orcus | 4346e01001903432c6da8a05fa653030081379a9d4c648b22cdd318b5b165788

General

Target

4346e01001903432c6da8a05fa653030081379a9d4c648b22cdd318b5b165788.exe
Size

5.0MB
MD5

f1ba7a7f631a21d3c5967dcabd56864f
SHA1

098faa39a5eeeaad11b73ccf51b4bae6e9ab88bc
SHA256

4346e01001903432c6da8a05fa653030081379a9d4c648b22cdd318b5b165788
SHA512

c764b7bc0646fdbe1ae3687a0f08dad7bc724e308c7cd7fb993f7933686cef8b4b9c2be1248061d36733ac3224e3e003edb59736a783bc2f6e59ddc51fbd2bb6
SSDEEP

12288:s0XCGPSX0zbyD+ndg+QCImGYUl9qyzlkE2kUNC7JsLdn48F1IepdkRI7dG1lFlWQ:nIY4MROxnFtMrrcI0AilFEvxHP6Xoon

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

192.168.0.150:5553

Mutex

9df0748f400a43fd822ce4ad25dd540c

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023405-21.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral2/memory/3360-1-0x0000000000C60000-0x0000000000D4A000-memory.dmp	orcus
behavioral2/files/0x0007000000023405-21.dat	orcus

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	4346e01001903432c6da8a05fa653030081379a9d4c648b22cdd318b5b165788.exe

Executes dropped EXE 2 IoCs

pid	Process
4224	Orcus.exe
2820	Orcus.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Orcus\Orcus.exe	4346e01001903432c6da8a05fa653030081379a9d4c648b22cdd318b5b165788.exe
File opened for modification	C:\Program Files (x86)\Orcus\Orcus.exe	4346e01001903432c6da8a05fa653030081379a9d4c648b22cdd318b5b165788.exe
File created	C:\Program Files (x86)\Orcus\Orcus.exe.config	4346e01001903432c6da8a05fa653030081379a9d4c648b22cdd318b5b165788.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4224	Orcus.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4224	Orcus.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4224	Orcus.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4224	Orcus.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3360 wrote to memory of 4224	3360	4346e01001903432c6da8a05fa653030081379a9d4c648b22cdd318b5b165788.exe	82
PID 3360 wrote to memory of 4224	3360	4346e01001903432c6da8a05fa653030081379a9d4c648b22cdd318b5b165788.exe	82
PID 3360 wrote to memory of 4224	3360	4346e01001903432c6da8a05fa653030081379a9d4c648b22cdd318b5b165788.exe	82

C:\Users\Admin\AppData\Local\Temp\4346e01001903432c6da8a05fa653030081379a9d4c648b22cdd318b5b165788.exe
"C:\Users\Admin\AppData\Local\Temp\4346e01001903432c6da8a05fa653030081379a9d4c648b22cdd318b5b165788.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3360
- C:\Program Files (x86)\Orcus\Orcus.exe
  "C:\Program Files (x86)\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4224

C:\Program Files (x86)\Orcus\Orcus.exe
"C:\Program Files (x86)\Orcus\Orcus.exe"
1⤵
- Executes dropped EXE
PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Orcus\Orcus.exe

Filesize
5.0MB

MD5
f1ba7a7f631a21d3c5967dcabd56864f

SHA1
098faa39a5eeeaad11b73ccf51b4bae6e9ab88bc

SHA256
4346e01001903432c6da8a05fa653030081379a9d4c648b22cdd318b5b165788

SHA512
c764b7bc0646fdbe1ae3687a0f08dad7bc724e308c7cd7fb993f7933686cef8b4b9c2be1248061d36733ac3224e3e003edb59736a783bc2f6e59ddc51fbd2bb6

Download Submit
C:\Program Files (x86)\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\err_9df0748f400a43fd822ce4ad25dd540c.dat

Filesize
1KB

MD5
1c3c2fb671b8b7d6d3c93b22090c4161

SHA1
f01d4f0851c122335905d735ad48fa289b577fce

SHA256
91c7a456012d9fc365ddc7488dc7a29b6a2befd828989f77378624faa18a92f5

SHA512
71582686f2c47da607b38af52aba1509fe72059dbc91fec3f84040e81e1367cd57fe2d99dff5a018c52b93883af52b0c1e1c86b3860a207f079e50828bffaa70

Download Submit
memory/2820-45-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/2820-43-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/2820-41-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/3360-14-0x00000000066A0000-0x00000000067AA000-memory.dmp

Filesize
1.0MB

Download
memory/3360-13-0x0000000006520000-0x000000000656C000-memory.dmp

Filesize
304KB

Download
memory/3360-8-0x0000000005890000-0x0000000005898000-memory.dmp

Filesize
32KB

Download
memory/3360-9-0x0000000005D00000-0x0000000005D66000-memory.dmp

Filesize
408KB

Download
memory/3360-10-0x0000000006980000-0x0000000006F98000-memory.dmp

Filesize
6.1MB

Download
memory/3360-11-0x0000000006380000-0x0000000006392000-memory.dmp

Filesize
72KB

Download
memory/3360-12-0x00000000064E0000-0x000000000651C000-memory.dmp

Filesize
240KB

Download
memory/3360-4-0x00000000056D0000-0x000000000572C000-memory.dmp

Filesize
368KB

Download
memory/3360-0-0x00000000746FE000-0x00000000746FF000-memory.dmp

Filesize
4KB

Download
memory/3360-6-0x00000000058A0000-0x0000000005932000-memory.dmp

Filesize
584KB

Download
memory/3360-5-0x0000000005DB0000-0x0000000006354000-memory.dmp

Filesize
5.6MB

Download
memory/3360-1-0x0000000000C60000-0x0000000000D4A000-memory.dmp

Filesize
936KB

Download
memory/3360-31-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/3360-7-0x0000000005880000-0x0000000005892000-memory.dmp

Filesize
72KB

Download
memory/3360-3-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/3360-2-0x0000000003000000-0x000000000300E000-memory.dmp

Filesize
56KB

Download
memory/4224-32-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/4224-37-0x00000000073E0000-0x00000000073F8000-memory.dmp

Filesize
96KB

Download
memory/4224-40-0x0000000007580000-0x0000000007590000-memory.dmp

Filesize
64KB

Download
memory/4224-39-0x0000000007740000-0x0000000007902000-memory.dmp

Filesize
1.8MB

Download
memory/4224-36-0x0000000006BF0000-0x0000000006C08000-memory.dmp

Filesize
96KB

Download
memory/4224-42-0x00000000076E0000-0x00000000076EA000-memory.dmp

Filesize
40KB

Download
memory/4224-35-0x0000000006BA0000-0x0000000006BEE000-memory.dmp

Filesize
312KB

Download
memory/4224-30-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/4224-46-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing