orcus | 8112e3c36277f4a24e7f266009825f9ab66452c74d2c594e4d509a3d9521241e

General

Target

dff.exe
Size

907KB
MD5

a5d851ce23b2727cfb5ee692d1f33362
SHA1

206df4f8da2a8f415f44fc3091efd6e554316605
SHA256

8112e3c36277f4a24e7f266009825f9ab66452c74d2c594e4d509a3d9521241e
SHA512

6e137d0448955783839f1963ff04b9fa0d56d5ff6c2f604a56b631d35c79efe8a283c75098b8b6e2f98ab7ddd0dfc97e1011ad17de48a67296b523a9c9e47a4e
SSDEEP

12288:4XBM21gsgPktzYX7dG1lFlWcYT70pxnnaaoawUjKgRRA5rZNrI0AilFEvxHvBMiQ:zuQ4MROxnFSgHWrZlI0AilFEvxHidB

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

lunassworld-50930.portmap.host:50930

Mutex

93eee5181ceb466997ce6ef64c64353f

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral2/files/0x00080000000234a0-35.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x00080000000234a0-35.dat	orcus
behavioral2/memory/3472-44-0x0000000000A90000-0x0000000000B78000-memory.dmp	orcus

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	dff.exe

Executes dropped EXE 1 IoCs

pid	Process
3472	Orcus.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	dff.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	dff.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe	dff.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	dff.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	dff.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	dff.exe
File created	C:\Windows\assembly\Desktop.ini	dff.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	dff.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 2280	4980	dff.exe	85
PID 4980 wrote to memory of 2280	4980	dff.exe	85
PID 2280 wrote to memory of 2016	2280	csc.exe	88
PID 2280 wrote to memory of 2016	2280	csc.exe	88
PID 4980 wrote to memory of 3472	4980	dff.exe	97
PID 4980 wrote to memory of 3472	4980	dff.exe	97

C:\Users\Admin\AppData\Local\Temp\dff.exe
"C:\Users\Admin\AppData\Local\Temp\dff.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o0yyuxgj.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E5D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5E5C.tmp"
    3⤵
    PID:2016
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  PID:3472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
907KB

MD5
a5d851ce23b2727cfb5ee692d1f33362

SHA1
206df4f8da2a8f415f44fc3091efd6e554316605

SHA256
8112e3c36277f4a24e7f266009825f9ab66452c74d2c594e4d509a3d9521241e

SHA512
6e137d0448955783839f1963ff04b9fa0d56d5ff6c2f604a56b631d35c79efe8a283c75098b8b6e2f98ab7ddd0dfc97e1011ad17de48a67296b523a9c9e47a4e

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5E5D.tmp

Filesize
1KB

MD5
e99f3fa0d7e0a239f07a829bfa624a19

SHA1
103bd6a86d4b9f0d53eeee96c9caab2fc960f652

SHA256
cc4d3f0cea04d26b0cc3f148311f5a5e557dc00b48b6caffbf4c56552aa3d574

SHA512
830b5892e729a60bf8169c9acac141125b618d44ff27d210a4eb3675953972638e5c2e7688c722439fa82638f86a9794a72f4e7cb5999d7fad69ba646a1986cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\o0yyuxgj.dll

Filesize
76KB

MD5
7438e0e693d91a4bbe30ceaca138e752

SHA1
341e44fdf272af4cf697b82b3e9697a376b88fdb

SHA256
3090f036a36b28eec61c47a9f9bded365e88910e047c49b529ef348ef88ed5aa

SHA512
c25eb63e0ef1975522f323953d2d35913fcf7aec9ff489daaa816742dd9d3ea32ca5a0013a7cca9c56491e121fde28071f3a1584bff9ab5185faca51de9ddf5b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC5E5C.tmp

Filesize
676B

MD5
e932d53447c62faf5f09471ed0942a25

SHA1
d752c874955391a1355cb9ebbda9f469279c9776

SHA256
134a5bcff85e8f03b6d5401f7a3b5fb90ee2e148f3ee26dbe32736eaab182a08

SHA512
6c716a40d7e68a6b8c9301074ad5882dfcdb109ee2ede33816399890c0ea246a351108ad2c39096bef47af9976940b589b3c9cd81ea28446ddb81d59ee79abe8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o0yyuxgj.0.cs

Filesize
208KB

MD5
dbb2af49b8f7a9691a076ddaeadbbcfc

SHA1
bb87e25fc98e25a93d55440be4eb46dd68af5650

SHA256
9d7a42d207fff984dda8ced0b1ed39808682c5b048b6eb13ffd47607ba80b260

SHA512
fc9ecb646c1e9e3ba53f604bd98be57ac5a3550fd5b431528e885c71f0524ecb2a8095f941d1b1a399b24700304eff32e8fb886924186a24799897be52f868cc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o0yyuxgj.cmdline

Filesize
349B

MD5
f232f7cc2f38dbc9279bb87ebabf24f6

SHA1
a394f3390108728e34d8b99b056636e0bc90c179

SHA256
7268c962199499f27141ca546e59323d8ebb05dc8a4397617a25eecc131bd874

SHA512
3b5cec063f86dbb8bbd2b063093f909d076417f0a6bbbdd10bf2be3381cb259041c08a25ad1dd27f09406983a02305ce67467ed4ebd5e6b76391ba05d90bf733

Download Submit
memory/2280-21-0x00007FFB070A0000-0x00007FFB07A41000-memory.dmp

Filesize
9.6MB

Download
memory/2280-16-0x00007FFB070A0000-0x00007FFB07A41000-memory.dmp

Filesize
9.6MB

Download
memory/3472-44-0x0000000000A90000-0x0000000000B78000-memory.dmp

Filesize
928KB

Download
memory/3472-47-0x000000001B6E0000-0x000000001B6F0000-memory.dmp

Filesize
64KB

Download
memory/3472-46-0x000000001B700000-0x000000001B718000-memory.dmp

Filesize
96KB

Download
memory/4980-0-0x00007FFB07355000-0x00007FFB07356000-memory.dmp

Filesize
4KB

Download
memory/4980-23-0x000000001CDA0000-0x000000001CDB6000-memory.dmp

Filesize
88KB

Download
memory/4980-5-0x000000001BC90000-0x000000001BC9E000-memory.dmp

Filesize
56KB

Download
memory/4980-25-0x000000001B950000-0x000000001B962000-memory.dmp

Filesize
72KB

Download
memory/4980-26-0x000000001B970000-0x000000001B978000-memory.dmp

Filesize
32KB

Download
memory/4980-27-0x00007FFB070A0000-0x00007FFB07A41000-memory.dmp

Filesize
9.6MB

Download
memory/4980-2-0x000000001BAA0000-0x000000001BAFC000-memory.dmp

Filesize
368KB

Download
memory/4980-1-0x00007FFB070A0000-0x00007FFB07A41000-memory.dmp

Filesize
9.6MB

Download
memory/4980-8-0x000000001C6E0000-0x000000001C77C000-memory.dmp

Filesize
624KB

Download
memory/4980-45-0x00007FFB070A0000-0x00007FFB07A41000-memory.dmp

Filesize
9.6MB

Download
memory/4980-6-0x00007FFB070A0000-0x00007FFB07A41000-memory.dmp

Filesize
9.6MB

Download
memory/4980-7-0x000000001C170000-0x000000001C63E000-memory.dmp

Filesize
4.8MB

Download

Analysis

Sharing