orcus | dad9c156fb5562b5ca6a3fc66ce92d0435091a0444448633a8d8d0e7caee6534

Analysis

max time kernel
147s
max time network
151s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
20/11/2024, 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

die.exe
Size

3.0MB
MD5

e0e9f2b50bfa42d18679c8c0b429cddd
SHA1

b7f28f076a3d109396380bf85bfb732fa45b7901
SHA256

dad9c156fb5562b5ca6a3fc66ce92d0435091a0444448633a8d8d0e7caee6534
SHA512

d5cfbe7977b6b0fbdcc1326065976b3cefac3b1f5d0e7b013d96d5967dd8288e5f612f02aca45869a817752331bef98ee6358251b139ce1d6606a2609005e3fa
SSDEEP

49152:eNODf7+QSLqZeM9/04zgaMWUljQfJgVXkKAypQxb0/o9JnCmsWncFf0I74gu3KM:egyb2MnjQBEUNypSb6o9JCm

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

10.211.55.25:10134

Mutex

0d5c4caa686e4bf1a077d8b4011ad8f2

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/memory/468-1-0x0000021B02B80000-0x0000021B02E78000-memory.dmp	orcus
behavioral1/files/0x0028000000045041-9.dat	orcus

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	die.exe

Executes dropped EXE 1 IoCs

pid	Process
1640	Orcus.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe	die.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	die.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 468 wrote to memory of 1640	468	die.exe	82
PID 468 wrote to memory of 1640	468	die.exe	82

C:\Users\Admin\AppData\Local\Temp\die.exe
"C:\Users\Admin\AppData\Local\Temp\die.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:468
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
3.0MB

MD5
e0e9f2b50bfa42d18679c8c0b429cddd

SHA1
b7f28f076a3d109396380bf85bfb732fa45b7901

SHA256
dad9c156fb5562b5ca6a3fc66ce92d0435091a0444448633a8d8d0e7caee6534

SHA512
d5cfbe7977b6b0fbdcc1326065976b3cefac3b1f5d0e7b013d96d5967dd8288e5f612f02aca45869a817752331bef98ee6358251b139ce1d6606a2609005e3fa

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
349B

MD5
89817519e9e0b4e703f07e8c55247861

SHA1
4636de1f6c997a25c3190f73f46a3fd056238d78

SHA256
f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13

SHA512
b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

Download Submit
memory/468-2-0x0000021B1D3E0000-0x0000021B1D43C000-memory.dmp

Filesize
368KB

Download
memory/468-0-0x00007FFCFBC93000-0x00007FFCFBC95000-memory.dmp

Filesize
8KB

Download
memory/468-4-0x00007FFCFBC90000-0x00007FFCFC752000-memory.dmp

Filesize
10.8MB

Download
memory/468-5-0x0000021B04A80000-0x0000021B04A92000-memory.dmp

Filesize
72KB

Download
memory/468-3-0x0000021B03220000-0x0000021B0322E000-memory.dmp

Filesize
56KB

Download
memory/468-1-0x0000021B02B80000-0x0000021B02E78000-memory.dmp

Filesize
3.0MB

Download
memory/468-13-0x00007FFCFBC90000-0x00007FFCFC752000-memory.dmp

Filesize
10.8MB

Download
memory/1640-12-0x00007FFCFBC90000-0x00007FFCFC752000-memory.dmp

Filesize
10.8MB

Download
memory/1640-14-0x00007FFCFBC90000-0x00007FFCFC752000-memory.dmp

Filesize
10.8MB

Download
memory/1640-15-0x0000028F17E70000-0x0000028F17E82000-memory.dmp

Filesize
72KB

Download
memory/1640-16-0x0000028F17E90000-0x0000028F17EA8000-memory.dmp

Filesize
96KB

Download
memory/1640-17-0x0000028F17E60000-0x0000028F17E70000-memory.dmp

Filesize
64KB

Download
memory/1640-18-0x00007FFCFBC90000-0x00007FFCFC752000-memory.dmp

Filesize
10.8MB

Download