Overview

overview

10

Static

static

10

03bd0ad29d...bb.exe

windows7-x64

10

03bd0ad29d...bb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-07-2024 01:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    03bd0ad29d1b3efb2c876d5f4dbf800dd61df2e1b850c5f08c18cd14d39a97bb.exe

  • Size

    907KB

  • MD5

    2276a582ae9828473bd9d75de4bb5ee7

  • SHA1

    bda02bec26b3e29044dd0a26ad9abab9a46b4bd3

  • SHA256

    03bd0ad29d1b3efb2c876d5f4dbf800dd61df2e1b850c5f08c18cd14d39a97bb

  • SHA512

    802b88660e4c75b69bbdb71dcae39cb4eef9440e1631ff2112317e08bcea2535e69401535cbef6413ff3500e72c622be19792ac08f44bca7f10376adff98b726

  • SSDEEP

    24576:QNL34MROxnFpkptJSarrcI0AilFEvxHP1ooI:QWMiETSarrcI0AilFEvxHP

Score
10/10
orcusratspywarestealer

Malware Config

Extracted

Family

orcus

C2

indi.dynamic-dns.net:10131

Mutex

f0fe7471fd9d446590c2f17aa5f38be0

Attributes
  • autostart_method

    Disable

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcurs Rat Executable 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\03bd0ad29d1b3efb2c876d5f4dbf800dd61df2e1b850c5f08c18cd14d39a97bb.exe
    "C:\Users\Admin\AppData\Local\Temp\03bd0ad29d1b3efb2c876d5f4dbf800dd61df2e1b850c5f08c18cd14d39a97bb.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1848

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1848-0-0x0000000074E6E000-0x0000000074E6F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1848-1-0x0000000000C20000-0x0000000000D08000-memory.dmp

    Filesize

    928KB

    Download

  • memory/1848-2-0x0000000002FC0000-0x0000000002FCE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1848-3-0x0000000005560000-0x00000000055BC000-memory.dmp

    Filesize

    368KB

    Download

  • memory/1848-4-0x0000000074E60000-0x0000000075610000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1848-5-0x0000000005D20000-0x00000000062C4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1848-6-0x0000000005770000-0x0000000005802000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1848-7-0x0000000005BE0000-0x0000000005BF2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1848-8-0x0000000005BF0000-0x0000000005BF8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1848-9-0x0000000005C10000-0x0000000005C28000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1848-10-0x00000000065A0000-0x0000000006762000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1848-11-0x0000000005CB0000-0x0000000005CC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1848-12-0x0000000006870000-0x000000000687A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1848-13-0x0000000074E6E000-0x0000000074E6F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1848-14-0x0000000074E60000-0x0000000075610000-memory.dmp

    Filesize

    7.7MB

    Download