orcus | 75bc4d362485bf57a072a62a3c11d6590a38a43598eb1ce259c50a0cb0a578de

General

Target

1.exe
Size

3.0MB
MD5

1c3d920e9083781d881ed09efe737e3e
SHA1

db0d3e1c5622f439265fc49112717e134c9a8d4c
SHA256

75bc4d362485bf57a072a62a3c11d6590a38a43598eb1ce259c50a0cb0a578de
SHA512

526edeffdbcfa77a2179038adef5e624e18e20413ec789f41f427dd71cb33dacf827c4a505b31cd5f1e49d164dfd25f21233f2069521f0d8c5b4a4ebf9c4b949
SSDEEP

49152:GXbEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmlcrZEu:GXbtODUKTslWp2MpbfGGilIJPypSbxEb

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

Ezling-25441.portmap.host:25441

Mutex

d9a68a06158a4170bbc5f456a7f7076a

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016d33-25.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016d33-25.dat	orcus
behavioral1/memory/2228-29-0x0000000001100000-0x00000000013FA000-memory.dmp	orcus

Executes dropped EXE 1 IoCs

pid	Process
2228	Orcus.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe	1.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	1.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2228	Orcus.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2228	Orcus.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2228	Orcus.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2712	1992	1.exe	30
PID 1992 wrote to memory of 2712	1992	1.exe	30
PID 1992 wrote to memory of 2712	1992	1.exe	30
PID 2712 wrote to memory of 2832	2712	csc.exe	32
PID 2712 wrote to memory of 2832	2712	csc.exe	32
PID 2712 wrote to memory of 2832	2712	csc.exe	32
PID 1992 wrote to memory of 2228	1992	1.exe	33
PID 1992 wrote to memory of 2228	1992	1.exe	33
PID 1992 wrote to memory of 2228	1992	1.exe	33

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a6ii3xi8.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7B58.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7B57.tmp"
    3⤵
    PID:2832
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
3.0MB

MD5
1c3d920e9083781d881ed09efe737e3e

SHA1
db0d3e1c5622f439265fc49112717e134c9a8d4c

SHA256
75bc4d362485bf57a072a62a3c11d6590a38a43598eb1ce259c50a0cb0a578de

SHA512
526edeffdbcfa77a2179038adef5e624e18e20413ec789f41f427dd71cb33dacf827c4a505b31cd5f1e49d164dfd25f21233f2069521f0d8c5b4a4ebf9c4b949

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
349B

MD5
89817519e9e0b4e703f07e8c55247861

SHA1
4636de1f6c997a25c3190f73f46a3fd056238d78

SHA256
f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13

SHA512
b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7B58.tmp

Filesize
1KB

MD5
c0b37536e059792f753db14ce6d29cc7

SHA1
e41962d22c568e4dec7f4c41a31c3443b6598454

SHA256
34eb6920f3db789e7ccae98bff3f6730374352ffca686f6b5022992961c934d5

SHA512
204e78c0f1f227b43bb6a7ccde890d1f35135d74f465a09bec6075dbeec5ac90847d12b966f16af2f5da6ee294776f57ab6b7b56537df7fe9c8be69cb965d049

Download Submit
C:\Users\Admin\AppData\Local\Temp\a6ii3xi8.dll

Filesize
76KB

MD5
032d6e1c065bf0a5c6964a8180626a0b

SHA1
1cc39aafda697317b30002bab6775c9c5af128d9

SHA256
c752e62a1c59f8d7fc9699ece8eb279dc11dd5e7b668369f1cb0aa333db57134

SHA512
bf1faf2ff2bf581811c6dca09601090efe8c6b051afcbc9a271b5f7fdf5393cc29075bf7c532e7e46177c4a2efcbbd1158c4a0b2e9914cbfe3501218a9c0aae9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC7B57.tmp

Filesize
676B

MD5
74cee484c7d42b4208d6dbb65ceabcee

SHA1
0ac627070bb6c1523ccfae0a20ed69bec772c824

SHA256
9cd992801b61b30bd04c02ffd08526e342e13638a466c5d22b72bac69234f9de

SHA512
d503555afc14c7e833b97ffb5f485bd7be10545089ed0f3ce1bb001bb81541acc333f262e319cef16712a9f71330b528059b732860147b9bd13e4f6614f76cae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\a6ii3xi8.0.cs

Filesize
208KB

MD5
e0e546d7fd3c64e5b22b3353b204dd11

SHA1
5d5c49a6e788d4158b02ee7e108f21e70e38abe3

SHA256
a0905feb0f6f707877d65ee30bda55e361097b26cda6dde06bb0a56cb0ec3639

SHA512
2f4a3b28d81b9ddf7e288e65d78867c35cce06e69c4891aaed3e1a06e46b704636f0c8ab2653550ce3b0a42d2c624f30d331be96560978d7e151478962b1466a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\a6ii3xi8.cmdline

Filesize
349B

MD5
90882734497f238e121434eba330ce49

SHA1
7ec72f19ad1c3d23b9f834881ec13c787a3dc717

SHA256
295576c8d7c6e031926803c5459e750957f8cc16378a6b9509ccb7d9a4084c0a

SHA512
17aed657c5f8bf10ec04a71a5107287f579afc56ea4c82b6299fa7f3b716461230269c1bcc74b2aacc5736e58665b019f3cc6278623f45c63f1b08748ceff751

Download Submit
memory/1992-4-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

Filesize
9.6MB

Download
memory/1992-17-0x00000000022C0000-0x00000000022D6000-memory.dmp

Filesize
88KB

Download
memory/1992-0-0x000007FEF5AFE000-0x000007FEF5AFF000-memory.dmp

Filesize
4KB

Download
memory/1992-1-0x0000000000940000-0x000000000099C000-memory.dmp

Filesize
368KB

Download
memory/1992-2-0x0000000000380000-0x000000000038E000-memory.dmp

Filesize
56KB

Download
memory/1992-20-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/1992-27-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

Filesize
9.6MB

Download
memory/1992-3-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

Filesize
9.6MB

Download
memory/2228-30-0x0000000000190000-0x00000000001A2000-memory.dmp

Filesize
72KB

Download
memory/2228-29-0x0000000001100000-0x00000000013FA000-memory.dmp

Filesize
3.0MB

Download
memory/2228-31-0x00000000003B0000-0x00000000003C8000-memory.dmp

Filesize
96KB

Download
memory/2228-32-0x0000000000180000-0x0000000000190000-memory.dmp

Filesize
64KB

Download
memory/2712-19-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

Filesize
9.6MB

Download
memory/2712-33-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing