orcus | 73e5c9ee757cdc4612403ed222d05a4e1146d9c7377768f56f8bb2784a4cc659

General

Target

123123123123.exe
Size

903KB
MD5

9973c0b7a3f69b5c001ecc09f6cddae4
SHA1

e54f59b0ceb530edbb961854f54942666b812360
SHA256

73e5c9ee757cdc4612403ed222d05a4e1146d9c7377768f56f8bb2784a4cc659
SHA512

b6011b823fda39cbbdcc868c2d9399b11b1d9fb88e6ac7fd5db5e185a763f3c7cdc4e5af2366a19d367ca7a6599ff06ebb020bac9f1559bfbed0aa02050bfca1
SSDEEP

12288:HTUZ/Y95eo6L4ce7dG1lFlWcYT70pxnnaaoawZRVcTqSA+9rZNrI0AilFEvxHvBg:DqI4MROxnFMLqrZlI0AilFEvxHiOuB

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

act-predictions.gl.at.ply.gg:50032

Mutex

eaa01be293dc466298b0d3c48800134c

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x0007000000023461-37.dat	family_orcus

Orcurs Rat Executable 2 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x0007000000023461-37.dat	orcus
behavioral2/memory/1988-46-0x0000000000850000-0x0000000000938000-memory.dmp	orcus

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

123123123123.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	123123123123.exe

Executes dropped EXE 1 IoCs

Processes:

Orcus.exe

pid	Process
1988	Orcus.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

123123123123.exe

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	123123123123.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	123123123123.exe

Drops file in Program Files directory 3 IoCs

Processes:

123123123123.exe

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe	123123123123.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	123123123123.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	123123123123.exe

Drops file in Windows directory 3 IoCs

Processes:

123123123123.exe

description	ioc	Process
File opened for modification	C:\Windows\assembly	123123123123.exe
File created	C:\Windows\assembly\Desktop.ini	123123123123.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	123123123123.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Orcus.exe

pid	Process
1988	Orcus.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Orcus.exe

pid	Process
1988	Orcus.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

123123123123.execsc.exe

description	pid	Process	procid_target
PID 2852 wrote to memory of 2876	2852	123123123123.exe	82
PID 2852 wrote to memory of 2876	2852	123123123123.exe	82
PID 2876 wrote to memory of 1448	2876	csc.exe	84
PID 2876 wrote to memory of 1448	2876	csc.exe	84
PID 2852 wrote to memory of 1988	2852	123123123123.exe	93
PID 2852 wrote to memory of 1988	2852	123123123123.exe	93

C:\Users\Admin\AppData\Local\Temp\123123123123.exe
"C:\Users\Admin\AppData\Local\Temp\123123123123.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o2tvyqov.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E44.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9E34.tmp"
    3⤵
    PID:1448
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
903KB

MD5
9973c0b7a3f69b5c001ecc09f6cddae4

SHA1
e54f59b0ceb530edbb961854f54942666b812360

SHA256
73e5c9ee757cdc4612403ed222d05a4e1146d9c7377768f56f8bb2784a4cc659

SHA512
b6011b823fda39cbbdcc868c2d9399b11b1d9fb88e6ac7fd5db5e185a763f3c7cdc4e5af2366a19d367ca7a6599ff06ebb020bac9f1559bfbed0aa02050bfca1

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9E44.tmp

Filesize
1KB

MD5
2b13296756c8465137c96f0a80da4318

SHA1
aa120d0510c98d804ddfaa5f00c96e4300cfb09a

SHA256
a0143bff8b9009b1246ad360a10ba67be57357cbdd51b070fe1a81dbdb54de0e

SHA512
bccd054c68edc3ceba425826c374d11b8964cd7e86eef83049d906ce300be681ae582b2efba054b4d76e805ce33a219c64b2f7df660760d0da1c1aebe0841a74

Download Submit
C:\Users\Admin\AppData\Local\Temp\o2tvyqov.dll

Filesize
76KB

MD5
a546cf116fc180fdcc618dced5904235

SHA1
ab27a784f5232b6aaad25e6064fca526e5bf0d1a

SHA256
496715e26f55df051c098fe385fb088e5b3996909c0b7ec8ac4798b8a7616300

SHA512
1acd2a53f97876ed25708234693561b8f25c7ccdf7d634428cdc1fdc6ca8a4ec5fd8e319e26c055d33550291ba20c9c9d3d837bc126f26ee6369953068c8f2c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9E34.tmp

Filesize
676B

MD5
23af10f187f7b7feb72494d174a8c2a3

SHA1
8b45a339ac8fabe8dcae88d0893570a1820c56e4

SHA256
5b9ab11be0d3cb4aa15a509d3fd0b1887ee143a0c8b275dcdcb9093d63925122

SHA512
4aa011a808e9dbff07194d9aa4886854831b61a1c2606cda15c6a33647439fad8e95233a0d4bdccd986616db39e826b798f35717d535222b4bc29e3dc484b603

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o2tvyqov.0.cs

Filesize
208KB

MD5
df14bed31fb34de57c9cb68a7d03f72a

SHA1
208bc8471b27bffb792229d50bb25b3bc3bbb546

SHA256
a619a16228ac447f4ed8768a727f59fee366caa9f6683bd5bea9ecc97e571daf

SHA512
d8cdeb0ae2a43c5c70898c8e2392f6c4f768f521a205863b4f6b8c60342ebe39f2ec72516fb7c27c22a960175c36b2dd135e818af6796dbb431b6e22b5b036e6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o2tvyqov.cmdline

Filesize
349B

MD5
36d9d6fa15742c6db40cf7db8a177ef6

SHA1
ba7917a9c1f61d1bd157ba53054a0af5941d5f78

SHA256
401f8b84fa5ddc6df86aca2570c0d8d9b6c816a42bfde88a203ace8f380f21d1

SHA512
3f54febe1e8d463458a27ddf121a240114499a3db19d4e9ba2b173914535679ea954069b354ac9a29c6c987d1a43c78ff760b54e35a16b742d4bb3118684e9a2

Download Submit
memory/1988-50-0x0000000001290000-0x00000000012A0000-memory.dmp

Filesize
64KB

Download
memory/1988-49-0x0000000002B60000-0x0000000002B78000-memory.dmp

Filesize
96KB

Download
memory/1988-48-0x0000000002B50000-0x0000000002B62000-memory.dmp

Filesize
72KB

Download
memory/1988-46-0x0000000000850000-0x0000000000938000-memory.dmp

Filesize
928KB

Download
memory/2852-28-0x00007FF965E05000-0x00007FF965E06000-memory.dmp

Filesize
4KB

Download
memory/2852-0-0x00007FF965E05000-0x00007FF965E06000-memory.dmp

Filesize
4KB

Download
memory/2852-23-0x000000001C6F0000-0x000000001C706000-memory.dmp

Filesize
88KB

Download
memory/2852-1-0x000000001B3E0000-0x000000001B43C000-memory.dmp

Filesize
368KB

Download
memory/2852-25-0x0000000000E60000-0x0000000000E72000-memory.dmp

Filesize
72KB

Download
memory/2852-26-0x0000000000DD0000-0x0000000000DD8000-memory.dmp

Filesize
32KB

Download
memory/2852-27-0x00007FF965B50000-0x00007FF9664F1000-memory.dmp

Filesize
9.6MB

Download
memory/2852-2-0x00007FF965B50000-0x00007FF9664F1000-memory.dmp

Filesize
9.6MB

Download
memory/2852-29-0x00007FF965B50000-0x00007FF9664F1000-memory.dmp

Filesize
9.6MB

Download
memory/2852-8-0x000000001C050000-0x000000001C0EC000-memory.dmp

Filesize
624KB

Download
memory/2852-6-0x00007FF965B50000-0x00007FF9664F1000-memory.dmp

Filesize
9.6MB

Download
memory/2852-7-0x000000001BAE0000-0x000000001BFAE000-memory.dmp

Filesize
4.8MB

Download
memory/2852-47-0x00007FF965B50000-0x00007FF9664F1000-memory.dmp

Filesize
9.6MB

Download
memory/2852-5-0x000000001B4E0000-0x000000001B4EE000-memory.dmp

Filesize
56KB

Download
memory/2876-21-0x00007FF965B50000-0x00007FF9664F1000-memory.dmp

Filesize
9.6MB

Download
memory/2876-20-0x00007FF965B50000-0x00007FF9664F1000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads