orcus | 071072d35d25a35b3b83cf879c3abec0cbc8b04fd6302c5f6f5380d3576a09da

General

Target

071072d35d25a35b3b83cf879c3abec0cbc8b04fd6302c5f6f5380d3576a09da.exe
Size

924KB
MD5

29afdcfe266af8444aafbc4725d63ae5
SHA1

ed72a7261a22fa5335a8830d757d909b3620a840
SHA256

071072d35d25a35b3b83cf879c3abec0cbc8b04fd6302c5f6f5380d3576a09da
SHA512

4de70d4c4742faaa349ff6aa8908b28825edf90ee32ef27c7a494808c3ca50d12eb0736e6e8c791fa63e03ae08200ca50f58df5f9661756cff3422c3ca2429e2
SSDEEP

24576:CIY4MROxnFE38O3IrrcI0AilFEvxHPwKoob:CaMiuZIrrcI0AilFEvxHPw

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

192.168.0.101:5656

Mutex

33fdee79e66a4cc2b2137624e8250ad4

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
executor
taskscheduler_taskname
Solaras
watchdog_path
AppData\Solara.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0003000000000743-49.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral2/memory/568-1-0x0000000000EC0000-0x0000000000FAE000-memory.dmp	orcus
behavioral2/files/0x0003000000000743-49.dat	orcus

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	071072d35d25a35b3b83cf879c3abec0cbc8b04fd6302c5f6f5380d3576a09da.exe

Executes dropped EXE 3 IoCs

pid	Process
1388	WindowsInput.exe
3692	WindowsInput.exe
4188	Orcus.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe	071072d35d25a35b3b83cf879c3abec0cbc8b04fd6302c5f6f5380d3576a09da.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	071072d35d25a35b3b83cf879c3abec0cbc8b04fd6302c5f6f5380d3576a09da.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Orcus\Orcus.exe	071072d35d25a35b3b83cf879c3abec0cbc8b04fd6302c5f6f5380d3576a09da.exe
File opened for modification	C:\Program Files (x86)\Orcus\Orcus.exe	071072d35d25a35b3b83cf879c3abec0cbc8b04fd6302c5f6f5380d3576a09da.exe
File created	C:\Program Files (x86)\Orcus\Orcus.exe.config	071072d35d25a35b3b83cf879c3abec0cbc8b04fd6302c5f6f5380d3576a09da.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 568 wrote to memory of 1388	568	071072d35d25a35b3b83cf879c3abec0cbc8b04fd6302c5f6f5380d3576a09da.exe	100
PID 568 wrote to memory of 1388	568	071072d35d25a35b3b83cf879c3abec0cbc8b04fd6302c5f6f5380d3576a09da.exe	100
PID 568 wrote to memory of 4188	568	071072d35d25a35b3b83cf879c3abec0cbc8b04fd6302c5f6f5380d3576a09da.exe	102
PID 568 wrote to memory of 4188	568	071072d35d25a35b3b83cf879c3abec0cbc8b04fd6302c5f6f5380d3576a09da.exe	102
PID 568 wrote to memory of 4188	568	071072d35d25a35b3b83cf879c3abec0cbc8b04fd6302c5f6f5380d3576a09da.exe	102

C:\Users\Admin\AppData\Local\Temp\071072d35d25a35b3b83cf879c3abec0cbc8b04fd6302c5f6f5380d3576a09da.exe
"C:\Users\Admin\AppData\Local\Temp\071072d35d25a35b3b83cf879c3abec0cbc8b04fd6302c5f6f5380d3576a09da.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:568
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1388
- C:\Program Files (x86)\Orcus\Orcus.exe
  "C:\Program Files (x86)\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  PID:4188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1328 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
1⤵
PID:4152

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:3692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Orcus\Orcus.exe

Filesize
924KB

MD5
29afdcfe266af8444aafbc4725d63ae5

SHA1
ed72a7261a22fa5335a8830d757d909b3620a840

SHA256
071072d35d25a35b3b83cf879c3abec0cbc8b04fd6302c5f6f5380d3576a09da

SHA512
4de70d4c4742faaa349ff6aa8908b28825edf90ee32ef27c7a494808c3ca50d12eb0736e6e8c791fa63e03ae08200ca50f58df5f9661756cff3422c3ca2429e2

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\err_33fdee79e66a4cc2b2137624e8250ad4.dat

Filesize
1KB

MD5
67666124f95befd292821b548fe33e97

SHA1
65eff14fd31fc47b226636be45f22f8d6d0dfe3d

SHA256
8cc8feb97d063a8ff8a609e36b8db036c7f66b8212bdf1de32fc39a849e5c4a3

SHA512
d3fe6ab9d93bebfbad3b04644b9ed005b7428284865d452e948b0d19ae835b6f695cb555fc4a9c60f6282716ac739a16f2f8957c8c8945a2060f2ca94dd66a7f

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
memory/568-16-0x0000000005F60000-0x0000000005FAC000-memory.dmp

Filesize
304KB

Download
memory/568-4-0x0000000005950000-0x00000000059AC000-memory.dmp

Filesize
368KB

Download
memory/568-6-0x0000000005AC0000-0x0000000005B52000-memory.dmp

Filesize
584KB

Download
memory/568-7-0x0000000074DCE000-0x0000000074DCF000-memory.dmp

Filesize
4KB

Download
memory/568-8-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/568-9-0x0000000001770000-0x0000000001782000-memory.dmp

Filesize
72KB

Download
memory/568-10-0x0000000001780000-0x0000000001788000-memory.dmp

Filesize
32KB

Download
memory/568-11-0x0000000001790000-0x0000000001798000-memory.dmp

Filesize
32KB

Download
memory/568-12-0x0000000001950000-0x00000000019B6000-memory.dmp

Filesize
408KB

Download
memory/568-13-0x0000000006C40000-0x0000000007258000-memory.dmp

Filesize
6.1MB

Download
memory/568-14-0x0000000005EC0000-0x0000000005ED2000-memory.dmp

Filesize
72KB

Download
memory/568-15-0x0000000005F20000-0x0000000005F5C000-memory.dmp

Filesize
240KB

Download
memory/568-0-0x0000000074DCE000-0x0000000074DCF000-memory.dmp

Filesize
4KB

Download
memory/568-17-0x0000000006730000-0x000000000683A000-memory.dmp

Filesize
1.0MB

Download
memory/568-19-0x0000000006B70000-0x0000000006B92000-memory.dmp

Filesize
136KB

Download
memory/568-5-0x0000000006070000-0x0000000006614000-memory.dmp

Filesize
5.6MB

Download
memory/568-3-0x00000000033A0000-0x00000000033AE000-memory.dmp

Filesize
56KB

Download
memory/568-62-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/568-1-0x0000000000EC0000-0x0000000000FAE000-memory.dmp

Filesize
952KB

Download
memory/568-2-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/1388-36-0x0000000000FB0000-0x0000000000FC2000-memory.dmp

Filesize
72KB

Download
memory/1388-37-0x0000000001050000-0x000000000108C000-memory.dmp

Filesize
240KB

Download
memory/1388-41-0x00007FFA35860000-0x00007FFA36321000-memory.dmp

Filesize
10.8MB

Download
memory/1388-35-0x00007FFA35860000-0x00007FFA36321000-memory.dmp

Filesize
10.8MB

Download
memory/1388-34-0x00000000006D0000-0x00000000006DC000-memory.dmp

Filesize
48KB

Download
memory/1388-33-0x00007FFA35863000-0x00007FFA35865000-memory.dmp

Filesize
8KB

Download
memory/3692-43-0x00007FFA35860000-0x00007FFA36321000-memory.dmp

Filesize
10.8MB

Download
memory/4188-61-0x0000000006A90000-0x0000000006ADE000-memory.dmp

Filesize
312KB

Download
memory/4188-63-0x0000000006AE0000-0x0000000006AF8000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing