orcus | cf3fcc3aed42efdaa1e4b92b985d582d68376932136797e646f97e13a9383768

General

Target

cf3fcc3aed42efdaa1e4b92b985d582d68376932136797e646f97e13a9383768.exe
Size

142.0MB
MD5

8ec31f21bbd85409821e9ff46905de10
SHA1

73d0917083d30de5c3ef9be8ee9f89911bbba77f
SHA256

cf3fcc3aed42efdaa1e4b92b985d582d68376932136797e646f97e13a9383768
SHA512

a95a59bdf0b8aa2cdbe6089c7a71935c35151757d8624e7e89b4ebe8b9709436c13d40003f9fd882269d67ea0908b19e13f08d1db92159064f5e1d2b968f5ec1
SSDEEP

12288:jvQljshUuGBupksQ7dG1lFlWcYT70pxnnaaoawt7ueuRA8rZNrI0AilFEvxHvBMn:qsw4MROxnFd9vrZlI0AilFEvxHiCS

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

192.168.0.150:8848

Mutex

cc95a8263dac4c43869aeacd03467e30

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Windows Update Check
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcurs Rat Executable 1 IoCs

resource	yara_rule
behavioral1/memory/2788-34-0x0000000000FE0000-0x00000000010CA000-memory.dmp	orcus

Executes dropped EXE 2 IoCs

pid	Process
2788	Orcus.exe
2468	Orcus.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe	cf3fcc3aed42efdaa1e4b92b985d582d68376932136797e646f97e13a9383768.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	cf3fcc3aed42efdaa1e4b92b985d582d68376932136797e646f97e13a9383768.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	cf3fcc3aed42efdaa1e4b92b985d582d68376932136797e646f97e13a9383768.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2788	Orcus.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2788	Orcus.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2788	Orcus.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2788	Orcus.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2348	2264	cf3fcc3aed42efdaa1e4b92b985d582d68376932136797e646f97e13a9383768.exe	28
PID 2264 wrote to memory of 2348	2264	cf3fcc3aed42efdaa1e4b92b985d582d68376932136797e646f97e13a9383768.exe	28
PID 2264 wrote to memory of 2348	2264	cf3fcc3aed42efdaa1e4b92b985d582d68376932136797e646f97e13a9383768.exe	28
PID 2348 wrote to memory of 2640	2348	csc.exe	30
PID 2348 wrote to memory of 2640	2348	csc.exe	30
PID 2348 wrote to memory of 2640	2348	csc.exe	30
PID 2264 wrote to memory of 2788	2264	cf3fcc3aed42efdaa1e4b92b985d582d68376932136797e646f97e13a9383768.exe	32
PID 2264 wrote to memory of 2788	2264	cf3fcc3aed42efdaa1e4b92b985d582d68376932136797e646f97e13a9383768.exe	32
PID 2264 wrote to memory of 2788	2264	cf3fcc3aed42efdaa1e4b92b985d582d68376932136797e646f97e13a9383768.exe	32
PID 2384 wrote to memory of 2468	2384	taskeng.exe	34
PID 2384 wrote to memory of 2468	2384	taskeng.exe	34
PID 2384 wrote to memory of 2468	2384	taskeng.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cf3fcc3aed42efdaa1e4b92b985d582d68376932136797e646f97e13a9383768.exe
"C:\Users\Admin\AppData\Local\Temp\cf3fcc3aed42efdaa1e4b92b985d582d68376932136797e646f97e13a9383768.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hueuthy8.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C67.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1C66.tmp"
    3⤵
    PID:2640
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2788

C:\Windows\system32\taskeng.exe
taskeng.exe {206F3048-C476-45FF-9090-780ECBEDFA2D} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1C67.tmp

Filesize
1KB

MD5
50eb026767057221f41250cd5738efcc

SHA1
0f531ab375e844e6a9fcf9d1b4b080e501451be0

SHA256
a16a854532847fd3486e32ce20243409af33379136da26275623cfd476435040

SHA512
98ac7fe1e93e8e04ce435fbc185064f970e54c68a1b884bde0996705fc1d16e070957ded743156a8ff5d310021c3d6fa63601d4b2cd457621776b13711f4433d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hueuthy8.dll

Filesize
76KB

MD5
2fe5fb903931c864adb61bff8f6b0feb

SHA1
66b7236d7d2712e69afa66a2c39af5de90f86e90

SHA256
72726a8f64b0a8ea1a9bf9d3e5b42b4a52a34a91a6459c4782f4a6213dac1de0

SHA512
799bd26d90b2587fda74872ed82c2966f7137fffb55b67ce61812bdaef4c4c4867e363c30aca1060f38fbb7a41312d4dcb7eeed7175f9d46691e1a36b575548a

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\err_cc95a8263dac4c43869aeacd03467e30.dat

Filesize
1KB

MD5
f462ae45de1eb127d4ad7600b910034b

SHA1
bdad6c7f7179c90836efb6af5c8f5156d1db3f3b

SHA256
623d114754f93929bb08a1447659498b374af2341cab206dbba753ee7f773b55

SHA512
e799b9e8b458908b629871e11035c9fad4b05b9ccd36319a2c4130e79610dd0c5806f3cc351141ef67eb5830b488ca8aac693efeae383369fc531f11cea0f827

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1C66.tmp

Filesize
676B

MD5
340746a3a035341e6a86fa69574666d6

SHA1
c227cfd5ec880a0eaca586078066d4228aae453d

SHA256
136da9c16bdfb5bd65e699f2393a5f82d3b3ebfb46272889d424e75ebc27f72d

SHA512
03d6ac91792da8441b343e654a005b9d8fe65712fecd1e9ed95e0227d016db0e3cbfb73075a5b69e80fd15d53babc8e00ecc0a6de1a004fc6b11dd532b1deb39

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hueuthy8.0.cs

Filesize
208KB

MD5
5444a4e3949772f24dafe2e410b9f987

SHA1
31abcc3fa192d1cb24f5d3205b67f17c6b7f12a0

SHA256
c4aa45ad4b5d153f2e08756bb3fbe4dac8154319f6bf4d58f2be7d6d999fcd1a

SHA512
5c7171b7a90ebf9dc6d4ee53da28e1b171d6bcc17998d808755b467e35a46c8cd22b2e03a55c654ead18cfbc014d05b58fc9a2f87dc5bac482b7653eeff896cf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hueuthy8.cmdline

Filesize
349B

MD5
44ab074a7fda6506beac4386bee59da6

SHA1
4789c31425076ce8b051c2e5d08402686289ea49

SHA256
8b0202fc863f940a8dcffb6471e7e8fc9823e7f1513311029ef3aaec4ae91cdc

SHA512
eb8011415a9659e46566f9ce7ee8e6837b01f988bd888739b63f68b4518b51d2358cadee27715e302a8d79848754b2e7d75d42a2e9a5099a5e38b1411a791435

Download Submit
memory/2264-20-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/2264-1-0x00000000020D0000-0x000000000212C000-memory.dmp

Filesize
368KB

Download
memory/2264-17-0x00000000009F0000-0x0000000000A06000-memory.dmp

Filesize
88KB

Download
memory/2264-2-0x0000000000300000-0x000000000030E000-memory.dmp

Filesize
56KB

Download
memory/2264-3-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download
memory/2264-0-0x000007FEF608E000-0x000007FEF608F000-memory.dmp

Filesize
4KB

Download
memory/2264-21-0x00000000007B0000-0x00000000007B8000-memory.dmp

Filesize
32KB

Download
memory/2264-22-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download
memory/2264-24-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download
memory/2264-4-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download
memory/2264-33-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download
memory/2348-19-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download
memory/2348-42-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download
memory/2788-34-0x0000000000FE0000-0x00000000010CA000-memory.dmp

Filesize
936KB

Download
memory/2788-35-0x0000000000410000-0x0000000000422000-memory.dmp

Filesize
72KB

Download
memory/2788-38-0x0000000000D40000-0x0000000000D8E000-memory.dmp

Filesize
312KB

Download
memory/2788-39-0x0000000000B90000-0x0000000000BA8000-memory.dmp

Filesize
96KB

Download
memory/2788-40-0x0000000000F20000-0x0000000000F30000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing