orcus | 2e6e4938bd45ac55dfc1b0c4a7766d1aa622e626cd4a18249600fe1392c788d6

Resubmissions

20-05-2024 14:18

240520-rmd8fadd88 10

Analysis

max time kernel
223s
max time network
290s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e6e4938bd45ac55dfc1b0c4a7766d1aa622e626cd4a18249600fe1392c788d6.exe
Size

85KB
MD5

ea992313f3c2893aa165dbc9f2a1c166
SHA1

a8d9662dfd1167a234cfb37c70cde26564c428d2
SHA256

2e6e4938bd45ac55dfc1b0c4a7766d1aa622e626cd4a18249600fe1392c788d6
SHA512

28bdf6ef4948152ee07a84588cda847a8fd8fda897e725f0f6271cc8414d42913ca7dd5432cd6a5aefb5afd6ffe496e03a1a4adf11ac908813bed565c82685d7
SSDEEP

1536:BIJNZCSa6mouFlxtQdRTDP5Q8OA1BQclg1DnkN6UlpmR4rNlkIlsEl9yq1RX2MJU:iJNZCSa6mouFlxtQdRTDP5Q8OA1BQcls

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

154.212.149.59:446

Mutex

315ff0624fe74021970d128fbc96aa53

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcurs Rat Executable 1 IoCs

resource	yara_rule
behavioral1/memory/4744-15-0x00000000008E0000-0x00000000009C8000-memory.dmp	orcus

Executes dropped EXE 1 IoCs

pid	Process
4744	2e6e4938bd45ac55dfc1b0c4a7766d1aa622e626cd4a18249600fe1392c788d6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4744	2e6e4938bd45ac55dfc1b0c4a7766d1aa622e626cd4a18249600fe1392c788d6.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 3176	1232	2e6e4938bd45ac55dfc1b0c4a7766d1aa622e626cd4a18249600fe1392c788d6.exe	97
PID 1232 wrote to memory of 3176	1232	2e6e4938bd45ac55dfc1b0c4a7766d1aa622e626cd4a18249600fe1392c788d6.exe	97
PID 3176 wrote to memory of 4744	3176	cmd.exe	99
PID 3176 wrote to memory of 4744	3176	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\2e6e4938bd45ac55dfc1b0c4a7766d1aa622e626cd4a18249600fe1392c788d6.exe
"C:\Users\Admin\AppData\Local\Temp\2e6e4938bd45ac55dfc1b0c4a7766d1aa622e626cd4a18249600fe1392c788d6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c C:\Users\Admin\AppData\Roaming\TeamViewer\2e6e4938bd45ac55dfc1b0c4a7766d1aa622e626cd4a18249600fe1392c788d6.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Users\Admin\AppData\Roaming\TeamViewer\2e6e4938bd45ac55dfc1b0c4a7766d1aa622e626cd4a18249600fe1392c788d6.exe
    C:\Users\Admin\AppData\Roaming\TeamViewer\2e6e4938bd45ac55dfc1b0c4a7766d1aa622e626cd4a18249600fe1392c788d6.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\TeamViewer\2e6e4938bd45ac55dfc1b0c4a7766d1aa622e626cd4a18249600fe1392c788d6.exe

Filesize
85KB

MD5
ea992313f3c2893aa165dbc9f2a1c166

SHA1
a8d9662dfd1167a234cfb37c70cde26564c428d2

SHA256
2e6e4938bd45ac55dfc1b0c4a7766d1aa622e626cd4a18249600fe1392c788d6

SHA512
28bdf6ef4948152ee07a84588cda847a8fd8fda897e725f0f6271cc8414d42913ca7dd5432cd6a5aefb5afd6ffe496e03a1a4adf11ac908813bed565c82685d7

Download Submit
memory/1232-11-0x00007FFC40BD0000-0x00007FFC41691000-memory.dmp

Filesize
10.8MB

Download
memory/1232-0-0x00007FFC40BD3000-0x00007FFC40BD5000-memory.dmp

Filesize
8KB

Download
memory/1232-2-0x00007FFC40BD0000-0x00007FFC41691000-memory.dmp

Filesize
10.8MB

Download
memory/1232-3-0x00007FFC40BD0000-0x00007FFC41691000-memory.dmp

Filesize
10.8MB

Download
memory/1232-1-0x0000000000640000-0x000000000065C000-memory.dmp

Filesize
112KB

Download
memory/4744-14-0x00000000009F0000-0x00000000009F6000-memory.dmp

Filesize
24KB

Download
memory/4744-17-0x00000000009D0000-0x00000000009DE000-memory.dmp

Filesize
56KB

Download
memory/4744-12-0x00007FFC40BD0000-0x00007FFC41691000-memory.dmp

Filesize
10.8MB

Download
memory/4744-13-0x00007FFC40BD0000-0x00007FFC41691000-memory.dmp

Filesize
10.8MB

Download
memory/4744-8-0x00007FFC40BD0000-0x00007FFC41691000-memory.dmp

Filesize
10.8MB

Download
memory/4744-15-0x00000000008E0000-0x00000000009C8000-memory.dmp

Filesize
928KB

Download
memory/4744-16-0x0000000000B30000-0x0000000000B8C000-memory.dmp

Filesize
368KB

Download
memory/4744-9-0x00007FFC40BD0000-0x00007FFC41691000-memory.dmp

Filesize
10.8MB

Download
memory/4744-18-0x0000000000A80000-0x0000000000A92000-memory.dmp

Filesize
72KB

Download
memory/4744-19-0x0000000000A90000-0x0000000000AA8000-memory.dmp

Filesize
96KB

Download
memory/4744-20-0x0000000000A70000-0x0000000000A80000-memory.dmp

Filesize
64KB

Download
memory/4744-22-0x000000001AF60000-0x000000001AF9C000-memory.dmp

Filesize
240KB

Download
memory/4744-21-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/4744-23-0x000000001C7F0000-0x000000001C8FA000-memory.dmp

Filesize
1.0MB

Download
memory/4744-24-0x000000001CAD0000-0x000000001CC92000-memory.dmp

Filesize
1.8MB

Download