orcus | a57055364481676e2cf162f4f91be228458c7e03eed0f54d1e5f18a8907a3b62

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02-06-2024 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a57055364481676e2cf162f4f91be228458c7e03eed0f54d1e5f18a8907a3b62.exe
Size

903KB
MD5

5d29b913273c7abfc589ee8c620f12f6
SHA1

36369b0f2ccc7b50720ed21d607166fac13d6e3a
SHA256

a57055364481676e2cf162f4f91be228458c7e03eed0f54d1e5f18a8907a3b62
SHA512

be0862868f343f394d7597a365aed628a8e71eb4d419196b5a08e5af2065f39b8b0449e56961b2c59fa66d7c497ab2b5f9afab75f1a0a7c275304ab1912183a1
SSDEEP

12288:b0XCGPSX0zbyD+ndg+QCImGYUl9qyzlkE2kUNCZ3uljipeyKWepvBgw7dG1lFlWz:EW64MROxnFgHrrcI0AilFEvxHPX9ood

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

91.109.186.2:1194

Mutex

60d5f56e0ff9486480153dc7e98d1c84

Attributes

autostart_method
Disable
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcurs Rat Executable 1 IoCs

resource	yara_rule
behavioral1/memory/1152-1-0x00000000013E0000-0x00000000014C8000-memory.dmp	orcus

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1152	a57055364481676e2cf162f4f91be228458c7e03eed0f54d1e5f18a8907a3b62.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1152	a57055364481676e2cf162f4f91be228458c7e03eed0f54d1e5f18a8907a3b62.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2872	2480	taskeng.exe	29
PID 2480 wrote to memory of 2872	2480	taskeng.exe	29
PID 2480 wrote to memory of 2872	2480	taskeng.exe	29
PID 2480 wrote to memory of 2872	2480	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\a57055364481676e2cf162f4f91be228458c7e03eed0f54d1e5f18a8907a3b62.exe
"C:\Users\Admin\AppData\Local\Temp\a57055364481676e2cf162f4f91be228458c7e03eed0f54d1e5f18a8907a3b62.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1152

C:\Windows\system32\taskeng.exe
taskeng.exe {C433745F-1E4C-4363-877D-322178FA64B1} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Users\Admin\AppData\Local\Temp\a57055364481676e2cf162f4f91be228458c7e03eed0f54d1e5f18a8907a3b62.exe
  C:\Users\Admin\AppData\Local\Temp\a57055364481676e2cf162f4f91be228458c7e03eed0f54d1e5f18a8907a3b62.exe
  2⤵
  PID:2872

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1152-6-0x0000000000D70000-0x0000000000DBE000-memory.dmp

Filesize
312KB

Download
memory/1152-0-0x0000000073ECE000-0x0000000073ECF000-memory.dmp

Filesize
4KB

Download
memory/1152-2-0x0000000000470000-0x000000000047E000-memory.dmp

Filesize
56KB

Download
memory/1152-3-0x0000000073EC0000-0x00000000745AE000-memory.dmp

Filesize
6.9MB

Download
memory/1152-4-0x0000000000BD0000-0x0000000000C2C000-memory.dmp

Filesize
368KB

Download
memory/1152-5-0x0000000000500000-0x0000000000512000-memory.dmp

Filesize
72KB

Download
memory/1152-1-0x00000000013E0000-0x00000000014C8000-memory.dmp

Filesize
928KB

Download
memory/1152-7-0x0000000001240000-0x0000000001258000-memory.dmp

Filesize
96KB

Download
memory/1152-13-0x0000000073EC0000-0x00000000745AE000-memory.dmp

Filesize
6.9MB

Download
memory/1152-12-0x0000000073ECE000-0x0000000073ECF000-memory.dmp

Filesize
4KB

Download
memory/1152-8-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/2872-11-0x0000000073EC0000-0x00000000745AE000-memory.dmp

Filesize
6.9MB

Download
memory/2872-9-0x0000000073EC0000-0x00000000745AE000-memory.dmp

Filesize
6.9MB

Download
memory/2872-10-0x0000000073EC0000-0x00000000745AE000-memory.dmp

Filesize
6.9MB

Download