orcus | 75bc4d362485bf57a072a62a3c11d6590a38a43598eb1ce259c50a0cb0a578de

General

Target

1.exe
Size

3.0MB
MD5

1c3d920e9083781d881ed09efe737e3e
SHA1

db0d3e1c5622f439265fc49112717e134c9a8d4c
SHA256

75bc4d362485bf57a072a62a3c11d6590a38a43598eb1ce259c50a0cb0a578de
SHA512

526edeffdbcfa77a2179038adef5e624e18e20413ec789f41f427dd71cb33dacf827c4a505b31cd5f1e49d164dfd25f21233f2069521f0d8c5b4a4ebf9c4b949
SSDEEP

49152:GXbEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmlcrZEu:GXbtODUKTslWp2MpbfGGilIJPypSbxEb

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

Ezling-25441.portmap.host:25441

Mutex

d9a68a06158a4170bbc5f456a7f7076a

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023c8a-29.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023c8a-29.dat	orcus
behavioral2/memory/1316-40-0x00000000009B0000-0x0000000000CAA000-memory.dmp	orcus

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	1.exe

Executes dropped EXE 1 IoCs

pid	Process
1316	Orcus.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe	1.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	1.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1316	Orcus.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1316	Orcus.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1316	Orcus.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 3352	4748	1.exe	85
PID 4748 wrote to memory of 3352	4748	1.exe	85
PID 3352 wrote to memory of 928	3352	csc.exe	87
PID 3352 wrote to memory of 928	3352	csc.exe	87
PID 4748 wrote to memory of 1316	4748	1.exe	88
PID 4748 wrote to memory of 1316	4748	1.exe	88

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\_7f0eldu.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3352
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDC19.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDC18.tmp"
    3⤵
    PID:928
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
3.0MB

MD5
1c3d920e9083781d881ed09efe737e3e

SHA1
db0d3e1c5622f439265fc49112717e134c9a8d4c

SHA256
75bc4d362485bf57a072a62a3c11d6590a38a43598eb1ce259c50a0cb0a578de

SHA512
526edeffdbcfa77a2179038adef5e624e18e20413ec789f41f427dd71cb33dacf827c4a505b31cd5f1e49d164dfd25f21233f2069521f0d8c5b4a4ebf9c4b949

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
349B

MD5
89817519e9e0b4e703f07e8c55247861

SHA1
4636de1f6c997a25c3190f73f46a3fd056238d78

SHA256
f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13

SHA512
b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDC19.tmp

Filesize
1KB

MD5
ae394c027f7561046e2fedc4821e7ef3

SHA1
f3afd7b9df102ed2e4157ae46070729b557eb0f8

SHA256
ea09f644e99986f6ac4136823da5444b5cd3e28a19380476795454828a81feef

SHA512
1fd237471e6297697180a152cea7b31b8f77e3fb79de600940860ad50e2383704e2e759f42868479348ba192c30ff3871cb82ef45b9026d4d3f4aadcb2422229

Download Submit
C:\Users\Admin\AppData\Local\Temp\_7f0eldu.dll

Filesize
76KB

MD5
8dc40404865f713f8bef90cefcc9e39c

SHA1
dfd51e30ae4530e640bb196442d8127aa415f87c

SHA256
c089f92ae6839c020a1ba7ec9a4eab2d1273acae2af680add0911dd4c54e6297

SHA512
82bb5d07678d3898c9474a90bf8b716d451d970e4fe1e8c42b1d844d09b5660f6948fccae1aec255be2bfccde79fd3e2c35e66d395509d611ddcaf0e5da16371

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCDC18.tmp

Filesize
676B

MD5
99e96b6c133372c088cd1d762ff682b0

SHA1
da6804772f73ac741036bef035a0e2952e7616a6

SHA256
93682f9e052032ba20aa264d501ce43ffc1c86212c530fa22a7872e0e6430002

SHA512
3e9fc9b55fcfb194a4bea1a670f74ac0aebe732ce2dc32ab9620e0f168406995ceec1672399b3b73942a27c6d6c10433b7e539a6d76a32afaad896f3701a9de0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\_7f0eldu.0.cs

Filesize
208KB

MD5
5aa65a57f40f2f085342cc405eb57175

SHA1
e1689c4737f27b670c61e1f84ff994d41791b291

SHA256
12f4d18d1ddfd3c7b000e14bd9f56ad9eb816a96553d212683be9f7c94fc1dfa

SHA512
c92afcfa5e57ac8bada150a57a48bd43ddc2bf2e0aa7acc14dbfdc6c9ccde8186f11823ef47d1a2575a08f6d4e0e4f268d01060eb56fd8f40b17475626daa43e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\_7f0eldu.cmdline

Filesize
349B

MD5
ac2602c1cfa2f8231def2b66c9fe18c1

SHA1
e7416920996e07a45d5fae29e117e2e5cee7ab99

SHA256
19be194b14a17f15959807d62d55f93c9676ea40ef80a94a737c045d6617f829

SHA512
d4f02059b56b9cb1906661a2c47f1c43e6fc3f064f1b2e3a2405d05f3354ae5c474f286bdeb198ecd8ff8891c1d9138140865cec3343e213643c8eb0089bbed2

Download Submit
memory/1316-41-0x000000001B920000-0x000000001B938000-memory.dmp

Filesize
96KB

Download
memory/1316-40-0x00000000009B0000-0x0000000000CAA000-memory.dmp

Filesize
3.0MB

Download
memory/1316-37-0x00007FFF95973000-0x00007FFF95975000-memory.dmp

Filesize
8KB

Download
memory/1316-42-0x000000001B900000-0x000000001B910000-memory.dmp

Filesize
64KB

Download
memory/1316-43-0x00007FFF95973000-0x00007FFF95975000-memory.dmp

Filesize
8KB

Download
memory/3352-14-0x00007FFF98980000-0x00007FFF99321000-memory.dmp

Filesize
9.6MB

Download
memory/3352-19-0x00007FFF98980000-0x00007FFF99321000-memory.dmp

Filesize
9.6MB

Download
memory/4748-6-0x00007FFF98980000-0x00007FFF99321000-memory.dmp

Filesize
9.6MB

Download
memory/4748-23-0x000000001CD20000-0x000000001CD32000-memory.dmp

Filesize
72KB

Download
memory/4748-21-0x000000001CD40000-0x000000001CD56000-memory.dmp

Filesize
88KB

Download
memory/4748-0-0x00007FFF98C35000-0x00007FFF98C36000-memory.dmp

Filesize
4KB

Download
memory/4748-39-0x00007FFF98980000-0x00007FFF99321000-memory.dmp

Filesize
9.6MB

Download
memory/4748-5-0x000000001CC40000-0x000000001CCDC000-memory.dmp

Filesize
624KB

Download
memory/4748-4-0x000000001C6D0000-0x000000001CB9E000-memory.dmp

Filesize
4.8MB

Download
memory/4748-3-0x00000000018B0000-0x00000000018BE000-memory.dmp

Filesize
56KB

Download
memory/4748-2-0x000000001BDE0000-0x000000001BE3C000-memory.dmp

Filesize
368KB

Download
memory/4748-1-0x00007FFF98980000-0x00007FFF99321000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing