orcus | 481449cf6fc783f0ec2057882640f1952ceaf8c34ddcd26ed76d20654cb30374

General

Target

123123123qw3qew.exe
Size

903KB
MD5

ac40df4b922b8476be86ce4f3b4576d1
SHA1

b7b4ba3424288ae52178b0190574b252a7f9cdbe
SHA256

481449cf6fc783f0ec2057882640f1952ceaf8c34ddcd26ed76d20654cb30374
SHA512

579e71de8c28d0eebcb7324e298d110837f9d41423a77576fef21ee4044fe584c280b4c82a9c3da083885404b0148cc81b15d0b2f0b16bcc23407c91ee9966ab
SSDEEP

12288:hTUZ/Y95eo6L4ce7dG1lFlWcYT70pxnnaaoawZRVcTqSA+9rZNrI0AilFEvxHvBu:xqI4MROxnFMLqrZlI0AilFEvxHi9B

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

act-predictions.gl.at.ply.gg:53002

Mutex

ccda6c301bcc4bffbcfcf707e51e3319

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x00080000000233e4-37.dat	family_orcus

Orcurs Rat Executable 2 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x00080000000233e4-37.dat	orcus
behavioral2/memory/880-46-0x0000000000DF0000-0x0000000000ED8000-memory.dmp	orcus

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

123123123qw3qew.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	123123123qw3qew.exe

Executes dropped EXE 1 IoCs

Processes:

Orcus.exe

pid	Process
880	Orcus.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

123123123qw3qew.exe

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	123123123qw3qew.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	123123123qw3qew.exe

Drops file in Program Files directory 3 IoCs

Processes:

123123123qw3qew.exe

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe	123123123qw3qew.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	123123123qw3qew.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	123123123qw3qew.exe

Drops file in Windows directory 3 IoCs

Processes:

123123123qw3qew.exe

description	ioc	Process
File opened for modification	C:\Windows\assembly	123123123qw3qew.exe
File created	C:\Windows\assembly\Desktop.ini	123123123qw3qew.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	123123123qw3qew.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Orcus.exeAUDIODG.EXE

description	pid	Process
Token: SeDebugPrivilege	880	Orcus.exe
Token: 33	2264	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2264	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Orcus.exe

pid	Process
880	Orcus.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Orcus.exe

pid	Process
880	Orcus.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

123123123qw3qew.execsc.exe

description	pid	Process	procid_target
PID 2708 wrote to memory of 4532	2708	123123123qw3qew.exe	84
PID 2708 wrote to memory of 4532	2708	123123123qw3qew.exe	84
PID 4532 wrote to memory of 4588	4532	csc.exe	86
PID 4532 wrote to memory of 4588	4532	csc.exe	86
PID 2708 wrote to memory of 880	2708	123123123qw3qew.exe	97
PID 2708 wrote to memory of 880	2708	123123123qw3qew.exe	97

C:\Users\Admin\AppData\Local\Temp\123123123qw3qew.exe
"C:\Users\Admin\AppData\Local\Temp\123123123qw3qew.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zkleu5if.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA85.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCA84.tmp"
    3⤵
    PID:4588
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:880

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4 0x2c8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
903KB

MD5
ac40df4b922b8476be86ce4f3b4576d1

SHA1
b7b4ba3424288ae52178b0190574b252a7f9cdbe

SHA256
481449cf6fc783f0ec2057882640f1952ceaf8c34ddcd26ed76d20654cb30374

SHA512
579e71de8c28d0eebcb7324e298d110837f9d41423a77576fef21ee4044fe584c280b4c82a9c3da083885404b0148cc81b15d0b2f0b16bcc23407c91ee9966ab

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCA85.tmp

Filesize
1KB

MD5
895f04d3aba7303f15b61f59306da477

SHA1
ba3296794a43cc0cd2d3b552e36f31b18c37d774

SHA256
ff4608271247e501df755199a5544dfbfb0491b1e427a451aca4142c6ad433d1

SHA512
4051484c85fbcb51d4e1d552c848d55322bf7d2cd71ce1fe97024aedabaa7a70f37fe5371559620ee62bbf2e881b7d86f2adb492f7559657f1da6ea172694c80

Download Submit
C:\Users\Admin\AppData\Local\Temp\zkleu5if.dll

Filesize
76KB

MD5
bc3780aabdf1b82e7bbeff2a3cd7a478

SHA1
392ea16e5078bcaebdd807050afc6e3e3fbc8bd4

SHA256
8ceddc55101440f4f971f20d6812f4898822e612c5c94e898564d752b6fb8132

SHA512
1cd47aa847da05b97ac9daa4eb9ed5b42b5cbfcc574c2e938e7cd94aa10c9d2c7befa2f23240b3d87e2b74352eef025d7d25caa1c6348f14aed7bfd7a528465b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCCA84.tmp

Filesize
676B

MD5
ddb855905f20de9e2b67620a99a15180

SHA1
5828e55e350c6b0f4ed76f421457362b539c1dcd

SHA256
4291a7ef8040eb3ee8a8b90097686e4e462792e5ee220f587c83da2c45c4d271

SHA512
474679ec2c7fc68bb2e30caf2dd25c0b57d8d4171cefb6a7d7f5e0382132eae66355dcafcfdb0c3066502c5f332d49a1997a1782965771508e8049fea699b19b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zkleu5if.0.cs

Filesize
208KB

MD5
ec7e3399714d12bc8afbf633e0034a0b

SHA1
069c920a559b527794688d56368cbcb7b5e418bf

SHA256
6019f89295bef88b281f00942ce80d13961440d03a8cbba80dc37e6f1886c8e0

SHA512
5543ff52eec3d7a3bd2af1473614f96f7992fb873abfbb5a3dfe3d671211b7ed0446982598fb2e2bd1eae1a6c24d6b4aacf2da47afb763bd326aa2e97aa905ba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zkleu5if.cmdline

Filesize
349B

MD5
4c64af7064c7443753e5b15412dbe095

SHA1
a763b04daf0254387240e384ab09afce14760309

SHA256
5fb4e21f104fca324547751e27452134857240886ea42fd8933b9c5357819e21

SHA512
4cc4f286171588e638dbba6dc4839cb73aed2d967ecc509ffeec92381589d68022c0209f6b7bf319e7759dd595112faf44eeb1e8c2489a9741bde44b1cdfdfdd

Download Submit
memory/880-74-0x000000001BF60000-0x000000001BF86000-memory.dmp

Filesize
152KB

Download
memory/880-84-0x000000001D2E0000-0x000000001D366000-memory.dmp

Filesize
536KB

Download
memory/880-64-0x000000001CBC0000-0x000000001CC0A000-memory.dmp

Filesize
296KB

Download
memory/880-48-0x00000000017E0000-0x00000000017F2000-memory.dmp

Filesize
72KB

Download
memory/880-79-0x000000001D180000-0x000000001D2D4000-memory.dmp

Filesize
1.3MB

Download
memory/880-59-0x000000001BF10000-0x000000001BF54000-memory.dmp

Filesize
272KB

Download
memory/880-56-0x000000001CFB0000-0x000000001D172000-memory.dmp

Filesize
1.8MB

Download
memory/880-69-0x000000001CC10000-0x000000001CC6A000-memory.dmp

Filesize
360KB

Download
memory/880-55-0x000000001CCD0000-0x000000001CDDA000-memory.dmp

Filesize
1.0MB

Download
memory/880-54-0x000000001C8C0000-0x000000001C8FC000-memory.dmp

Filesize
240KB

Download
memory/880-53-0x000000001C860000-0x000000001C872000-memory.dmp

Filesize
72KB

Download
memory/880-50-0x00000000017D0000-0x00000000017E0000-memory.dmp

Filesize
64KB

Download
memory/880-49-0x00000000030B0000-0x00000000030C8000-memory.dmp

Filesize
96KB

Download
memory/880-89-0x000000001D450000-0x000000001D52A000-memory.dmp

Filesize
872KB

Download
memory/880-92-0x000000001DB60000-0x000000001E088000-memory.dmp

Filesize
5.2MB

Download
memory/880-46-0x0000000000DF0000-0x0000000000ED8000-memory.dmp

Filesize
928KB

Download
memory/2708-28-0x00007FFE6EB95000-0x00007FFE6EB96000-memory.dmp

Filesize
4KB

Download
memory/2708-23-0x000000001CE60000-0x000000001CE76000-memory.dmp

Filesize
88KB

Download
memory/2708-29-0x00007FFE6E8E0000-0x00007FFE6F281000-memory.dmp

Filesize
9.6MB

Download
memory/2708-0-0x00007FFE6EB95000-0x00007FFE6EB96000-memory.dmp

Filesize
4KB

Download
memory/2708-27-0x00007FFE6E8E0000-0x00007FFE6F281000-memory.dmp

Filesize
9.6MB

Download
memory/2708-26-0x000000001BA30000-0x000000001BA38000-memory.dmp

Filesize
32KB

Download
memory/2708-25-0x000000001BAC0000-0x000000001BAD2000-memory.dmp

Filesize
72KB

Download
memory/2708-47-0x00007FFE6E8E0000-0x00007FFE6F281000-memory.dmp

Filesize
9.6MB

Download
memory/2708-1-0x00007FFE6E8E0000-0x00007FFE6F281000-memory.dmp

Filesize
9.6MB

Download
memory/2708-2-0x000000001BB60000-0x000000001BBBC000-memory.dmp

Filesize
368KB

Download
memory/2708-7-0x000000001C230000-0x000000001C6FE000-memory.dmp

Filesize
4.8MB

Download
memory/2708-8-0x000000001C7A0000-0x000000001C83C000-memory.dmp

Filesize
624KB

Download
memory/2708-6-0x00007FFE6E8E0000-0x00007FFE6F281000-memory.dmp

Filesize
9.6MB

Download
memory/2708-5-0x000000001BD50000-0x000000001BD5E000-memory.dmp

Filesize
56KB

Download
memory/4532-16-0x00007FFE6E8E0000-0x00007FFE6F281000-memory.dmp

Filesize
9.6MB

Download
memory/4532-21-0x00007FFE6E8E0000-0x00007FFE6F281000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads