orcus | 478241c86132a6eb39627abbc9689ebbb2c646cf52a75880432dc12d656671fb

Analysis

max time kernel
146s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

478241c86132a6eb39627abbc9689ebbb2c646cf52a75880432dc12d656671fb.exe
Size

3.0MB
MD5

832d479717feba64d070366ed01c3675
SHA1

31e9312abaa13b1bc5aaba5b9ae9213bc53eb6ef
SHA256

478241c86132a6eb39627abbc9689ebbb2c646cf52a75880432dc12d656671fb
SHA512

6407d2bf63057cbc5a94ddd6b8edefeb996c81bfd45dedc87fd044de36ac5d4be3abbeb0de6bd5898ade53b1ed370b62e3a3ca4578bfed7b4fb54a4c502538fd
SSDEEP

49152:E8vN8QFUwqYZeM9/ZzzBjMkPUayX82+YXAypQxb9ndo9JnCmutncFf0I74gu3kM:Ei0wGGzBjryX82uypSb9ndo9JCm

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

0.0.0.0:23210

Mutex

38874e1e50484f7aa3733dd3e2f0a4f0

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcurs Rat Executable 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2280-1-0x00000000001D0000-0x00000000004CA000-memory.dmp	orcus
C:\Program Files\Orcus\Orcus.exe	orcus
behavioral1/memory/2644-17-0x0000000000940000-0x0000000000C3A000-memory.dmp	orcus

Executes dropped EXE 1 IoCs

Processes:

Orcus.exe

pid process

2644 Orcus.exe

pid	process
2644	Orcus.exe

Drops file in Program Files directory 3 IoCs

Processes:

478241c86132a6eb39627abbc9689ebbb2c646cf52a75880432dc12d656671fb.exe

description	ioc	process
File created	C:\Program Files\Orcus\Orcus.exe	478241c86132a6eb39627abbc9689ebbb2c646cf52a75880432dc12d656671fb.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	478241c86132a6eb39627abbc9689ebbb2c646cf52a75880432dc12d656671fb.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	478241c86132a6eb39627abbc9689ebbb2c646cf52a75880432dc12d656671fb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

478241c86132a6eb39627abbc9689ebbb2c646cf52a75880432dc12d656671fb.exe

description	pid	process	target process
PID 2280 wrote to memory of 2644	2280	478241c86132a6eb39627abbc9689ebbb2c646cf52a75880432dc12d656671fb.exe	Orcus.exe
PID 2280 wrote to memory of 2644	2280	478241c86132a6eb39627abbc9689ebbb2c646cf52a75880432dc12d656671fb.exe	Orcus.exe
PID 2280 wrote to memory of 2644	2280	478241c86132a6eb39627abbc9689ebbb2c646cf52a75880432dc12d656671fb.exe	Orcus.exe

C:\Users\Admin\AppData\Local\Temp\478241c86132a6eb39627abbc9689ebbb2c646cf52a75880432dc12d656671fb.exe
"C:\Users\Admin\AppData\Local\Temp\478241c86132a6eb39627abbc9689ebbb2c646cf52a75880432dc12d656671fb.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
3.0MB

MD5
832d479717feba64d070366ed01c3675

SHA1
31e9312abaa13b1bc5aaba5b9ae9213bc53eb6ef

SHA256
478241c86132a6eb39627abbc9689ebbb2c646cf52a75880432dc12d656671fb

SHA512
6407d2bf63057cbc5a94ddd6b8edefeb996c81bfd45dedc87fd044de36ac5d4be3abbeb0de6bd5898ade53b1ed370b62e3a3ca4578bfed7b4fb54a4c502538fd

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
memory/2280-3-0x00000000001C0000-0x00000000001CE000-memory.dmp

Filesize
56KB

Download
memory/2280-0-0x000007FEF5623000-0x000007FEF5624000-memory.dmp

Filesize
4KB

Download
memory/2280-4-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/2280-5-0x00000000007D0000-0x00000000007E2000-memory.dmp

Filesize
72KB

Download
memory/2280-2-0x0000000000540000-0x000000000059C000-memory.dmp

Filesize
368KB

Download
memory/2280-1-0x00000000001D0000-0x00000000004CA000-memory.dmp

Filesize
3.0MB

Download
memory/2280-15-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/2644-16-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/2644-17-0x0000000000940000-0x0000000000C3A000-memory.dmp

Filesize
3.0MB

Download
memory/2644-18-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/2644-19-0x0000000000900000-0x0000000000918000-memory.dmp

Filesize
96KB

Download
memory/2644-20-0x00000000005D0000-0x00000000005E0000-memory.dmp

Filesize
64KB

Download
memory/2644-21-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download