orcus | d55cb8d9ad30078be362414186e4e065394430c3c0b0fa83f06922f59d288a63

General

Target

example.exe
Size

903KB
MD5

de87df65430d0f19436429db542fe5b0
SHA1

bd4026365cbb6d4a7ea8b17a8fea83ab2e7a6037
SHA256

d55cb8d9ad30078be362414186e4e065394430c3c0b0fa83f06922f59d288a63
SHA512

325a50723fbcf82df0a22bc7c68177bd7f9df25a155f204439a27d9aafcd089a8963020b4f8800da8bd444ec7481b5976f717ef7630aa2588dc9cb95c6c46c02
SSDEEP

12288:sTUZ/Y95eo6L4ce7dG1lFlWcYT70pxnnaaoawZRVcTqSA+9rZNrI0AilFEvxHvBO:CqI4MROxnFMLqrZlI0AilFEvxHi5B

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

text-eating.gl.at.ply.gg:52982

Mutex

8fd8dcabe5d849ad96f2d6e189ef12c1

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x00080000000234ca-35.dat	family_orcus

Orcurs Rat Executable 2 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x00080000000234ca-35.dat	orcus
behavioral2/memory/112-44-0x0000000000F80000-0x0000000001068000-memory.dmp	orcus

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

example.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	example.exe

Executes dropped EXE 1 IoCs

Processes:

Orcus.exe

pid	Process
112	Orcus.exe

Loads dropped DLL 1 IoCs

Processes:

Orcus.exe

pid	Process
112	Orcus.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

example.exe

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	example.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	example.exe

Drops file in Program Files directory 3 IoCs

Processes:

example.exe

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe.config	example.exe
File created	C:\Program Files\Orcus\Orcus.exe	example.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	example.exe

Drops file in Windows directory 3 IoCs

Processes:

example.exe

description	ioc	Process
File opened for modification	C:\Windows\assembly	example.exe
File created	C:\Windows\assembly\Desktop.ini	example.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	example.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Orcus.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Orcus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Orcus.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Orcus.exe

description	pid	Process
Token: SeDebugPrivilege	112	Orcus.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Orcus.exe

pid	Process
112	Orcus.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Orcus.exe

pid	Process
112	Orcus.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

example.execsc.exe

description	pid	Process	procid_target
PID 3112 wrote to memory of 3748	3112	example.exe	82
PID 3112 wrote to memory of 3748	3112	example.exe	82
PID 3748 wrote to memory of 4752	3748	csc.exe	84
PID 3748 wrote to memory of 4752	3748	csc.exe	84
PID 3112 wrote to memory of 112	3112	example.exe	89
PID 3112 wrote to memory of 112	3112	example.exe	89

C:\Users\Admin\AppData\Local\Temp\example.exe
"C:\Users\Admin\AppData\Local\Temp\example.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3112
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8gl6nbq8.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3748
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAAD7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAAC7.tmp"
    3⤵
    PID:4752
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
903KB

MD5
de87df65430d0f19436429db542fe5b0

SHA1
bd4026365cbb6d4a7ea8b17a8fea83ab2e7a6037

SHA256
d55cb8d9ad30078be362414186e4e065394430c3c0b0fa83f06922f59d288a63

SHA512
325a50723fbcf82df0a22bc7c68177bd7f9df25a155f204439a27d9aafcd089a8963020b4f8800da8bd444ec7481b5976f717ef7630aa2588dc9cb95c6c46c02

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\8gl6nbq8.dll

Filesize
76KB

MD5
f7bf792feb437a773015d2e7645e458a

SHA1
36278d637bbde3fc98ded478daaa1db860a9860e

SHA256
e475d773b5f83732a8f6b0bf44f495247fe642a4fc0866081de33c9996f775dc

SHA512
7844dc0c7ae0c3cc9eac82ad71f88e33ccaf3e379811117ae593e104a290a047ffa37bec442de4087db51f975a6c798dd4a317a5436e06fe26428fbfc7728520

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAAD7.tmp

Filesize
1KB

MD5
f0682d3776e3971687ba937227f5689b

SHA1
aedc2951fb5e6ef06f1345f8cae2350a0035a546

SHA256
b386b20473058177f8fc7a874a2017fb367116b207ddd097f488ff3ece8b83f6

SHA512
85822c6ed5a934bf65946b5a57c872d455d247465f0f2af1186b37de20290c83bc269647980cc88a63ff1ac0a6b56b25f75bc80819de8f6887cd1c04bf02874c

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_8fd8dcabe5d849ad96f2d6e189ef12c1\x64\turbojpeg.dll

Filesize
662KB

MD5
b36cc7f7c7148a783fbed3493bc27954

SHA1
44b39651949a00cf2a5cbba74c3210b980ae81b4

SHA256
c1ce9a872d33fb8757c59b5cd1f26c93b9eeec3e3cf57162c29a0783e6222a38

SHA512
c987c689ecc2cc57350c74ee22b66cb543535bc17b790016ec6407c3d02c539a727f5c38e1451a201e8e7ccfcb4d4639780b6e68cd38b7e67b1b28034ad738a2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\8gl6nbq8.0.cs

Filesize
208KB

MD5
44278669c63771625a662016113245ba

SHA1
e2e929323eccea979f4c0dda1367503bd46187b5

SHA256
d5bd2f24509c8e94c50e5cd424d15d625f0cd9c3b715b0c06a59dd0d7bd93521

SHA512
cab061b3d64d3a40045d1ffae1a2cbb9039a0e068230249e375655e04dd98ffcb1510ba7b885a832e7645cbe77756f592ac2b701d2be4aa36e6cbb21d5f01eca

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\8gl6nbq8.cmdline

Filesize
349B

MD5
16f872fe80876bdcacc9697977dcd1f0

SHA1
f1658b7407a403115be990e3189a9bba6ccfb771

SHA256
aec46b902ac7dcf9d08ba3f33bca055ffbf0d630c47c23eadc58c693213cd160

SHA512
f80c4adef1e9304ed8ad1ceae3bcc78a140a8094283257d8a17f7b5681c213617506183879e7c6cc6c3384fabfdcf2565d7b0ae792471fe09c6722b47cdffdba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCAAC7.tmp

Filesize
676B

MD5
2c628ac073d56fb229d9152544def0ce

SHA1
858fd1685cead60fd36190324eca122a2e05c8ac

SHA256
eed973e4807869375d72904092aba55c972538500eab6a3b84c2e0a97d0d8194

SHA512
e103831e52922b4e0d6f7771a7197f0c0f1bf3b96b74c92cfb43667b051eb1b17212043fc49cb2b1e69c7d6cd474641fb07325e842ffdfbcc3425e99d51f140a

Download Submit
memory/112-53-0x000000001D140000-0x000000001D302000-memory.dmp

Filesize
1.8MB

Download
memory/112-66-0x000000001CFC0000-0x000000001D01A000-memory.dmp

Filesize
360KB

Download
memory/112-93-0x000000001FB70000-0x000000001FBBA000-memory.dmp

Filesize
296KB

Download
memory/112-90-0x000000001C9F0000-0x000000001CA06000-memory.dmp

Filesize
88KB

Download
memory/112-85-0x000000001B6E0000-0x000000001B6EC000-memory.dmp

Filesize
48KB

Download
memory/112-82-0x000000001D310000-0x000000001D462000-memory.dmp

Filesize
1.3MB

Download
memory/112-76-0x000000001D470000-0x000000001D5C4000-memory.dmp

Filesize
1.3MB

Download
memory/112-71-0x000000001B6A0000-0x000000001B6C6000-memory.dmp

Filesize
152KB

Download
memory/112-61-0x000000001CF70000-0x000000001CFBA000-memory.dmp

Filesize
296KB

Download
memory/112-56-0x000000001B650000-0x000000001B694000-memory.dmp

Filesize
272KB

Download
memory/112-52-0x000000001CE60000-0x000000001CF6A000-memory.dmp

Filesize
1.0MB

Download
memory/112-51-0x000000001CA70000-0x000000001CAAC000-memory.dmp

Filesize
240KB

Download
memory/112-44-0x0000000000F80000-0x0000000001068000-memory.dmp

Filesize
928KB

Download
memory/112-50-0x000000001CA10000-0x000000001CA22000-memory.dmp

Filesize
72KB

Download
memory/112-46-0x0000000003130000-0x0000000003148000-memory.dmp

Filesize
96KB

Download
memory/112-47-0x0000000003150000-0x0000000003160000-memory.dmp

Filesize
64KB

Download
memory/3112-23-0x000000001CDF0000-0x000000001CE06000-memory.dmp

Filesize
88KB

Download
memory/3112-5-0x000000001BCE0000-0x000000001BCEE000-memory.dmp

Filesize
56KB

Download
memory/3112-6-0x00007FF8D4FA0000-0x00007FF8D5941000-memory.dmp

Filesize
9.6MB

Download
memory/3112-0-0x00007FF8D5255000-0x00007FF8D5256000-memory.dmp

Filesize
4KB

Download
memory/3112-27-0x00007FF8D4FA0000-0x00007FF8D5941000-memory.dmp

Filesize
9.6MB

Download
memory/3112-26-0x000000001B9C0000-0x000000001B9C8000-memory.dmp

Filesize
32KB

Download
memory/3112-2-0x000000001BB10000-0x000000001BB6C000-memory.dmp

Filesize
368KB

Download
memory/3112-1-0x00007FF8D4FA0000-0x00007FF8D5941000-memory.dmp

Filesize
9.6MB

Download
memory/3112-8-0x000000001C730000-0x000000001C7CC000-memory.dmp

Filesize
624KB

Download
memory/3112-45-0x00007FF8D4FA0000-0x00007FF8D5941000-memory.dmp

Filesize
9.6MB

Download
memory/3112-25-0x000000001B9A0000-0x000000001B9B2000-memory.dmp

Filesize
72KB

Download
memory/3112-7-0x000000001C1C0000-0x000000001C68E000-memory.dmp

Filesize
4.8MB

Download
memory/3748-21-0x00007FF8D4FA0000-0x00007FF8D5941000-memory.dmp

Filesize
9.6MB

Download
memory/3748-16-0x00007FF8D4FA0000-0x00007FF8D5941000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads