orcus | a91db08cd243f4a8186026af1a99ea3d5c90ed868fb54c4465b115c8ec20c06d

General

Target

123.exe
Size

3.0MB
MD5

07240cd6ba75c9de0b73c89e44d95b7a
SHA1

2081431367f5ecfcd338becc676dfdfc09324329
SHA256

a91db08cd243f4a8186026af1a99ea3d5c90ed868fb54c4465b115c8ec20c06d
SHA512

56fb58adc517326ecc8bdbade7a36fc14a47c5c1c6aecd6ca27b58c623b502d0c667d9fcb67db46dcdd397d1821b96ed350166451572e54fae2b6897df2d7ca9
SSDEEP

49152:snwEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmm8crZEu:snwtODUKTslWp2MpbfGGilIJPypSbxEe

Score

10^/10

orcus discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

10.9.173.50:1337

Mutex

c7a29885defe4dd8a65fbed3f3afa030

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

Processes:

resource	yara_rule
C:\Program Files\Orcus\Orcus.exe	family_orcus

Orcurs Rat Executable 2 IoCs

Processes:

resource	yara_rule
C:\Program Files\Orcus\Orcus.exe	orcus
behavioral2/memory/2892-40-0x0000000000350000-0x000000000064A000-memory.dmp	orcus

Executes dropped EXE 1 IoCs

Processes:

Orcus.exe

pid process

2892 Orcus.exe

pid	process
2892	Orcus.exe

Drops file in Program Files directory 4 IoCs

Processes:

123.exeOrcus.exe

description	ioc	process
File created	C:\Program Files\Orcus\Orcus.exe	123.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	123.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	123.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	Orcus.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXE

pid process

1848 PING.EXE
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1848 PING.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Orcus.exe

pid process

2892 Orcus.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Orcus.exe

pid process

2892 Orcus.exe

pid	process
1848	PING.EXE

pid	process
1848	PING.EXE

pid	process
2892	Orcus.exe

pid	process
2892	Orcus.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

123.execsc.exeOrcus.execmd.exe

description	pid	process	target process
PID 4064 wrote to memory of 2132	4064	123.exe	csc.exe
PID 4064 wrote to memory of 2132	4064	123.exe	csc.exe
PID 2132 wrote to memory of 2060	2132	csc.exe	cvtres.exe
PID 2132 wrote to memory of 2060	2132	csc.exe	cvtres.exe
PID 4064 wrote to memory of 2892	4064	123.exe	Orcus.exe
PID 4064 wrote to memory of 2892	4064	123.exe	Orcus.exe
PID 2892 wrote to memory of 3768	2892	Orcus.exe	cmd.exe
PID 2892 wrote to memory of 3768	2892	Orcus.exe	cmd.exe
PID 3768 wrote to memory of 1848	3768	cmd.exe	PING.EXE
PID 3768 wrote to memory of 1848	3768	cmd.exe	PING.EXE
PID 3768 wrote to memory of 2780	3768	cmd.exe	cmd.exe
PID 3768 wrote to memory of 2780	3768	cmd.exe	cmd.exe
PID 3768 wrote to memory of 5000	3768	cmd.exe	cmd.exe
PID 3768 wrote to memory of 5000	3768	cmd.exe	cmd.exe
PID 3768 wrote to memory of 3008	3768	cmd.exe	cmd.exe
PID 3768 wrote to memory of 3008	3768	cmd.exe	cmd.exe
PID 3768 wrote to memory of 1060	3768	cmd.exe	cmd.exe
PID 3768 wrote to memory of 1060	3768	cmd.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\123.exe
"C:\Users\Admin\AppData\Local\Temp\123.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b9fmma8z.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE50.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBE4F.tmp"
    3⤵
    PID:2060
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{ccd0917d-3058-4d99-97a3-94c07f603958}.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3768
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo j "
      4⤵
      PID:2780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" del "C:\Program Files\Orcus\Orcus.exe""
      4⤵
      PID:5000
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo j "
      4⤵
      PID:3008
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" del C:\Users\Admin\AppData\Local\Temp\{ccd0917d-3058-4d99-97a3-94c07f603958}.bat"
      4⤵
      PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
3.0MB

MD5
07240cd6ba75c9de0b73c89e44d95b7a

SHA1
2081431367f5ecfcd338becc676dfdfc09324329

SHA256
a91db08cd243f4a8186026af1a99ea3d5c90ed868fb54c4465b115c8ec20c06d

SHA512
56fb58adc517326ecc8bdbade7a36fc14a47c5c1c6aecd6ca27b58c623b502d0c667d9fcb67db46dcdd397d1821b96ed350166451572e54fae2b6897df2d7ca9

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
349B

MD5
89817519e9e0b4e703f07e8c55247861

SHA1
4636de1f6c997a25c3190f73f46a3fd056238d78

SHA256
f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13

SHA512
b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBE50.tmp

Filesize
1KB

MD5
1c792f65be92f30f05d5829f311e6095

SHA1
47cf1d733e298d13188d469a2a46c4dc57f3d845

SHA256
7e65930163c95e1c519e78ee49f1acef985e236018a7ccd9a9cdbf647a04e274

SHA512
38ab2ae33519be8600bb0888e84633b7b47afae7159a899b5180b7bd6293ce67281fee5b9475482be7c8a89647a16ff2b877b967f2a4d57d63e391ddd96807c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9fmma8z.dll

Filesize
76KB

MD5
068229cc334b2d24b3d0e736447630a3

SHA1
0f741b52df59646ba7d754e875b3aa4d8ebcc947

SHA256
b18301d23c4f796e6166b500da2746bbf04d7ce4506583cb5ee927b6d28c8daf

SHA512
b5d849fb2b5a6e430863a2a36c33de72d87546ed18097af7b2c7c731addaef9d8d4a41b55bf21fa49f36243b17078aa7d25dbc686a176ef0a3ee873fffbf6244

Download Submit
C:\Users\Admin\AppData\Local\Temp\{ccd0917d-3058-4d99-97a3-94c07f603958}.bat

Filesize
171B

MD5
5f4b358b60ff8baf84ea9f9f752e0617

SHA1
927aa4931bcf6cde61781e8302f126c00b2817a3

SHA256
14f0909795480bca4f72a6c7afa752706380fdcc4d6a5c11e55ca906e2e1e512

SHA512
aff993e7d1f89220588eaeff0e56c91ff2d90fdafdf2b326189c85d19d7e8ba3654ff6a059dbf3eccedd0270f3ced9f2c9919eeacf2ffce171c4bf49dcc912e8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCBE4F.tmp

Filesize
676B

MD5
54a6f0d71dd61591eba6a14e56225091

SHA1
1443c80c2c0dc9ea228e4f1d84832295761df789

SHA256
77e6bf3c57faafe596772e8f08ee88fca8768b3f6421244399fac6250435c981

SHA512
9f7f288f9e4cb0a2ecc7025dfc198cbbe2717a4fb72a5742aff56d8ea607d00b7c236ed31648d13307e9c84742aeb834b2afaedef7b5074ec061d6bea04c42e6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\b9fmma8z.0.cs

Filesize
208KB

MD5
0b5a4a578a040a419fac6f4dd71481af

SHA1
8cdb8c880e04275a3fc5e08d6c091f7835266e0f

SHA256
86f9e73fb057a0c670596f547b4f344bdca0de3624d87db31da4e1581b1e7ce3

SHA512
6f8ec43c2262db7ab31e9c266231dd9ee32a548a45dc06c7e39c974ca57307f5c8657689f6ff02f837123d01c8c5447a6891f6750f5debbddd258cc0b45d541c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\b9fmma8z.cmdline

Filesize
349B

MD5
aa711ab76a306140116157329780b315

SHA1
f9c4fedc1911ac369dbe7e64a955698d3eb7573c

SHA256
c9b80a47c747f41961bebd2c7cec0be6b008df965ac8a6a3872b0f3b91fc71d6

SHA512
52c757a9ca027bc38b8cfa6b34b083aa0e97989910744f492ecd66b8e714755dc5c3365eec6536cb45ce2b1a93beb8f9539799b7e00c378876d7cdab607f2caf

Download Submit
memory/2132-19-0x00007FFA50690000-0x00007FFA51031000-memory.dmp

Filesize
9.6MB

Download
memory/2132-14-0x00007FFA50690000-0x00007FFA51031000-memory.dmp

Filesize
9.6MB

Download
memory/2892-41-0x0000000002840000-0x0000000002858000-memory.dmp

Filesize
96KB

Download
memory/2892-38-0x00007FFA4DF63000-0x00007FFA4DF65000-memory.dmp

Filesize
8KB

Download
memory/2892-46-0x000000001E280000-0x000000001E2CE000-memory.dmp

Filesize
312KB

Download
memory/2892-45-0x000000001E390000-0x000000001E49A000-memory.dmp

Filesize
1.0MB

Download
memory/2892-44-0x000000001E240000-0x000000001E27C000-memory.dmp

Filesize
240KB

Download
memory/2892-43-0x000000001E1E0000-0x000000001E1F2000-memory.dmp

Filesize
72KB

Download
memory/2892-42-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download
memory/2892-40-0x0000000000350000-0x000000000064A000-memory.dmp

Filesize
3.0MB

Download
memory/4064-23-0x0000000001710000-0x0000000001722000-memory.dmp

Filesize
72KB

Download
memory/4064-39-0x00007FFA50690000-0x00007FFA51031000-memory.dmp

Filesize
9.6MB

Download
memory/4064-3-0x0000000001350000-0x000000000135E000-memory.dmp

Filesize
56KB

Download
memory/4064-0-0x00007FFA50945000-0x00007FFA50946000-memory.dmp

Filesize
4KB

Download
memory/4064-2-0x000000001BC40000-0x000000001BC9C000-memory.dmp

Filesize
368KB

Download
memory/4064-6-0x000000001C9E0000-0x000000001CA7C000-memory.dmp

Filesize
624KB

Download
memory/4064-21-0x0000000001730000-0x0000000001746000-memory.dmp

Filesize
88KB

Download
memory/4064-4-0x00007FFA50690000-0x00007FFA51031000-memory.dmp

Filesize
9.6MB

Download
memory/4064-5-0x000000001C470000-0x000000001C93E000-memory.dmp

Filesize
4.8MB

Download
memory/4064-1-0x00007FFA50690000-0x00007FFA51031000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads