orcus | a91db08cd243f4a8186026af1a99ea3d5c90ed868fb54c4465b115c8ec20c06d

General

Target

123.exe
Size

3.0MB
MD5

07240cd6ba75c9de0b73c89e44d95b7a
SHA1

2081431367f5ecfcd338becc676dfdfc09324329
SHA256

a91db08cd243f4a8186026af1a99ea3d5c90ed868fb54c4465b115c8ec20c06d
SHA512

56fb58adc517326ecc8bdbade7a36fc14a47c5c1c6aecd6ca27b58c623b502d0c667d9fcb67db46dcdd397d1821b96ed350166451572e54fae2b6897df2d7ca9
SSDEEP

49152:snwEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmm8crZEu:snwtODUKTslWp2MpbfGGilIJPypSbxEe

Score

10^/10

orcus discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

10.9.173.50:1337

Mutex

c7a29885defe4dd8a65fbed3f3afa030

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0009000000023c9e-29.dat	family_orcus

Orcurs Rat Executable 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0009000000023c9e-29.dat	orcus
behavioral1/memory/1148-40-0x0000000000BD0000-0x0000000000ECA000-memory.dmp	orcus

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

123.exeOrcus.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	123.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Orcus.exe

Executes dropped EXE 1 IoCs

Processes:

Orcus.exe

pid	Process
1148	Orcus.exe

Drops file in Program Files directory 4 IoCs

Processes:

123.exeOrcus.exe

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe.config	123.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	Orcus.exe
File created	C:\Program Files\Orcus\Orcus.exe	123.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	123.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXE

pid	Process
2592	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
2592	PING.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Orcus.exe

pid	Process
1148	Orcus.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Orcus.exe

pid	Process
1148	Orcus.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

123.execsc.exeOrcus.execmd.exe

description	pid	Process	procid_target
PID 2700 wrote to memory of 2008	2700	123.exe	87
PID 2700 wrote to memory of 2008	2700	123.exe	87
PID 2008 wrote to memory of 2280	2008	csc.exe	89
PID 2008 wrote to memory of 2280	2008	csc.exe	89
PID 2700 wrote to memory of 1148	2700	123.exe	90
PID 2700 wrote to memory of 1148	2700	123.exe	90
PID 1148 wrote to memory of 3116	1148	Orcus.exe	92
PID 1148 wrote to memory of 3116	1148	Orcus.exe	92
PID 3116 wrote to memory of 2592	3116	cmd.exe	94
PID 3116 wrote to memory of 2592	3116	cmd.exe	94
PID 3116 wrote to memory of 4272	3116	cmd.exe	99
PID 3116 wrote to memory of 4272	3116	cmd.exe	99
PID 3116 wrote to memory of 3632	3116	cmd.exe	100
PID 3116 wrote to memory of 3632	3116	cmd.exe	100
PID 3116 wrote to memory of 836	3116	cmd.exe	101
PID 3116 wrote to memory of 836	3116	cmd.exe	101
PID 3116 wrote to memory of 1524	3116	cmd.exe	102
PID 3116 wrote to memory of 1524	3116	cmd.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\123.exe
"C:\Users\Admin\AppData\Local\Temp\123.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rawuupc0.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD92B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD92A.tmp"
    3⤵
    PID:2280
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{ad75a0f9-0cec-4892-b265-b0d428c70c57}.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3116
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2592
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo j "
      4⤵
      PID:4272
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" del "C:\Program Files\Orcus\Orcus.exe""
      4⤵
      PID:3632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo j "
      4⤵
      PID:836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" del C:\Users\Admin\AppData\Local\Temp\{ad75a0f9-0cec-4892-b265-b0d428c70c57}.bat"
      4⤵
      PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
3.0MB

MD5
07240cd6ba75c9de0b73c89e44d95b7a

SHA1
2081431367f5ecfcd338becc676dfdfc09324329

SHA256
a91db08cd243f4a8186026af1a99ea3d5c90ed868fb54c4465b115c8ec20c06d

SHA512
56fb58adc517326ecc8bdbade7a36fc14a47c5c1c6aecd6ca27b58c623b502d0c667d9fcb67db46dcdd397d1821b96ed350166451572e54fae2b6897df2d7ca9

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
349B

MD5
89817519e9e0b4e703f07e8c55247861

SHA1
4636de1f6c997a25c3190f73f46a3fd056238d78

SHA256
f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13

SHA512
b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD92B.tmp

Filesize
1KB

MD5
1379baad35398ad9098d32cae01eefd1

SHA1
9745d36528f597fda7af5798a303cbbd24213a3c

SHA256
51b359b08bb99962cb82a03f828f92b79dc48cdbb26021413dec2bb6e0150b54

SHA512
10fa38e6f892135166b064421711dffeef344b53986455e82eeffd088a74c6338bf5caed7ca75b71b4498f89353770892001f216341a9ab1b8328003f1d12304

Download Submit
C:\Users\Admin\AppData\Local\Temp\rawuupc0.dll

Filesize
76KB

MD5
28e0a23e88eb1d97634590961192b740

SHA1
39fb97d81e9f66771eca2248b37ffbb12e9d51a9

SHA256
44542dbc76f69aed83b551a2d527568a2e16a2547238ab7786d55bd061e662fb

SHA512
f8619edf99dd4e8ba337f908de0d86a1679f0dc2162b64e9c69da6092b3ccfa29421a1b0635415d420ca1b5a546b16373fa750e52328e75214b3af248cc501a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\{ad75a0f9-0cec-4892-b265-b0d428c70c57}.bat

Filesize
171B

MD5
e751217cff5730374b5a2fddad6e4f85

SHA1
b164216cc6272fcd7f28ab9c897f667fcd6f7d49

SHA256
763bd53084a61d4353867c95b88b1abbd47788bd9ba2bec104f2f343ff548805

SHA512
9551eeb366508d1ac9e81f270f94d0a5f94918487fb1776879b5ea481b51a5c7b6f3f03280b47cf0705e513b584a632a42ec5a242ddafe712dddd2e1fcb5eb1b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCD92A.tmp

Filesize
676B

MD5
a9764b8ce667f93f88a032d8ab19e5d7

SHA1
df915bffb219b609d1ff8821ad807ac626da2a4b

SHA256
14e53a4fc7a53b0b79b609e0a56bbf9134f93339f7a12f015764d8a32f7d2e6c

SHA512
ec489db66cc113a9a38d19cf4a923a9a47ae611e786d85e38de3e6b3298b168922cd46c36fa8e5466d797047473b6e11d2d1073bc0e8cd6d175e911d7717d6b4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rawuupc0.0.cs

Filesize
208KB

MD5
3e8e2817e9959f7ec9cf4dbf1037cd0e

SHA1
b79d1f71debed6963ea6eeef57b725fa843c89b0

SHA256
b20cbf786cc6f391b5ec791c9e1806a2a33cb48fe7654f951e4f616baa0b3093

SHA512
f18ef3b8451c455c894ad56f0ca4d90d68d3696cce8e88c7e8af88e60b8ddeae7c1509bba07a4ad5758e245e237c6e70162a13ca7c594ab94ab49e89e4e9fd6f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rawuupc0.cmdline

Filesize
349B

MD5
32c119b03be146852de337718bc43e12

SHA1
af2b4370afb9b26a900c913bb647166e1524e572

SHA256
ff726f8447c83bfea0cf39d15fbd97a1f9d449fbc2294c784a78f3e935af1978

SHA512
50d14bad4acdf55ccdb3b00cff02c30c68d6ad0150bfd2176c721cdfdb798f27bfe28d04e28b77d28d205096438049e4709ccc400aa07d9f9d335646e4fb6025

Download Submit
memory/1148-41-0x00000000030E0000-0x00000000030F2000-memory.dmp

Filesize
72KB

Download
memory/1148-40-0x0000000000BD0000-0x0000000000ECA000-memory.dmp

Filesize
3.0MB

Download
memory/1148-48-0x000000001F680000-0x000000001F6CE000-memory.dmp

Filesize
312KB

Download
memory/1148-47-0x000000001F790000-0x000000001F89A000-memory.dmp

Filesize
1.0MB

Download
memory/1148-46-0x000000001F640000-0x000000001F67C000-memory.dmp

Filesize
240KB

Download
memory/1148-45-0x000000001D5E0000-0x000000001D5F2000-memory.dmp

Filesize
72KB

Download
memory/1148-44-0x00007FFD08A53000-0x00007FFD08A55000-memory.dmp

Filesize
8KB

Download
memory/1148-38-0x00007FFD08A53000-0x00007FFD08A55000-memory.dmp

Filesize
8KB

Download
memory/1148-43-0x00000000030D0000-0x00000000030E0000-memory.dmp

Filesize
64KB

Download
memory/1148-42-0x00000000030F0000-0x0000000003108000-memory.dmp

Filesize
96KB

Download
memory/2008-15-0x00007FFD0BA60000-0x00007FFD0C401000-memory.dmp

Filesize
9.6MB

Download
memory/2008-19-0x00007FFD0BA60000-0x00007FFD0C401000-memory.dmp

Filesize
9.6MB

Download
memory/2700-21-0x000000001CB60000-0x000000001CB76000-memory.dmp

Filesize
88KB

Download
memory/2700-0-0x00007FFD0BD15000-0x00007FFD0BD16000-memory.dmp

Filesize
4KB

Download
memory/2700-39-0x00007FFD0BA60000-0x00007FFD0C401000-memory.dmp

Filesize
9.6MB

Download
memory/2700-2-0x000000001BD20000-0x000000001BD7C000-memory.dmp

Filesize
368KB

Download
memory/2700-3-0x00000000016C0000-0x00000000016CE000-memory.dmp

Filesize
56KB

Download
memory/2700-23-0x000000001BBE0000-0x000000001BBF2000-memory.dmp

Filesize
72KB

Download
memory/2700-6-0x000000001CAC0000-0x000000001CB5C000-memory.dmp

Filesize
624KB

Download
memory/2700-5-0x000000001C550000-0x000000001CA1E000-memory.dmp

Filesize
4.8MB

Download
memory/2700-4-0x00007FFD0BA60000-0x00007FFD0C401000-memory.dmp

Filesize
9.6MB

Download
memory/2700-1-0x00007FFD0BA60000-0x00007FFD0C401000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads