orcus | f053cf0164ed9a1c81f220ae3d1002acb7d4fb0154ee9e08588a6d24f84a24f1

General

Target

123123.exe
Size

903KB
MD5

be600c84c2975ab640487f7d896080d8
SHA1

6eb2dbaace9f52f08000908c82b02827ca401838
SHA256

f053cf0164ed9a1c81f220ae3d1002acb7d4fb0154ee9e08588a6d24f84a24f1
SHA512

9b5c0aaa3dbd61f8d2aaecb2b44de0d1bb47e72f42bd63d3f46b7c95feeed2271ed5ee497e27da5ca09dbd4429a08230c8a5f4bd1fef9b71024dd33e5f95fadb
SSDEEP

12288:g8shHAVBuQBBed37dG1lFlWcYT70pxnnaaoawMRVcTqSA+9rZNrI0AilFEvxHvB0:R3s4MROxnF9LqrZlI0AilFEvxHi+o

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

23.84.85.170:8888

Mutex

6c8f63d94afe4a09b223a2e8da9b77f3

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023489-35.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023489-35.dat	orcus
behavioral2/memory/548-44-0x0000000000320000-0x0000000000408000-memory.dmp	orcus

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	123123.exe

Executes dropped EXE 1 IoCs

pid	Process
548	Orcus.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	123123.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	123123.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe	123123.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	123123.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	123123.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	123123.exe
File created	C:\Windows\assembly\Desktop.ini	123123.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	123123.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	548	Orcus.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
548	Orcus.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
548	Orcus.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 2680	2564	123123.exe	82
PID 2564 wrote to memory of 2680	2564	123123.exe	82
PID 2680 wrote to memory of 4104	2680	csc.exe	84
PID 2680 wrote to memory of 4104	2680	csc.exe	84
PID 2564 wrote to memory of 548	2564	123123.exe	90
PID 2564 wrote to memory of 548	2564	123123.exe	90

C:\Users\Admin\AppData\Local\Temp\123123.exe
"C:\Users\Admin\AppData\Local\Temp\123123.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eqxxu3qg.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E16.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9E15.tmp"
    3⤵
    PID:4104
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
903KB

MD5
be600c84c2975ab640487f7d896080d8

SHA1
6eb2dbaace9f52f08000908c82b02827ca401838

SHA256
f053cf0164ed9a1c81f220ae3d1002acb7d4fb0154ee9e08588a6d24f84a24f1

SHA512
9b5c0aaa3dbd61f8d2aaecb2b44de0d1bb47e72f42bd63d3f46b7c95feeed2271ed5ee497e27da5ca09dbd4429a08230c8a5f4bd1fef9b71024dd33e5f95fadb

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9E16.tmp

Filesize
1KB

MD5
4c657a7a06b4bffc6a6413a6d3dc4f4f

SHA1
13624e7c40c6598e8beaa890df2fa148085ada3e

SHA256
2a9f0387d012b77fef63a448da4767a7a14f19f7afe04bc224ba39adba03340c

SHA512
2e56110491e3c34157041b251c3e75a21e815bf09650defaf654829e5708da2f0488229fb960176b3d606d7cbbef6fc6df368bfc9d7e82d86fe715741db4a8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\eqxxu3qg.dll

Filesize
76KB

MD5
ec65f68692ab4bb21c9daf9a361c684d

SHA1
6b5c7d508bd37d611d1236266e5a40f8ba07523c

SHA256
34e73bcc365294885ff7349b1e06ce1b748783e7322bf10aa6ecc89d84902f35

SHA512
1788dd42eeb55ed5262be93c5da4469f00d050ae1b91a5c7c00e3fd6117d5116c9671a74c7705c366e88667c10076785b929d86f77ffe54aa5210b65585ca9eb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9E15.tmp

Filesize
676B

MD5
1d716f1f32e70424bdd4acdd0be1f54d

SHA1
728599383c6d63500e33a4ca9d0a75d713499433

SHA256
af03cb4e08efceb0ccc82ffa25025a3971d111582711405f77b8c36206e305f1

SHA512
b3ee82ef15ae5dc52341f3272c84a11858a7e336e9aed5e5f1aa6c59954c0bc2c7623e5dce806091e20970585b1c9d2d3260f7d6db33567e19f4ce6e1823b485

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eqxxu3qg.0.cs

Filesize
208KB

MD5
d99a6ea726b01452f6c7054e6bda8e02

SHA1
eba2d350a4d967c7a1fef49b1022ee369f3ef799

SHA256
4cd39766f9c3d6330a0ea8ddb085f13bd2031446e45fe14e087e1b21ba9e9cae

SHA512
706a6507ffddcbea925566c73a0784cdbc044730c634e131d0d3fb045a0a4e995941c8505a096d3a4ddea6220c51f20d7d01ff1b1c18a64ed5b2ba2cd24f28bf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eqxxu3qg.cmdline

Filesize
349B

MD5
59f308a97ac807e974bbc14577f7b4a4

SHA1
318e3392aeffe1b69f7e6102f5edcfbe117a72b5

SHA256
4d5ccbd3d3df7d607221ef2c50da2820af66013ebb7aeea8543c607114454f61

SHA512
16be9ece5e8edf37b12670f2c48d73cb43af79a5891bfebf78fa149497ff34b1626210886aa70307e02073fc0300f25ac70ac54a9b0517a31111776dd8270e53

Download Submit
memory/548-48-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/548-47-0x00000000026C0000-0x00000000026D8000-memory.dmp

Filesize
96KB

Download
memory/548-46-0x00000000026B0000-0x00000000026C2000-memory.dmp

Filesize
72KB

Download
memory/548-44-0x0000000000320000-0x0000000000408000-memory.dmp

Filesize
928KB

Download
memory/2564-8-0x000000001CBA0000-0x000000001CC3C000-memory.dmp

Filesize
624KB

Download
memory/2564-0-0x00007FFC3A865000-0x00007FFC3A866000-memory.dmp

Filesize
4KB

Download
memory/2564-1-0x00007FFC3A5B0000-0x00007FFC3AF51000-memory.dmp

Filesize
9.6MB

Download
memory/2564-23-0x000000001C040000-0x000000001C056000-memory.dmp

Filesize
88KB

Download
memory/2564-25-0x0000000001A20000-0x0000000001A32000-memory.dmp

Filesize
72KB

Download
memory/2564-26-0x00000000019F0000-0x00000000019F8000-memory.dmp

Filesize
32KB

Download
memory/2564-27-0x00007FFC3A5B0000-0x00007FFC3AF51000-memory.dmp

Filesize
9.6MB

Download
memory/2564-2-0x000000001BF00000-0x000000001BF5C000-memory.dmp

Filesize
368KB

Download
memory/2564-7-0x000000001C630000-0x000000001CAFE000-memory.dmp

Filesize
4.8MB

Download
memory/2564-45-0x00007FFC3A5B0000-0x00007FFC3AF51000-memory.dmp

Filesize
9.6MB

Download
memory/2564-6-0x00007FFC3A5B0000-0x00007FFC3AF51000-memory.dmp

Filesize
9.6MB

Download
memory/2564-5-0x000000001C000000-0x000000001C00E000-memory.dmp

Filesize
56KB

Download
memory/2680-21-0x00007FFC3A5B0000-0x00007FFC3AF51000-memory.dmp

Filesize
9.6MB

Download
memory/2680-16-0x00007FFC3A5B0000-0x00007FFC3AF51000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing