orcus | 52d3a605d6d2542fc5bdd50d1e60318fbba19ea0774210de5ea4b7c2724fc581

General

Target

ez.exe
Size

903KB
MD5

360d22ae0477099e74b169afdd835fa3
SHA1

28d0961a0c4681530d1894fab03182af873cc249
SHA256

52d3a605d6d2542fc5bdd50d1e60318fbba19ea0774210de5ea4b7c2724fc581
SHA512

934172a9d987f9c06f134145b414b1e230198bc5a3799b6e3f8bf954ab8b8811c426772135e4399fed8f6c3fe879a329f9353f8f84a6c02e431840308267d7c4
SSDEEP

12288:KTUZ/Y95eo6L4ce7dG1lFlWcYT70pxnnaaoawZRVcTqSA+9rZNrI0AilFEvxHvBc:cqI4MROxnFMLqrZlI0AilFEvxHiLB

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

188.212.101.97:10134

Mutex

ee94bd16e34c4afb97e0bbe05badecb5

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000800000001ac42-33.dat	family_orcus

Orcurs Rat Executable 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000800000001ac42-33.dat	orcus
behavioral1/memory/1856-37-0x0000000000030000-0x0000000000118000-memory.dmp	orcus

Executes dropped EXE 1 IoCs

Processes:

Orcus.exe

pid	Process
1856	Orcus.exe

Loads dropped DLL 1 IoCs

Processes:

Orcus.exe

pid	Process
1856	Orcus.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

ez.exe

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	ez.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	ez.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cmd.exe

description	ioc	Process
File opened (read-only)	\??\U:	cmd.exe

Drops file in Program Files directory 3 IoCs

Processes:

ez.exe

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe	ez.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	ez.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	ez.exe

Drops file in Windows directory 3 IoCs

Processes:

ez.exe

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	ez.exe
File opened for modification	C:\Windows\assembly	ez.exe
File created	C:\Windows\assembly\Desktop.ini	ez.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid	Process
2204	vlc.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Orcus.exe

pid	Process
1856	Orcus.exe
1856	Orcus.exe
1856	Orcus.exe
1856	Orcus.exe
1856	Orcus.exe
1856	Orcus.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid	Process
2204	vlc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Orcus.exeAUDIODG.EXE

description	pid	Process
Token: SeDebugPrivilege	1856	Orcus.exe
Token: 33	924	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	924	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 19 IoCs

Processes:

Orcus.exevlc.exe

pid	Process
1856	Orcus.exe
2204	vlc.exe
2204	vlc.exe
2204	vlc.exe
2204	vlc.exe
2204	vlc.exe
2204	vlc.exe
2204	vlc.exe
2204	vlc.exe
2204	vlc.exe
2204	vlc.exe
2204	vlc.exe
2204	vlc.exe
2204	vlc.exe
2204	vlc.exe
2204	vlc.exe
2204	vlc.exe
1856	Orcus.exe
1856	Orcus.exe

Suspicious use of SendNotifyMessage 15 IoCs

Processes:

Orcus.exevlc.exe

pid	Process
1856	Orcus.exe
2204	vlc.exe
2204	vlc.exe
2204	vlc.exe
2204	vlc.exe
2204	vlc.exe
2204	vlc.exe
2204	vlc.exe
2204	vlc.exe
2204	vlc.exe
2204	vlc.exe
2204	vlc.exe
2204	vlc.exe
2204	vlc.exe
2204	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vlc.exe

pid	Process
2204	vlc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

ez.execsc.exe

description	pid	Process	procid_target
PID 4092 wrote to memory of 2892	4092	ez.exe	73
PID 4092 wrote to memory of 2892	4092	ez.exe	73
PID 2892 wrote to memory of 4596	2892	csc.exe	75
PID 2892 wrote to memory of 4596	2892	csc.exe	75
PID 4092 wrote to memory of 1856	4092	ez.exe	76
PID 4092 wrote to memory of 1856	4092	ez.exe	76

C:\Users\Admin\AppData\Local\Temp\ez.exe
"C:\Users\Admin\AppData\Local\Temp\ez.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\plpjwv5p.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES64A6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC64A5.tmp"
    3⤵
    PID:4596
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\AssertComplete.cmd" "
1⤵
- Enumerates connected drives
PID:596

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\TraceResolve.mov"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2204

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3a0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
903KB

MD5
360d22ae0477099e74b169afdd835fa3

SHA1
28d0961a0c4681530d1894fab03182af873cc249

SHA256
52d3a605d6d2542fc5bdd50d1e60318fbba19ea0774210de5ea4b7c2724fc581

SHA512
934172a9d987f9c06f134145b414b1e230198bc5a3799b6e3f8bf954ab8b8811c426772135e4399fed8f6c3fe879a329f9353f8f84a6c02e431840308267d7c4

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES64A6.tmp

Filesize
1KB

MD5
ad0cec5d29e7ed91a9904852d6d16510

SHA1
6133434cb8b01d89a781969cfe8de00a1c764c57

SHA256
62418dcf3ec7c2ad460724ddae4d1741825769805f89b96d15b13de203539229

SHA512
c75646b2c1ca5e461e446e8bbcdc99011eee0972cc80b74976e8c20d73ce868238983c63869d73ccdf849452f377d006a5a7fcd682324d7c41e1d70b370408e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\plpjwv5p.dll

Filesize
76KB

MD5
3b696f91c1228f636299b75bf1911ac5

SHA1
d25f1b223cb9705603d5570e78e0d7b065723c82

SHA256
f3241eeb328ecaefc6908504d890afd83f816843ac60c808cd738fd9b47a968a

SHA512
13f31d3ec622f6d6efeba6e16a2b8c256a7315a695b952329b81d4dc46e0601a86badcb3ae0c2ec83084b02566b1c1b158de6300e5bb25e67f0ebe16595853a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC64A5.tmp

Filesize
676B

MD5
3bd3689460f912beed62e32e33263078

SHA1
cf70b0a196bd4ea6e34d2493aeaa889f24ad1884

SHA256
0503e8d3d8ac3572aa19464472ae10c17e177a89f3e09451896173aeb54388e5

SHA512
b6498721186a4c5f9e976613931bf36cadb8ee10dfa24ef385330e8464f9e3da919a6c9dc43f0b989fe3222965cf485dd3766995f0fbad4e62ded384767ee943

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\plpjwv5p.0.cs

Filesize
208KB

MD5
84254415b39cc9d976939f95ffbbe3dd

SHA1
0c439a658d6c8a7f88f4da326d3d4ae89ee26282

SHA256
e72b98ef4ee543c1eabed71cf1180cbfe71e7fdfbd385b344d13e0e1cb8c9236

SHA512
25accc3af98ff1d1c882452ea643c54a530d0a04b820bf31f70b39b1c769ac3916692f0ab5aa179ace677dc0ec876b40c1db6245c45524d77b8d10389de02cee

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\plpjwv5p.cmdline

Filesize
349B

MD5
93522b410f2593c626458f3b95dd28b0

SHA1
51bb09f10dd173606b039de9acc60396d9def0d7

SHA256
78e13a69c4c02f2ae8526e83c95335909e04ad80fb80832608f7988feadd66b7

SHA512
40a530603bd7382a0f0df26964ab86731b110753b2919507bc49a9f052c693d711637ebe280411c41bdf14d4845e26f1953631fa47588906bb54d2f6d86678eb

Download Submit
\Users\Admin\AppData\Roaming\Orcus\lib_ee94bd16e34c4afb97e0bbe05badecb5\x64\turbojpeg.dll

Filesize
662KB

MD5
b36cc7f7c7148a783fbed3493bc27954

SHA1
44b39651949a00cf2a5cbba74c3210b980ae81b4

SHA256
c1ce9a872d33fb8757c59b5cd1f26c93b9eeec3e3cf57162c29a0783e6222a38

SHA512
c987c689ecc2cc57350c74ee22b66cb543535bc17b790016ec6407c3d02c539a727f5c38e1451a201e8e7ccfcb4d4639780b6e68cd38b7e67b1b28034ad738a2

Download Submit
memory/1856-71-0x000000001C470000-0x000000001C5C4000-memory.dmp

Filesize
1.3MB

Download
memory/1856-37-0x0000000000030000-0x0000000000118000-memory.dmp

Filesize
928KB

Download
memory/1856-61-0x000000001B5F0000-0x000000001B64A000-memory.dmp

Filesize
360KB

Download
memory/1856-121-0x000000001CAB0000-0x000000001CB8A000-memory.dmp

Filesize
872KB

Download
memory/1856-118-0x000000001BB50000-0x000000001BBFA000-memory.dmp

Filesize
680KB

Download
memory/1856-112-0x000000001D2F0000-0x000000001D816000-memory.dmp

Filesize
5.1MB

Download
memory/1856-109-0x0000000000890000-0x0000000000916000-memory.dmp

Filesize
536KB

Download
memory/1856-56-0x000000001B5A0000-0x000000001B5EA000-memory.dmp

Filesize
296KB

Download
memory/1856-51-0x000000001B270000-0x000000001B2B4000-memory.dmp

Filesize
272KB

Download
memory/1856-47-0x000000001BF40000-0x000000001C102000-memory.dmp

Filesize
1.8MB

Download
memory/1856-46-0x000000001BC60000-0x000000001BD6A000-memory.dmp

Filesize
1.0MB

Download
memory/1856-66-0x000000001B2C0000-0x000000001B2E6000-memory.dmp

Filesize
152KB

Download
memory/1856-77-0x00000000660C0000-0x000000006615C000-memory.dmp

Filesize
624KB

Download
memory/1856-39-0x0000000002480000-0x0000000002492000-memory.dmp

Filesize
72KB

Download
memory/1856-40-0x0000000002490000-0x00000000024A8000-memory.dmp

Filesize
96KB

Download
memory/1856-41-0x00000000024B0000-0x00000000024C0000-memory.dmp

Filesize
64KB

Download
memory/1856-44-0x000000001B580000-0x000000001B592000-memory.dmp

Filesize
72KB

Download
memory/1856-45-0x000000001BB10000-0x000000001BB4E000-memory.dmp

Filesize
248KB

Download
memory/2204-101-0x00007FF648550000-0x00007FF648648000-memory.dmp

Filesize
992KB

Download
memory/2204-102-0x00007FFA653D0000-0x00007FFA65404000-memory.dmp

Filesize
208KB

Download
memory/2204-103-0x00007FFA4E400000-0x00007FFA4E6B6000-memory.dmp

Filesize
2.7MB

Download
memory/2204-104-0x00007FFA4BDD0000-0x00007FFA4CE80000-memory.dmp

Filesize
16.7MB

Download
memory/2892-48-0x00007FFA56FB0000-0x00007FFA57950000-memory.dmp

Filesize
9.6MB

Download
memory/2892-20-0x00007FFA56FB0000-0x00007FFA57950000-memory.dmp

Filesize
9.6MB

Download
memory/4092-5-0x000000001B3E0000-0x000000001B3EE000-memory.dmp

Filesize
56KB

Download
memory/4092-0-0x00007FFA57265000-0x00007FFA57266000-memory.dmp

Filesize
4KB

Download
memory/4092-1-0x00007FFA56FB0000-0x00007FFA57950000-memory.dmp

Filesize
9.6MB

Download
memory/4092-38-0x00007FFA56FB0000-0x00007FFA57950000-memory.dmp

Filesize
9.6MB

Download
memory/4092-2-0x000000001B310000-0x000000001B36C000-memory.dmp

Filesize
368KB

Download
memory/4092-8-0x000000001BF30000-0x000000001BFCC000-memory.dmp

Filesize
624KB

Download
memory/4092-26-0x00007FFA56FB0000-0x00007FFA57950000-memory.dmp

Filesize
9.6MB

Download
memory/4092-25-0x0000000000D00000-0x0000000000D08000-memory.dmp

Filesize
32KB

Download
memory/4092-24-0x0000000000D30000-0x0000000000D42000-memory.dmp

Filesize
72KB

Download
memory/4092-6-0x00007FFA56FB0000-0x00007FFA57950000-memory.dmp

Filesize
9.6MB

Download
memory/4092-7-0x000000001BA60000-0x000000001BF2E000-memory.dmp

Filesize
4.8MB

Download
memory/4092-22-0x000000001C5D0000-0x000000001C5E6000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads