orcus | a7416cfb861ac1151c17305ec1b43f033729f637a0c74a15b3d0a85f68e90807

General

Target

htdhfrsfs.exe
Size

903KB
MD5

942a8d7c0a5bdd9639ff9805365021a3
SHA1

019ebb82c3208968d53b03cb940fb342c85b6a6c
SHA256

a7416cfb861ac1151c17305ec1b43f033729f637a0c74a15b3d0a85f68e90807
SHA512

5484158ba1b75cee0a4111b2e53c46c266546906ade4ed516eac3b0c53536f5fbc7a6b3849fe345a0ae60f6955c5da83716f2fdb1f59a9183e847f5e3713512d
SSDEEP

12288:Z8shHAVBuQBBed37dG1lFlWcYT70pxnnaaoawMRVcTqSA+9rZNrI0AilFEvxHvB0:m3s4MROxnF9LqrZlI0AilFEvxHinSo

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

23.84.85.170:3389

Mutex

466139a685e046efa39e67d19f3bebeb

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

Processes:

resource	yara_rule
C:\Program Files\Orcus\Orcus.exe	family_orcus

Orcurs Rat Executable 2 IoCs

Processes:

resource	yara_rule
C:\Program Files\Orcus\Orcus.exe	orcus
behavioral2/memory/2976-45-0x00000000006C0000-0x00000000007A8000-memory.dmp	orcus

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

htdhfrsfs.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	htdhfrsfs.exe

Executes dropped EXE 1 IoCs

Processes:

Orcus.exe

pid process

2976 Orcus.exe

pid	process
2976	Orcus.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

htdhfrsfs.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	htdhfrsfs.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	htdhfrsfs.exe

Drops file in Program Files directory 3 IoCs

Processes:

htdhfrsfs.exe

description	ioc	process
File created	C:\Program Files\Orcus\Orcus.exe	htdhfrsfs.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	htdhfrsfs.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	htdhfrsfs.exe

Drops file in Windows directory 3 IoCs

Processes:

htdhfrsfs.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	htdhfrsfs.exe
File created	C:\Windows\assembly\Desktop.ini	htdhfrsfs.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	htdhfrsfs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Orcus.exe

description pid process

Token: SeDebugPrivilege 2976 Orcus.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Orcus.exe

pid process

2976 Orcus.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Orcus.exe

pid process

2976 Orcus.exe

description	pid	process
Token: SeDebugPrivilege	2976	Orcus.exe

pid	process
2976	Orcus.exe

pid	process
2976	Orcus.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

htdhfrsfs.execsc.exe

description	pid	process	target process
PID 3536 wrote to memory of 4836	3536	htdhfrsfs.exe	csc.exe
PID 3536 wrote to memory of 4836	3536	htdhfrsfs.exe	csc.exe
PID 4836 wrote to memory of 2440	4836	csc.exe	cvtres.exe
PID 4836 wrote to memory of 2440	4836	csc.exe	cvtres.exe
PID 3536 wrote to memory of 2976	3536	htdhfrsfs.exe	Orcus.exe
PID 3536 wrote to memory of 2976	3536	htdhfrsfs.exe	Orcus.exe

C:\Users\Admin\AppData\Local\Temp\htdhfrsfs.exe
"C:\Users\Admin\AppData\Local\Temp\htdhfrsfs.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vtuppciv.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A03.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC59F2.tmp"
    3⤵
    PID:2440
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4380,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=4188 /prefetch:8
1⤵
PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
903KB

MD5
942a8d7c0a5bdd9639ff9805365021a3

SHA1
019ebb82c3208968d53b03cb940fb342c85b6a6c

SHA256
a7416cfb861ac1151c17305ec1b43f033729f637a0c74a15b3d0a85f68e90807

SHA512
5484158ba1b75cee0a4111b2e53c46c266546906ade4ed516eac3b0c53536f5fbc7a6b3849fe345a0ae60f6955c5da83716f2fdb1f59a9183e847f5e3713512d

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5A03.tmp

Filesize
1KB

MD5
31a70468ec5c471da2ba1684211f4af8

SHA1
a3c2ed5f9de0471f1f68e3607a3b4eaff5c9c47c

SHA256
feb39fecdb4c5eebc163e84bcd67649c540c3fbcbdae0daa6f9ccba016b8fdb4

SHA512
1cc8fa958ab19f5e4f06dc84ac90b037b7df83ffd8fcad220b50648407440d7dc9984ee83cec01cdbc63a277bf0fae62f6572f99cbda8036898e6aea6634b129

Download Submit
C:\Users\Admin\AppData\Local\Temp\vtuppciv.dll

Filesize
76KB

MD5
763320995edd00473565ef3de81f1a25

SHA1
a09133d772acf0cc4f2ef0c4f5e384230b12b306

SHA256
3e922c1a77ed38a45e9ebe08998957246c44e5a4d01573037680783fb78074e2

SHA512
43743688a1e7e2c62251fc3ecb3be5396063309aa2a232d34846b2921868b8f447073fc0b28a67d1896b0d00d9d804751b7d88d317ba213f860ec042136f2ec4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC59F2.tmp

Filesize
676B

MD5
8978a0dbbb40cc5cb2567bcb521c0552

SHA1
f40e299dc000295f168195ec229cfb9f2a71e1ca

SHA256
b0435e282ac516ad6817b55119e82d7c0115b4418f14b3c0e940cfb08f68aa2f

SHA512
cd143d06c9063952def5a7e3829fcb5bc139084c96d4ecf0075b373e57aa22bd1585a5c6a8f0ae0d889c6acf2f90df5f71919fc0c131244973853878b3094b57

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vtuppciv.0.cs

Filesize
208KB

MD5
cde047999d66a2fa75cb45b79de0860a

SHA1
818efb23268acfcf0860041a8bb506a0f3af953f

SHA256
eb2b7972d98ccde1efb99c0b35a2f90889132a8118f3a7e1b7ea43e6d793ec8b

SHA512
71749fbf4611ec509f3c08f96af84d9f517eb3d21a58d319cf43553bfc88e8ee571be5c76e7c6f251276cab1bb5589cce3f4c79b468535f9bb75e7cf082efe4a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vtuppciv.cmdline

Filesize
349B

MD5
b2b685d5f71116dec6f25e94cef7344d

SHA1
8dacaa715f55dc38430f33b94f62e7c74727fcfd

SHA256
5bfaf905938aa42802d6e4b13297d17e1bd4811209e57517082f079a0656828e

SHA512
97e0de26bf031daade10a93625b87b1e1359ad1d4e83e4ad6e8eb917751ff34e373cfaca4c99887f8f8feffcc62f735dbebbd98b67bac3c8359c84148ac03cd5

Download Submit
memory/2976-48-0x000000001B2F0000-0x000000001B300000-memory.dmp

Filesize
64KB

Download
memory/2976-45-0x00000000006C0000-0x00000000007A8000-memory.dmp

Filesize
928KB

Download
memory/2976-47-0x000000001B310000-0x000000001B328000-memory.dmp

Filesize
96KB

Download
memory/2976-46-0x000000001B300000-0x000000001B312000-memory.dmp

Filesize
72KB

Download
memory/3536-26-0x000000001BEF0000-0x000000001BEF8000-memory.dmp

Filesize
32KB

Download
memory/3536-2-0x000000001C080000-0x000000001C0DC000-memory.dmp

Filesize
368KB

Download
memory/3536-5-0x000000001C120000-0x000000001C12E000-memory.dmp

Filesize
56KB

Download
memory/3536-23-0x000000001D330000-0x000000001D346000-memory.dmp

Filesize
88KB

Download
memory/3536-25-0x000000001BF80000-0x000000001BF92000-memory.dmp

Filesize
72KB

Download
memory/3536-8-0x000000001CCA0000-0x000000001CD3C000-memory.dmp

Filesize
624KB

Download
memory/3536-27-0x00007FFD3C800000-0x00007FFD3D1A1000-memory.dmp

Filesize
9.6MB

Download
memory/3536-7-0x000000001C730000-0x000000001CBFE000-memory.dmp

Filesize
4.8MB

Download
memory/3536-1-0x00007FFD3C800000-0x00007FFD3D1A1000-memory.dmp

Filesize
9.6MB

Download
memory/3536-44-0x00007FFD3C800000-0x00007FFD3D1A1000-memory.dmp

Filesize
9.6MB

Download
memory/3536-0-0x00007FFD3CAB5000-0x00007FFD3CAB6000-memory.dmp

Filesize
4KB

Download
memory/3536-6-0x00007FFD3C800000-0x00007FFD3D1A1000-memory.dmp

Filesize
9.6MB

Download
memory/4836-16-0x00007FFD3C800000-0x00007FFD3D1A1000-memory.dmp

Filesize
9.6MB

Download
memory/4836-21-0x00007FFD3C800000-0x00007FFD3D1A1000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads