Overview

overview

10

Static

static

3

3ab1f51353...b5.exe

windows10-2004-x64

10

Resubmissions

20-05-2024 14:17

240520-rl2x4seb9z 10

30-04-2024 15:26

240430-st6rpshh7y 7

Analysis

  • max time kernel
    295s
  • max time network
    305s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-05-2024 14:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3ab1f51353b630da24938d4c805d67b5.exe

  • Size

    30KB

  • MD5

    3ab1f51353b630da24938d4c805d67b5

  • SHA1

    9e6b132f6353a712f0284510bf8de84bb45613e5

  • SHA256

    ac8df5bc262460d7e9f634c2be53ac9b028c6bf101aecc9545603e3e03c9c3a4

  • SHA512

    f897a7ebffe688a8ca8b7f55012a3bbfcc78fdbc123c7f89ca396c67e30ec1f63faf60a7534fab9c7308075ecfdc1c0f363137e9f13611ec9ad92a5a4b946095

  • SSDEEP

    768:T9qZEbWhPq3K1f0Y5feMA7QOKMsDY6Ze/0kJajZL9c7YrHG:TSJxTyieM6QOKpVgHgy7Yrm

Score
10/10
orcusratspywarestealer

Malware Config

Extracted

Family

orcus

C2

154.19.164.108:446

Mutex

5535f1efc68141d4bd9b45da3cd2f270

Attributes
  • autostart_method

    Disable

  • enable_keylogger

    false

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcurs Rat Executable 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ab1f51353b630da24938d4c805d67b5.exe
    "C:\Users\Admin\AppData\Local\Temp\3ab1f51353b630da24938d4c805d67b5.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3708
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c C:\Users\Admin\AppData\Roaming\Google\3ab1f51353b630da24938d4c805d67b5.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5064
      • C:\Users\Admin\AppData\Roaming\Google\3ab1f51353b630da24938d4c805d67b5.exe
        C:\Users\Admin\AppData\Roaming\Google\3ab1f51353b630da24938d4c805d67b5.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4996
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4456 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3652

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Google\3ab1f51353b630da24938d4c805d67b5.exe
      Filesize

      30KB

      MD5

      3ab1f51353b630da24938d4c805d67b5

      SHA1

      9e6b132f6353a712f0284510bf8de84bb45613e5

      SHA256

      ac8df5bc262460d7e9f634c2be53ac9b028c6bf101aecc9545603e3e03c9c3a4

      SHA512

      f897a7ebffe688a8ca8b7f55012a3bbfcc78fdbc123c7f89ca396c67e30ec1f63faf60a7534fab9c7308075ecfdc1c0f363137e9f13611ec9ad92a5a4b946095

      Download Submit

    • memory/3708-0-0x00007FF82DDE3000-0x00007FF82DDE5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3708-1-0x0000012F29610000-0x0000012F2961C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/3708-2-0x0000012F2B180000-0x0000012F2B186000-memory.dmp

      Filesize

      24KB

      Download

    • memory/3708-3-0x00007FF82DDE3000-0x00007FF82DDE5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4996-12-0x000001A8D5F90000-0x000001A8D5F96000-memory.dmp

      Filesize

      24KB

      Download

    • memory/4996-10-0x00007FF82DDE0000-0x00007FF82E8A1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4996-11-0x00007FF82DDE0000-0x00007FF82E8A1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4996-8-0x00007FF82DDE0000-0x00007FF82E8A1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4996-13-0x00007FF82DDE0000-0x00007FF82E8A1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4996-14-0x000001A8EE940000-0x000001A8EEA28000-memory.dmp

      Filesize

      928KB

      Download

    • memory/4996-15-0x000001A8EEA30000-0x000001A8EEA8C000-memory.dmp

      Filesize

      368KB

      Download

    • memory/4996-16-0x000001A8D5F80000-0x000001A8D5F8E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4996-17-0x000001A8EEAA0000-0x000001A8EEAB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4996-18-0x000001A8EEAB0000-0x000001A8EEAC8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4996-19-0x000001A8EEAD0000-0x000001A8EEAE0000-memory.dmp

      Filesize

      64KB

      Download