orcus | a7416cfb861ac1151c17305ec1b43f033729f637a0c74a15b3d0a85f68e90807

General

Target

htdhfrsfs.exe
Size

903KB
MD5

942a8d7c0a5bdd9639ff9805365021a3
SHA1

019ebb82c3208968d53b03cb940fb342c85b6a6c
SHA256

a7416cfb861ac1151c17305ec1b43f033729f637a0c74a15b3d0a85f68e90807
SHA512

5484158ba1b75cee0a4111b2e53c46c266546906ade4ed516eac3b0c53536f5fbc7a6b3849fe345a0ae60f6955c5da83716f2fdb1f59a9183e847f5e3713512d
SSDEEP

12288:Z8shHAVBuQBBed37dG1lFlWcYT70pxnnaaoawMRVcTqSA+9rZNrI0AilFEvxHvB0:m3s4MROxnF9LqrZlI0AilFEvxHinSo

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

23.84.85.170:3389

Mutex

466139a685e046efa39e67d19f3bebeb

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

Processes:

resource	yara_rule
C:\Program Files\Orcus\Orcus.exe	family_orcus

Orcurs Rat Executable 2 IoCs

Processes:

resource	yara_rule
C:\Program Files\Orcus\Orcus.exe	orcus
behavioral1/memory/2076-35-0x0000000000320000-0x0000000000408000-memory.dmp	orcus

Executes dropped EXE 1 IoCs

Processes:

Orcus.exe

pid process

2076 Orcus.exe

pid	process
2076	Orcus.exe

Drops file in Program Files directory 3 IoCs

Processes:

htdhfrsfs.exe

description	ioc	process
File created	C:\Program Files\Orcus\Orcus.exe	htdhfrsfs.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	htdhfrsfs.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	htdhfrsfs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Orcus.exe

description pid process

Token: SeDebugPrivilege 2076 Orcus.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Orcus.exe

pid process

2076 Orcus.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Orcus.exe

pid process

2076 Orcus.exe

description	pid	process
Token: SeDebugPrivilege	2076	Orcus.exe

pid	process
2076	Orcus.exe

pid	process
2076	Orcus.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

htdhfrsfs.execsc.exe

description	pid	process	target process
PID 1708 wrote to memory of 2348	1708	htdhfrsfs.exe	csc.exe
PID 1708 wrote to memory of 2348	1708	htdhfrsfs.exe	csc.exe
PID 1708 wrote to memory of 2348	1708	htdhfrsfs.exe	csc.exe
PID 2348 wrote to memory of 2504	2348	csc.exe	cvtres.exe
PID 2348 wrote to memory of 2504	2348	csc.exe	cvtres.exe
PID 2348 wrote to memory of 2504	2348	csc.exe	cvtres.exe
PID 1708 wrote to memory of 2076	1708	htdhfrsfs.exe	Orcus.exe
PID 1708 wrote to memory of 2076	1708	htdhfrsfs.exe	Orcus.exe
PID 1708 wrote to memory of 2076	1708	htdhfrsfs.exe	Orcus.exe

C:\Users\Admin\AppData\Local\Temp\htdhfrsfs.exe
"C:\Users\Admin\AppData\Local\Temp\htdhfrsfs.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hifenumg.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE61C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE61B.tmp"
    3⤵
    PID:2504
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
903KB

MD5
942a8d7c0a5bdd9639ff9805365021a3

SHA1
019ebb82c3208968d53b03cb940fb342c85b6a6c

SHA256
a7416cfb861ac1151c17305ec1b43f033729f637a0c74a15b3d0a85f68e90807

SHA512
5484158ba1b75cee0a4111b2e53c46c266546906ade4ed516eac3b0c53536f5fbc7a6b3849fe345a0ae60f6955c5da83716f2fdb1f59a9183e847f5e3713512d

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFCB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE61C.tmp

Filesize
1KB

MD5
b7aa674b63002eb1e36c798c964cd8db

SHA1
3b5ca47b0c6abb3cf96ea17caf198951f4be0de6

SHA256
992f0376fcc8e47b8d2d87db2b77973aef2426d15755ae57426ce1d48d160ddc

SHA512
b33254f3631fe10b5342b6b6f580b813b861dd6f5f44ae23dbb4c35c1fd5fe13883ed5f51ba837eb03eb1d4dd97afcaddd5c5a2a368fbd011561b41e00f5d3af

Download Submit
C:\Users\Admin\AppData\Local\Temp\hifenumg.dll

Filesize
76KB

MD5
b4c00b17db6877b63210a0164f2e69af

SHA1
a452471d3909da9780074f3384d44f24095e63aa

SHA256
21f1e72d31d58cde875e51d297eb31e3d659e4b02f8f005826b6be7c81f75d1e

SHA512
0ef9bdd44dfccbd4ff5fbacf2fbca29671e663dc0a9a0e88972f8a167788ce23a3d8408b55f68ba26d7af74ec189aae6a2b832f44a6b0398b3c6b80369830409

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCE61B.tmp

Filesize
676B

MD5
1dc2457a00b63e7f813a874252c22870

SHA1
ffd710ec43588300c36a0e560aa96dcfda85d964

SHA256
86e3141f9fe15e827757ad8c7b87089669a527c06346ff7e3e5f5b95620bf80e

SHA512
b7d7cecbf42b5589e97e36be0e3cacd01b0b90dc2c40b8a0c3e3942e099952c553d86e7aacc8d9ce77474d4d7038831d487b23667a1007262e6cb22b7915dd99

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hifenumg.0.cs

Filesize
208KB

MD5
6011503497b1b9250a05debf9690e52c

SHA1
897aea61e9bffc82d7031f1b3da12fb83efc6d82

SHA256
08f42b8d57bb61bc8f9628c8a80953b06ca4149d50108083fca6dc26bdd49434

SHA512
604c33e82e8b5bb5c54389c2899c81e5482a06e69db08268173a5b4574327ee5de656d312011d07e50a2e398a4c9b0cd79029013f76e05e18cf67ce5a916ffd9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hifenumg.cmdline

Filesize
349B

MD5
cf906a992219eec5144eb327cff48b64

SHA1
3f60ea20b481696a02126a9cca7b8121d84f553a

SHA256
1d5f274dc66fcde163181b4a90ebcc66f3fd4fc11440261093c590c666666ac5

SHA512
66412b854d270f43bdac144980b3ffd7bd2535c79e76429e4961a8f666f151db7ba108b3a4d3e769de8c584f71899a16db48e92717661a123d4e058f880defcf

Download Submit
memory/1708-23-0x000007FEF55AE000-0x000007FEF55AF000-memory.dmp

Filesize
4KB

Download
memory/1708-33-0x000007FEF52F0000-0x000007FEF5C8D000-memory.dmp

Filesize
9.6MB

Download
memory/1708-24-0x000007FEF52F0000-0x000007FEF5C8D000-memory.dmp

Filesize
9.6MB

Download
memory/1708-4-0x000007FEF52F0000-0x000007FEF5C8D000-memory.dmp

Filesize
9.6MB

Download
memory/1708-3-0x000007FEF52F0000-0x000007FEF5C8D000-memory.dmp

Filesize
9.6MB

Download
memory/1708-21-0x0000000000590000-0x00000000005A2000-memory.dmp

Filesize
72KB

Download
memory/1708-22-0x000007FEF52F0000-0x000007FEF5C8D000-memory.dmp

Filesize
9.6MB

Download
memory/1708-1-0x0000000002010000-0x000000000206C000-memory.dmp

Filesize
368KB

Download
memory/1708-19-0x000000001AEA0000-0x000000001AEB6000-memory.dmp

Filesize
88KB

Download
memory/1708-2-0x00000000002F0000-0x00000000002FE000-memory.dmp

Filesize
56KB

Download
memory/1708-0-0x000007FEF55AE000-0x000007FEF55AF000-memory.dmp

Filesize
4KB

Download
memory/2076-36-0x0000000002240000-0x0000000002252000-memory.dmp

Filesize
72KB

Download
memory/2076-35-0x0000000000320000-0x0000000000408000-memory.dmp

Filesize
928KB

Download
memory/2076-37-0x0000000002250000-0x0000000002268000-memory.dmp

Filesize
96KB

Download
memory/2076-38-0x0000000002230000-0x0000000002240000-memory.dmp

Filesize
64KB

Download
memory/2348-10-0x000007FEF52F0000-0x000007FEF5C8D000-memory.dmp

Filesize
9.6MB

Download
memory/2348-17-0x000007FEF52F0000-0x000007FEF5C8D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads