orcus | fb84dd4ac25fc62b6eb922badaa84c53d71639c89903d155bc11304bea0df984

General

Target

fb84dd4ac25fc62b6eb922badaa84c53d71639c89903d155bc11304bea0df984.exe
Size

3.1MB
MD5

5f5733f2d10d4c7540cfad004a1a66a3
SHA1

2d937253d9ac339e5d636af50cd8429ccac39977
SHA256

fb84dd4ac25fc62b6eb922badaa84c53d71639c89903d155bc11304bea0df984
SHA512

ee577e31ef7dd5d2a47891d86bfe45a88aba154c6b291b7008f1f8ff8d3dde943b056927dd337c6c74aa0e21f7d9868909f1841686d6306e9bbd14b83512c736
SSDEEP

98304:1VtODUKTslWp2MpbfGGilIJPypSbxEo9JCmV:UUKTtEgNilIJPypSbJCi

Score

10^/10

orcus pdf rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

PDF

C2

192.168.0.100:10134

Mutex

4c02bb39af5f434ea8ccdf8d1d4c4bc9

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%programfiles%\pdf\pdf
reconnect_delay
10000
registry_keyname
pdf
taskscheduler_taskname
pdf
watchdog_path
AppData\PDF

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0024000000015c23-12.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/memory/1500-1-0x0000000001230000-0x0000000001556000-memory.dmp	orcus
behavioral1/files/0x0024000000015c23-12.dat	orcus

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\pdf\pdf	fb84dd4ac25fc62b6eb922badaa84c53d71639c89903d155bc11304bea0df984.exe
File opened for modification	C:\Program Files (x86)\pdf\pdf	fb84dd4ac25fc62b6eb922badaa84c53d71639c89903d155bc11304bea0df984.exe
File created	C:\Program Files (x86)\pdf\pdf.config	fb84dd4ac25fc62b6eb922badaa84c53d71639c89903d155bc11304bea0df984.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2520	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2520	AcroRd32.exe
2520	AcroRd32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 2896	1500	fb84dd4ac25fc62b6eb922badaa84c53d71639c89903d155bc11304bea0df984.exe	28
PID 1500 wrote to memory of 2896	1500	fb84dd4ac25fc62b6eb922badaa84c53d71639c89903d155bc11304bea0df984.exe	28
PID 1500 wrote to memory of 2896	1500	fb84dd4ac25fc62b6eb922badaa84c53d71639c89903d155bc11304bea0df984.exe	28
PID 1500 wrote to memory of 2896	1500	fb84dd4ac25fc62b6eb922badaa84c53d71639c89903d155bc11304bea0df984.exe	28
PID 1500 wrote to memory of 2896	1500	fb84dd4ac25fc62b6eb922badaa84c53d71639c89903d155bc11304bea0df984.exe	28
PID 1500 wrote to memory of 2896	1500	fb84dd4ac25fc62b6eb922badaa84c53d71639c89903d155bc11304bea0df984.exe	28
PID 1500 wrote to memory of 2896	1500	fb84dd4ac25fc62b6eb922badaa84c53d71639c89903d155bc11304bea0df984.exe	28
PID 2896 wrote to memory of 2520	2896	rundll32.exe	29
PID 2896 wrote to memory of 2520	2896	rundll32.exe	29
PID 2896 wrote to memory of 2520	2896	rundll32.exe	29
PID 2896 wrote to memory of 2520	2896	rundll32.exe	29

C:\Users\Admin\AppData\Local\Temp\fb84dd4ac25fc62b6eb922badaa84c53d71639c89903d155bc11304bea0df984.exe
"C:\Users\Admin\AppData\Local\Temp\fb84dd4ac25fc62b6eb922badaa84c53d71639c89903d155bc11304bea0df984.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Program Files (x86)\pdf\pdf
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Program Files (x86)\pdf\pdf"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\pdf\pdf

Filesize
3.1MB

MD5
5f5733f2d10d4c7540cfad004a1a66a3

SHA1
2d937253d9ac339e5d636af50cd8429ccac39977

SHA256
fb84dd4ac25fc62b6eb922badaa84c53d71639c89903d155bc11304bea0df984

SHA512
ee577e31ef7dd5d2a47891d86bfe45a88aba154c6b291b7008f1f8ff8d3dde943b056927dd337c6c74aa0e21f7d9868909f1841686d6306e9bbd14b83512c736

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
afba10c4c7c6fbcf6d1c4f6ea6a1168d

SHA1
b02cf200cc955b7ab1b6bb9e8769121c72c94f8c

SHA256
016d6ff967bc1840ed0a2c951fd68394e017a5b50c3ab189a31639da39688282

SHA512
6ff9f53463adc91bc2cb5ef46bbde7869bcb40628642782b908526c7f05f79ccc8d0e3926a9929fa1a6d4793e5a09cbb90566b5bddb1d4f1ee34e41fc36d9824

Download Submit
memory/1500-0-0x0000000074A4E000-0x0000000074A4F000-memory.dmp

Filesize
4KB

Download
memory/1500-1-0x0000000001230000-0x0000000001556000-memory.dmp

Filesize
3.1MB

Download
memory/1500-2-0x0000000074A40000-0x000000007512E000-memory.dmp

Filesize
6.9MB

Download
memory/1500-3-0x0000000000280000-0x000000000028E000-memory.dmp

Filesize
56KB

Download
memory/1500-4-0x0000000000C50000-0x0000000000CAC000-memory.dmp

Filesize
368KB

Download
memory/1500-5-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/1500-11-0x0000000074A40000-0x000000007512E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing