebe1257b5eae8a460721e00bea42dc70ec948bd49f2e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c C:\Users\Admin\AppData\Roaming\TeamViewer\f20585f92942d4406423ebe1257b5eae8a460721e00bea42dc70ec948bd49f2e.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3336
- - C:\Users\Admin\AppData\Roaming\TeamViewer\f20585f92942d4406423ebe1257b5eae8a460721e00bea42dc70ec948bd49f2e.exe
    C:\Users\Admin\AppData\Roaming\TeamViewer\f20585f92942d4406423ebe1257b5eae8a460721e00bea42dc70ec948bd49f2e.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1420

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\TeamViewer\f20585f92942d4406423ebe1257b5eae8a460721e00bea42dc70ec948bd49f2e.exe

Filesize
85KB

MD5
958c4f1f63aa4b0916c3443e86ee5c4b

SHA1
94b33d97c41f88a5363688fb753ff21df5dd41e0

SHA256
f20585f92942d4406423ebe1257b5eae8a460721e00bea42dc70ec948bd49f2e

SHA512
b7d12d0d0ce224dca54f1819c485d1e10c53f0d2ce57f9815f9a829770e3dc21697659e0cad3dae426d352a1892d6c8b2cda7a85bc065b07b6254035a0247d0b

Download Submit
memory/1420-14-0x0000000001090000-0x0000000001096000-memory.dmp

Filesize
24KB

Download
memory/1420-22-0x000000001CA90000-0x000000001CACC000-memory.dmp

Filesize
240KB

Download
memory/1420-13-0x00007FFBA3160000-0x00007FFBA3C21000-memory.dmp

Filesize
10.8MB

Download
memory/1420-23-0x000000001CBE0000-0x000000001CCEA000-memory.dmp

Filesize
1.0MB

Download
memory/1420-8-0x00007FFBA3160000-0x00007FFBA3C21000-memory.dmp

Filesize
10.8MB

Download
memory/1420-9-0x00007FFBA3160000-0x00007FFBA3C21000-memory.dmp

Filesize
10.8MB

Download
memory/1420-21-0x000000001C510000-0x000000001C522000-memory.dmp

Filesize
72KB

Download
memory/1420-15-0x0000000001290000-0x0000000001378000-memory.dmp

Filesize
928KB

Download
memory/1420-24-0x000000001CEC0000-0x000000001D082000-memory.dmp

Filesize
1.8MB

Download
memory/1420-20-0x0000000001120000-0x0000000001130000-memory.dmp

Filesize
64KB

Download
memory/1420-12-0x00007FFBA3160000-0x00007FFBA3C21000-memory.dmp

Filesize
10.8MB

Download
memory/1420-16-0x00000000011F0000-0x000000000124C000-memory.dmp

Filesize
368KB

Download
memory/1420-17-0x0000000001080000-0x000000000108E000-memory.dmp

Filesize
56KB

Download
memory/1420-18-0x0000000001130000-0x0000000001142000-memory.dmp

Filesize
72KB

Download
memory/1420-19-0x0000000001140000-0x0000000001158000-memory.dmp

Filesize
96KB

Download
memory/4936-2-0x00007FFBA3160000-0x00007FFBA3C21000-memory.dmp

Filesize
10.8MB

Download
memory/4936-11-0x00007FFBA3160000-0x00007FFBA3C21000-memory.dmp

Filesize
10.8MB

Download
memory/4936-0-0x0000000000D40000-0x0000000000D5C000-memory.dmp

Filesize
112KB

Download
memory/4936-1-0x00007FFBA3163000-0x00007FFBA3165000-memory.dmp

Filesize
8KB

Download
memory/4936-3-0x00007FFBA3160000-0x00007FFBA3C21000-memory.dmp

Filesize
10.8MB

Download