orcus | 8112e3c36277f4a24e7f266009825f9ab66452c74d2c594e4d509a3d9521241e

General

Target

dff.exe
Size

907KB
MD5

a5d851ce23b2727cfb5ee692d1f33362
SHA1

206df4f8da2a8f415f44fc3091efd6e554316605
SHA256

8112e3c36277f4a24e7f266009825f9ab66452c74d2c594e4d509a3d9521241e
SHA512

6e137d0448955783839f1963ff04b9fa0d56d5ff6c2f604a56b631d35c79efe8a283c75098b8b6e2f98ab7ddd0dfc97e1011ad17de48a67296b523a9c9e47a4e
SSDEEP

12288:4XBM21gsgPktzYX7dG1lFlWcYT70pxnnaaoawUjKgRRA5rZNrI0AilFEvxHvBMiQ:zuQ4MROxnFSgHWrZlI0AilFEvxHidB

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

lunassworld-50930.portmap.host:50930

Mutex

93eee5181ceb466997ce6ef64c64353f

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000800000001abc5-37.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/files/0x000800000001abc5-37.dat	orcus
behavioral1/memory/308-38-0x0000000000A70000-0x0000000000B58000-memory.dmp	orcus

Executes dropped EXE 1 IoCs

pid	Process
308	Orcus.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	dff.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	dff.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe	dff.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	dff.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	dff.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	dff.exe
File opened for modification	C:\Windows\assembly	dff.exe
File created	C:\Windows\assembly\Desktop.ini	dff.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3668 wrote to memory of 4092	3668	dff.exe	73
PID 3668 wrote to memory of 4092	3668	dff.exe	73
PID 4092 wrote to memory of 4848	4092	csc.exe	75
PID 4092 wrote to memory of 4848	4092	csc.exe	75
PID 3668 wrote to memory of 308	3668	dff.exe	76
PID 3668 wrote to memory of 308	3668	dff.exe	76

C:\Users\Admin\AppData\Local\Temp\dff.exe
"C:\Users\Admin\AppData\Local\Temp\dff.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3668
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zbgrihx9.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4092
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD2D2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD2D1.tmp"
    3⤵
    PID:4848
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  PID:308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
907KB

MD5
a5d851ce23b2727cfb5ee692d1f33362

SHA1
206df4f8da2a8f415f44fc3091efd6e554316605

SHA256
8112e3c36277f4a24e7f266009825f9ab66452c74d2c594e4d509a3d9521241e

SHA512
6e137d0448955783839f1963ff04b9fa0d56d5ff6c2f604a56b631d35c79efe8a283c75098b8b6e2f98ab7ddd0dfc97e1011ad17de48a67296b523a9c9e47a4e

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD2D2.tmp

Filesize
1KB

MD5
593e974aed421f72507bc6fb15a6c6a8

SHA1
7d3116b0ead51a0145be2cc6853932376d3b3e6a

SHA256
d2cb6e198dd17d6edd5911e3ebabdce374a9080d52fe8b58506e2d31e54dbc7b

SHA512
c078583417fd180b4d2e2098c233625c77be2b49c2efac3af307816b8e9f29b35bfe9e737bdeb2705de2f185f5ddc7208cd1308dff772e6a9ea7976641a39e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\zbgrihx9.dll

Filesize
76KB

MD5
00c7e20f4782f1f3e30039cc41c0a8f9

SHA1
047a0ecdf5c0ad8e48e57f355230ca6709ab9f02

SHA256
9730f205ba1ddc065a72da03465a8c773dd9913762f8721b9ad97a7481263657

SHA512
8817fcde88abef1f58cb4d6c4e7dd0b7f11e723976b43c24641068c6afc10389cad563f041630602d8c4ba79eca55dcb5563ce3863b154cb7580844daadadc1e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCD2D1.tmp

Filesize
676B

MD5
5a133f855e98e6147b70ddee47ba70a2

SHA1
2867ff775206bdc04498f4d63071b073ef73e44e

SHA256
85702f362c179d2764225bbe9c7de418c16cf81e68a8ecbb73360575da267455

SHA512
eb8d5bb7d42f4f037c153ba44f1d219e3beb3f3722a62073a00d318f82ff4882e52b645932e6a09d6ca809d6fdbab89b5f4a51e21d6d9db038da9788dee046cc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zbgrihx9.0.cs

Filesize
208KB

MD5
04892f8ad6fb5bae42b9b26724c18e85

SHA1
d535b2e6e3aa5d7af64ecc25e4df918051ae2ee2

SHA256
b9249c0f005a6b0f670c1505ab8ae97c479f560b6302abb1560102ebac420cc5

SHA512
b02c362655f5efea1805f25404861510c6b8c911a1f2289a8b0ca177dc6cf70b4622b00117574ab5050b9fcd3e73cfd6f868c7f52f5195b6a5718fb43b0bacc2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zbgrihx9.cmdline

Filesize
349B

MD5
754df1a4d1b636f3c58b3c5c1e89d0af

SHA1
12f568944a638294a097d84858cd6212d757ef36

SHA256
06adb4a0645c4c819e8782a4f4286bdde9df1e7d660566bdc2027845dc382722

SHA512
307cbc2518eda0ac1b7d69961f795b3ea47eefd1221d077d63864a180447c0f8c706ecddaab5b19047473c927d6d18ba924eabb2a78c083728f8af1f92ffd5cf

Download Submit
memory/308-42-0x0000000001300000-0x0000000001310000-memory.dmp

Filesize
64KB

Download
memory/308-41-0x0000000001430000-0x0000000001448000-memory.dmp

Filesize
96KB

Download
memory/308-40-0x0000000001310000-0x0000000001322000-memory.dmp

Filesize
72KB

Download
memory/308-38-0x0000000000A70000-0x0000000000B58000-memory.dmp

Filesize
928KB

Download
memory/3668-8-0x000000001BD40000-0x000000001BDDC000-memory.dmp

Filesize
624KB

Download
memory/3668-0-0x00007FFE96635000-0x00007FFE96636000-memory.dmp

Filesize
4KB

Download
memory/3668-1-0x00007FFE96380000-0x00007FFE96D20000-memory.dmp

Filesize
9.6MB

Download
memory/3668-23-0x000000001C210000-0x000000001C226000-memory.dmp

Filesize
88KB

Download
memory/3668-25-0x0000000000A60000-0x0000000000A72000-memory.dmp

Filesize
72KB

Download
memory/3668-26-0x0000000000A30000-0x0000000000A38000-memory.dmp

Filesize
32KB

Download
memory/3668-27-0x00007FFE96380000-0x00007FFE96D20000-memory.dmp

Filesize
9.6MB

Download
memory/3668-2-0x000000001B150000-0x000000001B1AC000-memory.dmp

Filesize
368KB

Download
memory/3668-6-0x00007FFE96380000-0x00007FFE96D20000-memory.dmp

Filesize
9.6MB

Download
memory/3668-7-0x000000001B7D0000-0x000000001BC9E000-memory.dmp

Filesize
4.8MB

Download
memory/3668-39-0x00007FFE96380000-0x00007FFE96D20000-memory.dmp

Filesize
9.6MB

Download
memory/3668-5-0x000000001B2F0000-0x000000001B2FE000-memory.dmp

Filesize
56KB

Download
memory/4092-21-0x00007FFE96380000-0x00007FFE96D20000-memory.dmp

Filesize
9.6MB

Download
memory/4092-17-0x00007FFE96380000-0x00007FFE96D20000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing