orcus | 75bc4d362485bf57a072a62a3c11d6590a38a43598eb1ce259c50a0cb0a578de

General

Target

1.exe
Size

3.0MB
MD5

1c3d920e9083781d881ed09efe737e3e
SHA1

db0d3e1c5622f439265fc49112717e134c9a8d4c
SHA256

75bc4d362485bf57a072a62a3c11d6590a38a43598eb1ce259c50a0cb0a578de
SHA512

526edeffdbcfa77a2179038adef5e624e18e20413ec789f41f427dd71cb33dacf827c4a505b31cd5f1e49d164dfd25f21233f2069521f0d8c5b4a4ebf9c4b949
SSDEEP

49152:GXbEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmlcrZEu:GXbtODUKTslWp2MpbfGGilIJPypSbxEb

Score

10^/10

orcus discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

Ezling-25441.portmap.host:25441

Mutex

d9a68a06158a4170bbc5f456a7f7076a

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

Processes:

resource	yara_rule
C:\Program Files\Orcus\Orcus.exe	family_orcus

Orcurs Rat Executable 2 IoCs

Processes:

resource	yara_rule
C:\Program Files\Orcus\Orcus.exe	orcus
behavioral1/memory/4616-39-0x0000000000620000-0x000000000091A000-memory.dmp	orcus

Executes dropped EXE 1 IoCs

Processes:

Orcus.exe

pid process

4616 Orcus.exe

pid	process
4616	Orcus.exe

Drops file in Program Files directory 4 IoCs

Processes:

1.exeOrcus.exe

description	ioc	process
File created	C:\Program Files\Orcus\Orcus.exe.config	1.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	Orcus.exe
File created	C:\Program Files\Orcus\Orcus.exe	1.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXE

pid process

3380 PING.EXE
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3380 PING.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Orcus.exe

pid process

4616 Orcus.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Orcus.exe

pid process

4616 Orcus.exe

pid	process
3380	PING.EXE

pid	process
3380	PING.EXE

pid	process
4616	Orcus.exe

pid	process
4616	Orcus.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

1.execsc.exeOrcus.execmd.exe

description	pid	process	target process
PID 2036 wrote to memory of 2596	2036	1.exe	csc.exe
PID 2036 wrote to memory of 2596	2036	1.exe	csc.exe
PID 2596 wrote to memory of 3612	2596	csc.exe	cvtres.exe
PID 2596 wrote to memory of 3612	2596	csc.exe	cvtres.exe
PID 2036 wrote to memory of 4616	2036	1.exe	Orcus.exe
PID 2036 wrote to memory of 4616	2036	1.exe	Orcus.exe
PID 4616 wrote to memory of 4580	4616	Orcus.exe	cmd.exe
PID 4616 wrote to memory of 4580	4616	Orcus.exe	cmd.exe
PID 4580 wrote to memory of 3380	4580	cmd.exe	PING.EXE
PID 4580 wrote to memory of 3380	4580	cmd.exe	PING.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\k3gltusy.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA682.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA652.tmp"
    3⤵
    PID:3612
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{960ef41a-d7b2-4461-93d4-b381d5eaa6be}.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
3.0MB

MD5
1c3d920e9083781d881ed09efe737e3e

SHA1
db0d3e1c5622f439265fc49112717e134c9a8d4c

SHA256
75bc4d362485bf57a072a62a3c11d6590a38a43598eb1ce259c50a0cb0a578de

SHA512
526edeffdbcfa77a2179038adef5e624e18e20413ec789f41f427dd71cb33dacf827c4a505b31cd5f1e49d164dfd25f21233f2069521f0d8c5b4a4ebf9c4b949

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
349B

MD5
89817519e9e0b4e703f07e8c55247861

SHA1
4636de1f6c997a25c3190f73f46a3fd056238d78

SHA256
f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13

SHA512
b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA682.tmp

Filesize
1KB

MD5
d30ca1d8a0fd584ecdc4855d72207001

SHA1
6095452f2f5e11a0907b09494160c3b34324fc6c

SHA256
b73182a0f1f4c9e66c078c9f661d4084da2e80fedf4d1c42a19aaad0e3ad2b4b

SHA512
50eb2360951a61af2d6a8c2b34e4d00b1953d176ea87c74bac1b74e66e9235f91749b2d20ef20ebe930cac6b0a89d31237cd8a9f31ce6ba3a450e02aa857b081

Download Submit
C:\Users\Admin\AppData\Local\Temp\k3gltusy.dll

Filesize
76KB

MD5
9fa89c03be5699f735961289dc677122

SHA1
cbfd0f8cd2569f28b8bfc16652d96366cd305a17

SHA256
977c3470f8edf2365a654719d09219b61a1dd6dd801dccc41a14b57dbd0a6003

SHA512
6d6ee0e0947866571d6cd576fbc6f9af1b93893d4719a1ec2a13504848b2795c95cf702b8d8a27c618a0aad9e9f59a02e8716e32c8b11fc5e39b1ca2fd82e60e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{960ef41a-d7b2-4461-93d4-b381d5eaa6be}.bat

Filesize
171B

MD5
435a5054d6dae160b6aca42bd2aa7701

SHA1
66d11abc8c2f60db12b67d46ca928b1098837fd2

SHA256
4a53d1acafcccec3397e0a2bb68e1b66a8a5f2b372782aa66ca8512c22c3c62a

SHA512
9975e228013f2710bfe35cc29433a055538746596c0e7ce5f80010c04a414b7c156646187072097d368be5ab6745f0b374c9358c6847137d0dbbb644de5affc2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA652.tmp

Filesize
676B

MD5
5d205f3090cf709421cfa059163b85d9

SHA1
e1f6dd581cf22c4aa9d2e1b3ac2211c476640659

SHA256
1d09cabb174054522a8c01dd1cbdec03aeb40272263dec814c2c75bbe0b3921a

SHA512
4297b185803fc12c6955ae14cc421bcc59487e4b355745dd7af72017156224fe8e20110d9986ff0cb4e2eb5810e9b0dc7ac8a747f414a97a92eafe505d5f08c6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k3gltusy.0.cs

Filesize
208KB

MD5
3abf482dc571b66a2cf536d09dbed262

SHA1
04036637a5c64d75953923cecbd57533de3c3223

SHA256
6fab2d7c797b5b46fbfdb1bdfd5b85b614ba422c1166f0b492d624c098c91724

SHA512
fb9bdb2705118eb20ced29f2b5cdec1ae6b0bc3f9b6658780bf14f65736e4e907fd80eb5cc7cbe3f86ca039823dd2e22da94d7ba0654528aab188c4d20f01468

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k3gltusy.cmdline

Filesize
349B

MD5
c595aadb99aaa6b3f1bac645c4db2609

SHA1
514f027469c393e3f74187828d1b338867e07049

SHA256
d168e3ca832571ea694f297a7e7d31fcf940138883c7a5a864baa39714642938

SHA512
92e3fde7091f31f1cf243aaed55a4710bdf95c6eb1adfee9beb477a710ca0b50b2a1ea254043b017e5d78ba1d15a2661b6830b8a149892956f8d6e066ce550c1

Download Submit
memory/2036-21-0x000000001CF80000-0x000000001CF96000-memory.dmp

Filesize
88KB

Download
memory/2036-40-0x00007FFC6FEB0000-0x00007FFC70851000-memory.dmp

Filesize
9.6MB

Download
memory/2036-6-0x000000001CE90000-0x000000001CF2C000-memory.dmp

Filesize
624KB

Download
memory/2036-5-0x000000001C9C0000-0x000000001CE8E000-memory.dmp

Filesize
4.8MB

Download
memory/2036-4-0x00007FFC6FEB0000-0x00007FFC70851000-memory.dmp

Filesize
9.6MB

Download
memory/2036-0-0x00007FFC70165000-0x00007FFC70166000-memory.dmp

Filesize
4KB

Download
memory/2036-23-0x000000001C1D0000-0x000000001C1E2000-memory.dmp

Filesize
72KB

Download
memory/2036-3-0x0000000001BE0000-0x0000000001BEE000-memory.dmp

Filesize
56KB

Download
memory/2036-2-0x000000001C020000-0x000000001C07C000-memory.dmp

Filesize
368KB

Download
memory/2036-1-0x00007FFC6FEB0000-0x00007FFC70851000-memory.dmp

Filesize
9.6MB

Download
memory/2596-19-0x00007FFC6FEB0000-0x00007FFC70851000-memory.dmp

Filesize
9.6MB

Download
memory/2596-12-0x00007FFC6FEB0000-0x00007FFC70851000-memory.dmp

Filesize
9.6MB

Download
memory/4616-39-0x0000000000620000-0x000000000091A000-memory.dmp

Filesize
3.0MB

Download
memory/4616-41-0x00000000011F0000-0x0000000001202000-memory.dmp

Filesize
72KB

Download
memory/4616-42-0x0000000001200000-0x0000000001218000-memory.dmp

Filesize
96KB

Download
memory/4616-43-0x0000000002C60000-0x0000000002C70000-memory.dmp

Filesize
64KB

Download
memory/4616-44-0x000000001E4A0000-0x000000001E4B2000-memory.dmp

Filesize
72KB

Download
memory/4616-45-0x000000001E500000-0x000000001E53C000-memory.dmp

Filesize
240KB

Download
memory/4616-46-0x000000001E650000-0x000000001E75A000-memory.dmp

Filesize
1.0MB

Download
memory/4616-47-0x000000001E540000-0x000000001E58E000-memory.dmp

Filesize
312KB

Download
memory/4616-38-0x00007FFC6DAB3000-0x00007FFC6DAB5000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads