orcus | 3aecd39225de5f274e45c1f200754a0d5f98eba87d54328bab30de1f2c629a69

General

Target

3aecd39225de5f274e45c1f200754a0d5f98eba87d54328bab30de1f2c629a69.exe
Size

916KB
MD5

c18aa87310422a593b3f7da5e5bb6484
SHA1

6e91dc3fd926f6eef6c88f94ef06e87cb6a4f29a
SHA256

3aecd39225de5f274e45c1f200754a0d5f98eba87d54328bab30de1f2c629a69
SHA512

e2ee610656e0b5b4610ea5728efbd579811d29e6fb9c0eafa9653fd6df66baca7544294d9f923e643e25007a5375208aa95f52350e64aebfecd929080da42d76
SSDEEP

12288:6XBM21gsgPktzYX7dG1lFlWcYT70pxnnaaoawp7ueuRAKrZNrI0AilFEvxHvBMBL:luQ4MROxnFJ9JrZlI0AilFEvxHiTDp

Score

10^/10

orcus persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

192.168.0.150:8848

Mutex

104ac7067d804737b655e3e0f14f31f4

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00090000000145bc-29.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/files/0x00090000000145bc-29.dat	orcus
behavioral1/memory/2560-34-0x0000000000AE0000-0x0000000000BCA000-memory.dmp	orcus

Executes dropped EXE 1 IoCs

pid	Process
2560	Orcus.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Orcus = "\"C:\\Program Files\\Orcus\\Orcus.exe\""	Orcus.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe.config	3aecd39225de5f274e45c1f200754a0d5f98eba87d54328bab30de1f2c629a69.exe
File created	C:\Program Files\Orcus\Orcus.exe	3aecd39225de5f274e45c1f200754a0d5f98eba87d54328bab30de1f2c629a69.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	3aecd39225de5f274e45c1f200754a0d5f98eba87d54328bab30de1f2c629a69.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2560	Orcus.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2560	Orcus.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2560	Orcus.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2560	Orcus.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2204	2148	3aecd39225de5f274e45c1f200754a0d5f98eba87d54328bab30de1f2c629a69.exe	28
PID 2148 wrote to memory of 2204	2148	3aecd39225de5f274e45c1f200754a0d5f98eba87d54328bab30de1f2c629a69.exe	28
PID 2148 wrote to memory of 2204	2148	3aecd39225de5f274e45c1f200754a0d5f98eba87d54328bab30de1f2c629a69.exe	28
PID 2204 wrote to memory of 848	2204	csc.exe	30
PID 2204 wrote to memory of 848	2204	csc.exe	30
PID 2204 wrote to memory of 848	2204	csc.exe	30
PID 2148 wrote to memory of 2560	2148	3aecd39225de5f274e45c1f200754a0d5f98eba87d54328bab30de1f2c629a69.exe	32
PID 2148 wrote to memory of 2560	2148	3aecd39225de5f274e45c1f200754a0d5f98eba87d54328bab30de1f2c629a69.exe	32
PID 2148 wrote to memory of 2560	2148	3aecd39225de5f274e45c1f200754a0d5f98eba87d54328bab30de1f2c629a69.exe	32

C:\Users\Admin\AppData\Local\Temp\3aecd39225de5f274e45c1f200754a0d5f98eba87d54328bab30de1f2c629a69.exe
"C:\Users\Admin\AppData\Local\Temp\3aecd39225de5f274e45c1f200754a0d5f98eba87d54328bab30de1f2c629a69.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qnaghni-.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1121.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1120.tmp"
    3⤵
    PID:848
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
916KB

MD5
c18aa87310422a593b3f7da5e5bb6484

SHA1
6e91dc3fd926f6eef6c88f94ef06e87cb6a4f29a

SHA256
3aecd39225de5f274e45c1f200754a0d5f98eba87d54328bab30de1f2c629a69

SHA512
e2ee610656e0b5b4610ea5728efbd579811d29e6fb9c0eafa9653fd6df66baca7544294d9f923e643e25007a5375208aa95f52350e64aebfecd929080da42d76

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1121.tmp

Filesize
1KB

MD5
bbb36c057af91adab2dcb0a0fb3950e3

SHA1
531cdea8c33872677fd05ae300f0fdff6e7cf5e7

SHA256
ec0266c2c9c7949c78b0d2e97ff659c5195bdf65a34849631d338483fda43920

SHA512
486299b12be0e7c7876a750c6ab468520be386f9da40296c84131c874131a03d4c49dcda1adfcef239463152211fff1846ceaa4ffb7e56794f36c89577955916

Download Submit
C:\Users\Admin\AppData\Local\Temp\qnaghni-.dll

Filesize
76KB

MD5
eeb3b93698d6ed6aeb1dbcdfe194fae9

SHA1
a8325f08199f1f4b3200e8f8d859df1e7e717437

SHA256
0b2cc3fca2cb8d76baed225588c0e51330c753ef8017b4f1076b10f9a2fa641c

SHA512
5f332ee2caa9d4920075d8f548976a5a40badabe31a2bfbbc19a15def35028da384e87d49aaaa3cb594f86cca9921caca8683d338e37ac545f56deb4872a6f49

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\err_104ac7067d804737b655e3e0f14f31f4.dat

Filesize
1KB

MD5
e884e842889db9f41c9b35f079bfffb8

SHA1
e62f66452d7572dde50fd54e075cae8dd4b4f0fd

SHA256
2990d8a9c41b10ec85829e9c7fa468aab5c849838b7ba4eda4b09da0e4a6390f

SHA512
dbbcffb8bb0d7939212ef56c018319b9e5eb9079b39bca645477c38e7f29acd9f5bd2b3f270c48f569ded7481baa10a9da6d1a376c8a2f2bf5463be729e88a1c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1120.tmp

Filesize
676B

MD5
4ffebd19a4968602b61fd73786233092

SHA1
013f19bc8ebaa7581dd6acb90fca29d9c8cb0a8e

SHA256
bafa17caee53b010ddd24954b0b2d79143a229bde2d88346eaf66ced4fd82bbb

SHA512
7a5715bedae588fadb1a937be440a4c617a5f090a1dc3883f09c938c88338a74b85536bb2c60867ebb41e7271627530ab27d870e481ac70d797ed1f1922381ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qnaghni-.0.cs

Filesize
208KB

MD5
6011503497b1b9250a05debf9690e52c

SHA1
897aea61e9bffc82d7031f1b3da12fb83efc6d82

SHA256
08f42b8d57bb61bc8f9628c8a80953b06ca4149d50108083fca6dc26bdd49434

SHA512
604c33e82e8b5bb5c54389c2899c81e5482a06e69db08268173a5b4574327ee5de656d312011d07e50a2e398a4c9b0cd79029013f76e05e18cf67ce5a916ffd9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qnaghni-.cmdline

Filesize
349B

MD5
9f5638474d0a085e50ebbfe6e10b08dc

SHA1
e93c627ac3615d2e7dc3aebe432e3f3a0dddff9f

SHA256
0bdbafb5e52342cd1c76d40cd684a0722a396bd6d49b1f92c582d84591e90d74

SHA512
6c7e82a46195643601b37f0165a29f3294c88e79df94a2cbb05fad7429703a5f8fb52a4c8738167551544d6f880eff54e0c89b404c907851a5172ad179cd3a5d

Download Submit
memory/2148-20-0x0000000000AE0000-0x0000000000AF2000-memory.dmp

Filesize
72KB

Download
memory/2148-2-0x00000000003A0000-0x00000000003AE000-memory.dmp

Filesize
56KB

Download
memory/2148-4-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

Filesize
9.6MB

Download
memory/2148-1-0x0000000000D80000-0x0000000000DDC000-memory.dmp

Filesize
368KB

Download
memory/2148-0-0x000007FEF549E000-0x000007FEF549F000-memory.dmp

Filesize
4KB

Download
memory/2148-21-0x0000000000D60000-0x0000000000D68000-memory.dmp

Filesize
32KB

Download
memory/2148-22-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

Filesize
9.6MB

Download
memory/2148-28-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

Filesize
9.6MB

Download
memory/2148-3-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

Filesize
9.6MB

Download
memory/2148-17-0x00000000012E0000-0x00000000012F6000-memory.dmp

Filesize
88KB

Download
memory/2148-32-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

Filesize
9.6MB

Download
memory/2204-19-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

Filesize
9.6MB

Download
memory/2204-41-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

Filesize
9.6MB

Download
memory/2560-34-0x0000000000AE0000-0x0000000000BCA000-memory.dmp

Filesize
936KB

Download
memory/2560-35-0x0000000000AB0000-0x0000000000AC2000-memory.dmp

Filesize
72KB

Download
memory/2560-38-0x0000000002170000-0x00000000021BE000-memory.dmp

Filesize
312KB

Download
memory/2560-39-0x0000000001FD0000-0x0000000001FE8000-memory.dmp

Filesize
96KB

Download
memory/2560-40-0x0000000002080000-0x0000000002090000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads