Malware Analysis Report

2025-01-22 14:49

Sample ID 241129-14xksaypbv
Target be6a2eb19719c11f1aac7a06fc5301df.bin
SHA256 dcb291059b9d48a686b4ae5d83f5c6438617d0e9fc24ba5031556f9284b4d90c
Tags
orcus discovery rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dcb291059b9d48a686b4ae5d83f5c6438617d0e9fc24ba5031556f9284b4d90c

Threat Level: Known bad

The file be6a2eb19719c11f1aac7a06fc5301df.bin was found to be: Known bad.

Malicious Activity Summary

orcus discovery rat spyware stealer

Orcus

Orcus family

Orcurs Rat Executable

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-29 22:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-29 22:12

Reported

2024-11-29 22:15

Platform

win7-20240903-en

Max time kernel

137s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1cd1f7fff33ed742cd3e44b5db696c9081f0452405f2ab33850e0a953e1e5f0e.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus family

orcus

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1cd1f7fff33ed742cd3e44b5db696c9081f0452405f2ab33850e0a953e1e5f0e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1cd1f7fff33ed742cd3e44b5db696c9081f0452405f2ab33850e0a953e1e5f0e.exe

"C:\Users\Admin\AppData\Local\Temp\1cd1f7fff33ed742cd3e44b5db696c9081f0452405f2ab33850e0a953e1e5f0e.exe"

Network

Country Destination Domain Proto
HK 45.204.82.103:6606 tcp
HK 45.204.82.103:6606 tcp
HK 45.204.82.103:6606 tcp
HK 45.204.82.103:6606 tcp
HK 45.204.82.103:6606 tcp
HK 45.204.82.103:6606 tcp
HK 45.204.82.103:6606 tcp

Files

memory/2648-0-0x000000007441E000-0x000000007441F000-memory.dmp

memory/2648-1-0x0000000000C00000-0x0000000000CFC000-memory.dmp

memory/2648-2-0x000000007441E000-0x000000007441F000-memory.dmp

memory/2648-3-0x0000000004D20000-0x0000000004E08000-memory.dmp

memory/2648-4-0x0000000000370000-0x000000000037E000-memory.dmp

memory/2648-5-0x00000000005A0000-0x00000000005FC000-memory.dmp

memory/2648-6-0x0000000074410000-0x0000000074AFE000-memory.dmp

memory/2648-7-0x00000000004C0000-0x00000000004D2000-memory.dmp

memory/2648-8-0x0000000074410000-0x0000000074AFE000-memory.dmp

memory/2648-9-0x0000000000530000-0x0000000000548000-memory.dmp

memory/2648-10-0x0000000000640000-0x0000000000650000-memory.dmp

memory/2648-11-0x0000000074410000-0x0000000074AFE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-29 22:12

Reported

2024-11-29 22:15

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1cd1f7fff33ed742cd3e44b5db696c9081f0452405f2ab33850e0a953e1e5f0e.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus family

orcus

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1cd1f7fff33ed742cd3e44b5db696c9081f0452405f2ab33850e0a953e1e5f0e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1cd1f7fff33ed742cd3e44b5db696c9081f0452405f2ab33850e0a953e1e5f0e.exe

"C:\Users\Admin\AppData\Local\Temp\1cd1f7fff33ed742cd3e44b5db696c9081f0452405f2ab33850e0a953e1e5f0e.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
HK 45.204.82.103:6606 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
HK 45.204.82.103:6606 tcp
HK 45.204.82.103:6606 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
HK 45.204.82.103:6606 tcp
HK 45.204.82.103:6606 tcp
HK 45.204.82.103:6606 tcp
HK 45.204.82.103:6606 tcp

Files

memory/4152-0-0x000000007532E000-0x000000007532F000-memory.dmp

memory/4152-1-0x0000000000440000-0x000000000053C000-memory.dmp

memory/4152-2-0x000000007532E000-0x000000007532F000-memory.dmp

memory/4152-3-0x0000000075320000-0x0000000075AD0000-memory.dmp

memory/4152-4-0x0000000005240000-0x00000000052DC000-memory.dmp

memory/4152-5-0x00000000052E0000-0x00000000053C8000-memory.dmp

memory/4152-6-0x0000000075320000-0x0000000075AD0000-memory.dmp

memory/4152-7-0x0000000004FE0000-0x0000000004FEE000-memory.dmp

memory/4152-8-0x00000000051A0000-0x00000000051FC000-memory.dmp

memory/4152-9-0x0000000005980000-0x0000000005F24000-memory.dmp

memory/4152-10-0x0000000005470000-0x0000000005502000-memory.dmp

memory/4152-11-0x0000000005450000-0x0000000005462000-memory.dmp

memory/4152-12-0x0000000005610000-0x0000000005628000-memory.dmp

memory/4152-13-0x00000000058B0000-0x00000000058C0000-memory.dmp

memory/4152-14-0x0000000006050000-0x000000000605A000-memory.dmp

memory/4152-15-0x0000000075320000-0x0000000075AD0000-memory.dmp