orcus | 75af63185c79dbface5db3bebe13b2e457a764b520cf6da9678eb8501c3e61d1

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75af63185c79dbface5db3bebe13b2e457a764b520cf6da9678eb8501c3e61d1.exe
Size

914KB
MD5

8f4a262076a343c306b3e45a01c0a532
SHA1

ffd57f1068cf5f7acb5f359b5e1a947ab04ab186
SHA256

75af63185c79dbface5db3bebe13b2e457a764b520cf6da9678eb8501c3e61d1
SHA512

4fae8619281c39c729ce787536a3013377b74005d299666ec615e125be28c2505721d7a33c802c07a461f3e76180c7eac99c46c608818b439eb90f8dbef3ff8e
SSDEEP

24576:vk84MROxnFR3NRirZlI0AilFEvxHi985o:vkPMijirZlI0AilFEvxHi

Score

10^/10

orcus lox rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

lox

8.tcp.ngrok.io:14334

Mutex

97a795082d1b4d009c62ffc5af327057

Attributes

autostart_method
TaskScheduler
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x002e0000000144e9-27.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/files/0x002e0000000144e9-27.dat	orcus
behavioral1/memory/2644-31-0x0000000000B80000-0x0000000000C6A000-memory.dmp	orcus

Executes dropped EXE 4 IoCs

pid	Process
2644	Orcus.exe
1952	Orcus.exe
2468	OrcusWatchdog.exe
2996	OrcusWatchdog.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
2	8.tcp.ngrok.io
9	8.tcp.ngrok.io
16	8.tcp.ngrok.io

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Orcus\Orcus.exe	75af63185c79dbface5db3bebe13b2e457a764b520cf6da9678eb8501c3e61d1.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	75af63185c79dbface5db3bebe13b2e457a764b520cf6da9678eb8501c3e61d1.exe
File created	C:\Program Files\Orcus\Orcus.exe	75af63185c79dbface5db3bebe13b2e457a764b520cf6da9678eb8501c3e61d1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2644	Orcus.exe
2644	Orcus.exe
2644	Orcus.exe
2996	OrcusWatchdog.exe
2996	OrcusWatchdog.exe
2996	OrcusWatchdog.exe
2644	Orcus.exe
2996	OrcusWatchdog.exe
2644	Orcus.exe
2996	OrcusWatchdog.exe
2644	Orcus.exe
2996	OrcusWatchdog.exe
2644	Orcus.exe
2996	OrcusWatchdog.exe
2644	Orcus.exe
2996	OrcusWatchdog.exe
2644	Orcus.exe
2996	OrcusWatchdog.exe
2644	Orcus.exe
2996	OrcusWatchdog.exe
2644	Orcus.exe
2996	OrcusWatchdog.exe
2644	Orcus.exe
2996	OrcusWatchdog.exe
2644	Orcus.exe
2996	OrcusWatchdog.exe
2644	Orcus.exe
2996	OrcusWatchdog.exe
2644	Orcus.exe
2996	OrcusWatchdog.exe
2644	Orcus.exe
2996	OrcusWatchdog.exe
2644	Orcus.exe
2996	OrcusWatchdog.exe
2644	Orcus.exe
2996	OrcusWatchdog.exe
2644	Orcus.exe
2996	OrcusWatchdog.exe
2644	Orcus.exe
2996	OrcusWatchdog.exe
2644	Orcus.exe
2996	OrcusWatchdog.exe
2644	Orcus.exe
2996	OrcusWatchdog.exe
2644	Orcus.exe
2996	OrcusWatchdog.exe
2644	Orcus.exe
2996	OrcusWatchdog.exe
2644	Orcus.exe
2996	OrcusWatchdog.exe
2644	Orcus.exe
2996	OrcusWatchdog.exe
2644	Orcus.exe
2996	OrcusWatchdog.exe
2644	Orcus.exe
2996	OrcusWatchdog.exe
2644	Orcus.exe
2996	OrcusWatchdog.exe
2644	Orcus.exe
2996	OrcusWatchdog.exe
2644	Orcus.exe
2996	OrcusWatchdog.exe
2644	Orcus.exe
2996	OrcusWatchdog.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	Orcus.exe
Token: SeDebugPrivilege	2468	OrcusWatchdog.exe
Token: SeDebugPrivilege	2996	OrcusWatchdog.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2644	Orcus.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2644	Orcus.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 2096	2940	75af63185c79dbface5db3bebe13b2e457a764b520cf6da9678eb8501c3e61d1.exe	28
PID 2940 wrote to memory of 2096	2940	75af63185c79dbface5db3bebe13b2e457a764b520cf6da9678eb8501c3e61d1.exe	28
PID 2940 wrote to memory of 2096	2940	75af63185c79dbface5db3bebe13b2e457a764b520cf6da9678eb8501c3e61d1.exe	28
PID 2096 wrote to memory of 2880	2096	csc.exe	30
PID 2096 wrote to memory of 2880	2096	csc.exe	30
PID 2096 wrote to memory of 2880	2096	csc.exe	30
PID 2940 wrote to memory of 2644	2940	75af63185c79dbface5db3bebe13b2e457a764b520cf6da9678eb8501c3e61d1.exe	31
PID 2940 wrote to memory of 2644	2940	75af63185c79dbface5db3bebe13b2e457a764b520cf6da9678eb8501c3e61d1.exe	31
PID 2940 wrote to memory of 2644	2940	75af63185c79dbface5db3bebe13b2e457a764b520cf6da9678eb8501c3e61d1.exe	31
PID 2756 wrote to memory of 1952	2756	taskeng.exe	33
PID 2756 wrote to memory of 1952	2756	taskeng.exe	33
PID 2756 wrote to memory of 1952	2756	taskeng.exe	33
PID 2644 wrote to memory of 2468	2644	Orcus.exe	34
PID 2644 wrote to memory of 2468	2644	Orcus.exe	34
PID 2644 wrote to memory of 2468	2644	Orcus.exe	34
PID 2644 wrote to memory of 2468	2644	Orcus.exe	34
PID 2468 wrote to memory of 2996	2468	OrcusWatchdog.exe	35
PID 2468 wrote to memory of 2996	2468	OrcusWatchdog.exe	35
PID 2468 wrote to memory of 2996	2468	OrcusWatchdog.exe	35
PID 2468 wrote to memory of 2996	2468	OrcusWatchdog.exe	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\75af63185c79dbface5db3bebe13b2e457a764b520cf6da9678eb8501c3e61d1.exe
"C:\Users\Admin\AppData\Local\Temp\75af63185c79dbface5db3bebe13b2e457a764b520cf6da9678eb8501c3e61d1.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wsmimut2.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF1F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF1E.tmp"
    3⤵
    PID:2880
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
    "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 2644
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
      "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 2644
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2996

C:\Windows\system32\taskeng.exe
taskeng.exe {2DBE0A76-0775-4DC2-8D68-94BB841EE7DB} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
914KB

MD5
8f4a262076a343c306b3e45a01c0a532

SHA1
ffd57f1068cf5f7acb5f359b5e1a947ab04ab186

SHA256
75af63185c79dbface5db3bebe13b2e457a764b520cf6da9678eb8501c3e61d1

SHA512
4fae8619281c39c729ce787536a3013377b74005d299666ec615e125be28c2505721d7a33c802c07a461f3e76180c7eac99c46c608818b439eb90f8dbef3ff8e

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF1F.tmp

Filesize
1KB

MD5
dd7122ead13212fbc63c003c90e5454d

SHA1
8937ef0ec889ae3cdfcdf819d2fb3d86c3ee61d1

SHA256
ba1a64723ca40fdbfc0672545b8ecd5b9a33a6b77eecef552609a6217f0aa272

SHA512
6eb88bd4a12c9480ce610fd265489438880aa39bd10592d789e3fe18c32a76625b8f882c9dd297ba79448930b22fd8d942a76a491ff5c3963840c22bbcfb66f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsmimut2.dll

Filesize
76KB

MD5
ab6c836dd0f3d70c74ba2dcf350dde98

SHA1
6e558ba17031c8e2a2a52c8984af933c9880d04f

SHA256
9cf88f723f23b593d13c52f94b4e04672ab21f6796467ce462b6b6dc82b71b06

SHA512
575b9e69622c6500eeedc90605e74ba15a04d74c7ae142193b844e7e69c867de796a52a09205143cd350e1ef479fa36d4381148b2ab51a238380f2231863fdc0

Download Submit
C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCF1E.tmp

Filesize
676B

MD5
73c3832b13b402b99c69b436d56e2167

SHA1
ebfbe343552199a60d52dd4ac35c3ff946dc71df

SHA256
697d4308dce10e382bd86b92a74ea89438cbd450c5fed4133757959e429129e8

SHA512
a1231c296cf8d97bbf6673c1ca05d5b4da833eb94150db00a6f43fa4338f4ec5af9e405eab86cbe160ede869e9839a333dcab3ea86fbe17f30935befde838a57

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wsmimut2.0.cs

Filesize
208KB

MD5
250321226bbc2a616d91e1c82cb4ab2b

SHA1
7cffd0b2e9c842865d8961386ab8fcfac8d04173

SHA256
ef2707f83a0c0927cfd46b115641b9cae52a41123e4826515b9eeb561785218d

SHA512
bda59ca04cdf254f837f2cec6da55eff5c3d2af00da66537b9ebaa3601c502ae63772f082fd12663b63d537d2e03efe87a3b5746ef25e842aaf1c7d88245b4e1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wsmimut2.cmdline

Filesize
349B

MD5
32e454e14c476091af670166065e9375

SHA1
bef802bb267aded4433d3bf08ad0ca0266ad6a37

SHA256
c7a30c8950f8f4f3e433d04d943196031e8b75ccb337af7bf7adcef993adfa52

SHA512
951903982e03814a334f866ce3dc648105f606130ec0ebb9476573a5ace38b0bf3543d07a111c5b74d11f2578fd78482d1d2bd6f015224fa3a77b92295a371ad

Download Submit
memory/2096-46-0x000007FEF5AB0000-0x000007FEF644D000-memory.dmp

Filesize
9.6MB

Download
memory/2096-19-0x000007FEF5AB0000-0x000007FEF644D000-memory.dmp

Filesize
9.6MB

Download
memory/2468-44-0x0000000001060000-0x0000000001068000-memory.dmp

Filesize
32KB

Download
memory/2644-32-0x0000000000580000-0x00000000005CE000-memory.dmp

Filesize
312KB

Download
memory/2644-31-0x0000000000B80000-0x0000000000C6A000-memory.dmp

Filesize
936KB

Download
memory/2644-33-0x00000000020D0000-0x00000000020E8000-memory.dmp

Filesize
96KB

Download
memory/2644-34-0x0000000002100000-0x0000000002110000-memory.dmp

Filesize
64KB

Download
memory/2940-20-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/2940-21-0x0000000000660000-0x0000000000668000-memory.dmp

Filesize
32KB

Download
memory/2940-17-0x0000000000A90000-0x0000000000AA6000-memory.dmp

Filesize
88KB

Download
memory/2940-4-0x000007FEF5AB0000-0x000007FEF644D000-memory.dmp

Filesize
9.6MB

Download
memory/2940-29-0x000007FEF5AB0000-0x000007FEF644D000-memory.dmp

Filesize
9.6MB

Download
memory/2940-0-0x000007FEF5D6E000-0x000007FEF5D6F000-memory.dmp

Filesize
4KB

Download
memory/2940-3-0x000007FEF5AB0000-0x000007FEF644D000-memory.dmp

Filesize
9.6MB

Download
memory/2940-1-0x0000000000A30000-0x0000000000A8C000-memory.dmp

Filesize
368KB

Download
memory/2940-2-0x0000000000510000-0x000000000051E000-memory.dmp

Filesize
56KB

Download