orcus | f1682cf8a37398db755990957b830893c37aff88145a8c85e76149bbe0d2c8ba

General

Target

f1682cf8a37398db755990957b830893c37aff88145a8c85e76149bbe0d2c8ba.exe
Size

896KB
MD5

ef9b1b04c34ed4642fa1c5ae2bf7bbb2
SHA1

a945e308b0918ffc74f11d263c4e8215038b27c1
SHA256

f1682cf8a37398db755990957b830893c37aff88145a8c85e76149bbe0d2c8ba
SHA512

f35ac47e5ed6a94bc2205684f3410e99400cb4508ce7eab6effee27bc75c0f92083b2d2bc112dfd5d4911c12ee8ec6460ed06ea32485ed21c2ff40d75a6cfd5d
SSDEEP

12288:sb5pi7mcdxdG1lFlWcYr70RxnnaaoaMnG8nNnjKU05xopHZYwQB3n7FfJIuw69s0:sTO4Mp+xnF+j8Amln7FfJIu99siMK

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

93.157.168.72:27667

Mutex

a78f6cd1f7f343c39d9d711961870c12

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%appdata%\Chrome
reconnect_delay
10000
registry_keyname
Google
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000f000000014698-27.dat	family_orcus

Orcurs Rat Executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000f000000014698-27.dat	orcus

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2576	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2576	AcroRd32.exe
2576	AcroRd32.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2960	2656	f1682cf8a37398db755990957b830893c37aff88145a8c85e76149bbe0d2c8ba.exe	28
PID 2656 wrote to memory of 2960	2656	f1682cf8a37398db755990957b830893c37aff88145a8c85e76149bbe0d2c8ba.exe	28
PID 2656 wrote to memory of 2960	2656	f1682cf8a37398db755990957b830893c37aff88145a8c85e76149bbe0d2c8ba.exe	28
PID 2960 wrote to memory of 2684	2960	csc.exe	30
PID 2960 wrote to memory of 2684	2960	csc.exe	30
PID 2960 wrote to memory of 2684	2960	csc.exe	30
PID 2656 wrote to memory of 2760	2656	f1682cf8a37398db755990957b830893c37aff88145a8c85e76149bbe0d2c8ba.exe	31
PID 2656 wrote to memory of 2760	2656	f1682cf8a37398db755990957b830893c37aff88145a8c85e76149bbe0d2c8ba.exe	31
PID 2656 wrote to memory of 2760	2656	f1682cf8a37398db755990957b830893c37aff88145a8c85e76149bbe0d2c8ba.exe	31
PID 2760 wrote to memory of 2576	2760	rundll32.exe	32
PID 2760 wrote to memory of 2576	2760	rundll32.exe	32
PID 2760 wrote to memory of 2576	2760	rundll32.exe	32
PID 2760 wrote to memory of 2576	2760	rundll32.exe	32

C:\Users\Admin\AppData\Local\Temp\f1682cf8a37398db755990957b830893c37aff88145a8c85e76149bbe0d2c8ba.exe
"C:\Users\Admin\AppData\Local\Temp\f1682cf8a37398db755990957b830893c37aff88145a8c85e76149bbe0d2c8ba.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rfwurxon.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES82B8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC82B7.tmp"
    3⤵
    PID:2684
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\Chrome
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Chrome"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES82B8.tmp

Filesize
1KB

MD5
32824a0b14aa58f0ac3f99c9943b7484

SHA1
675a240da8753db905523a2d671610e41c3d1ce1

SHA256
31c88f4eb3090cdba1e5fa80829eb645d7bff1e5bec4c9ae131d62edb77cfbd4

SHA512
707e07bc43be7d194e11fd24e2eb972aa56792fbd8a984d8a3621ea31ba78ba922653c2d6dfdb8af707a7b3b64bcec38d1af7b2dae8ec356358a44067386fc08

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfwurxon.dll

Filesize
76KB

MD5
761bf3222e9d8954e9d247f8b108e97a

SHA1
9a2036ac5d74d4b45aa7ce46705ba74aec7c72ef

SHA256
2705665854acd3bd8670106f12865cf05b8389f6e033109317eaf969efc516e7

SHA512
14ddec4fa6b168deb454762effed808d6b8b9691a54f2142aaced162eaf9753bdbc564896abab2cdc255c17b0ebf4f358d7fe938a48a261df5351e9fa34e579f

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
36c32643de62112373a880ec819f1d68

SHA1
9df42556048239de942099d05a3ca8cda38175ff

SHA256
98d7ef34330911f1d16a115edd8c2761765625f89fc2a4ae6bc342ebd0d77e5b

SHA512
4f554fe9cfc78c51b16315b0814be4f38032a891b6f3fcad6955d5299dcde8ce4d7c3795f5b1256389bfb45344b8e10d57b325ced1f7b94745c8f3b889366547

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome

Filesize
896KB

MD5
ef9b1b04c34ed4642fa1c5ae2bf7bbb2

SHA1
a945e308b0918ffc74f11d263c4e8215038b27c1

SHA256
f1682cf8a37398db755990957b830893c37aff88145a8c85e76149bbe0d2c8ba

SHA512
f35ac47e5ed6a94bc2205684f3410e99400cb4508ce7eab6effee27bc75c0f92083b2d2bc112dfd5d4911c12ee8ec6460ed06ea32485ed21c2ff40d75a6cfd5d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC82B7.tmp

Filesize
676B

MD5
942baedb287aeb11b3ff57d895bf7445

SHA1
b4f49a3af19b05e9e621a38bae3419c21643e073

SHA256
523f58f830188d7463993d2205e451bf50463d82bba5e111a3e51b331dd4a529

SHA512
f046fcca510ce5ff85edb91cbd6aeb505f47a87ecc0372a39185808e824ccf61538a1f4f0785aa7c31c88f2624c66297c0e312732cd43a85bffd1ce2f631004d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rfwurxon.0.cs

Filesize
208KB

MD5
250321226bbc2a616d91e1c82cb4ab2b

SHA1
7cffd0b2e9c842865d8961386ab8fcfac8d04173

SHA256
ef2707f83a0c0927cfd46b115641b9cae52a41123e4826515b9eeb561785218d

SHA512
bda59ca04cdf254f837f2cec6da55eff5c3d2af00da66537b9ebaa3601c502ae63772f082fd12663b63d537d2e03efe87a3b5746ef25e842aaf1c7d88245b4e1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rfwurxon.cmdline

Filesize
349B

MD5
639c420a90981e95a45e288122ce61b2

SHA1
2abd7f630bd870f4e9df0df0d367c945cf1d1a91

SHA256
dea66726f9bfc8a53560dadb10caf8b8033b240cc41ee49803a54fbac203c716

SHA512
0c1651e025c5c2b1ccea7ff68f503c74355febb957fa50a53191e6fef55df4d53b7a0c9547fa73b6985c1793fdccfe328dcf20373bd36ee736aff6d5c94e32c3

Download Submit
memory/2656-4-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

Filesize
9.6MB

Download
memory/2656-0-0x000007FEF5B1E000-0x000007FEF5B1F000-memory.dmp

Filesize
4KB

Download
memory/2656-3-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

Filesize
9.6MB

Download
memory/2656-19-0x0000000000650000-0x0000000000666000-memory.dmp

Filesize
88KB

Download
memory/2656-21-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2656-22-0x0000000000440000-0x0000000000448000-memory.dmp

Filesize
32KB

Download
memory/2656-26-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

Filesize
9.6MB

Download
memory/2656-2-0x0000000000380000-0x000000000038E000-memory.dmp

Filesize
56KB

Download
memory/2656-1-0x0000000002320000-0x000000000237C000-memory.dmp

Filesize
368KB

Download
memory/2960-10-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

Filesize
9.6MB

Download
memory/2960-17-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing