orcus | b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34

General

Target

b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe
Size

913KB
MD5

3992adca438aa315a440553482496942
SHA1

3280796a667b1b14731ccf37656f02366237fb46
SHA256

b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34
SHA512

7433550582171fbd50eccf8ad0b0d8e71194b2157374429081738d709c15b843e1b8ccd856c2cdf9faaf589ba6b41a928c895a304a5f08e358ce97d7e001882b
SSDEEP

24576:4Eqr4MROxnF25bHKTlQMrZlI0AilFEvxHiPN:4EjMiwMrZlI0AilFEvxHi

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

192.168.31.232:3941

Mutex

8b9d3646f7234d7ea3bb88796d93242f

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000800000001927a-30.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/files/0x000800000001927a-30.dat	orcus
behavioral1/memory/2620-35-0x0000000000B30000-0x0000000000C1A000-memory.dmp	orcus

Executes dropped EXE 1 IoCs

pid	Process
2620	Orcus.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Orcus\Orcus.exe	b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe
File created	C:\Program Files\Orcus\Orcus.exe	b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2620	Orcus.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2620	Orcus.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2620	Orcus.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2812	2336	b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe	30
PID 2336 wrote to memory of 2812	2336	b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe	30
PID 2336 wrote to memory of 2812	2336	b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe	30
PID 2812 wrote to memory of 2576	2812	csc.exe	32
PID 2812 wrote to memory of 2576	2812	csc.exe	32
PID 2812 wrote to memory of 2576	2812	csc.exe	32
PID 2336 wrote to memory of 2620	2336	b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe	34
PID 2336 wrote to memory of 2620	2336	b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe	34
PID 2336 wrote to memory of 2620	2336	b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe	34

C:\Users\Admin\AppData\Local\Temp\b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe
"C:\Users\Admin\AppData\Local\Temp\b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nbnjzhw5.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES30A3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC30A2.tmp"
    3⤵
    PID:2576
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
913KB

MD5
3992adca438aa315a440553482496942

SHA1
3280796a667b1b14731ccf37656f02366237fb46

SHA256
b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34

SHA512
7433550582171fbd50eccf8ad0b0d8e71194b2157374429081738d709c15b843e1b8ccd856c2cdf9faaf589ba6b41a928c895a304a5f08e358ce97d7e001882b

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES30A3.tmp

Filesize
1KB

MD5
a5068b95dcd530ac6cb2a4addbb27811

SHA1
3cd613ed8ed1ae240401311350ad8175fea01866

SHA256
2d4445adc5fe9bd642e4bdd955dcabf028436b967c0a01f1b5ea1830b674c967

SHA512
5729a8b5e599de759b7304ec73c1500ba2dc9bc04351d35bcd9c0764f77fdbed4a7feaa195c8cff3b095147757ac55b6ea94a01fe0b6cdd1f0294dddc6069e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbnjzhw5.dll

Filesize
76KB

MD5
a0d9b4792230b203b81c5738229c097b

SHA1
d98aac221dbefa3c7299c9582a6446fcfda3cd35

SHA256
221feffbe9797f3c58f7e3c8e2ad12b67be9a49d833027ff2fb5cc24857476d9

SHA512
0b869941e411f3bafc66fb8b7f17eb6ccf773a6a1f188b562f05ce2173ebfacfc765e79a98aa1dd0dbcb7daeca1a6ffca0f48d7a7271c01559ec519546ee6a4c

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\err_8b9d3646f7234d7ea3bb88796d93242f.dat

Filesize
1KB

MD5
dcf2865f7046219f419ff0e9b2aeab10

SHA1
b32d87bbd2e600856d75d5d0ff7c856d0647555e

SHA256
70c3e74d2f6d9727b88ec50237ec4aca3aaf449a112a3f3b251937066be64d76

SHA512
e8dcbf309e6d707b0e734ae769bf2e64aeca2430bebfdc42449339a9e2e33a3bedab3b3a8add7c9630c0a98ff40e521aceecd2c33f782a0ac1e2676591571616

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC30A2.tmp

Filesize
676B

MD5
d614ec99b0041a0cb4450be04e39c36c

SHA1
b88ccfbf342764559c10f22847be0134aca9ea9f

SHA256
bd47e8d83802fbb1428e3e30779b2778eede6d77e6a1952d0bb3b8771ec219ba

SHA512
f978ad280af63312ec3c0084cc0b44c66630ec3c0edc92baa6f42977ae427099bf206dd335a2d8cfc37e70a406fffa2668d51f26f3e751e22772e2fc5d1c7dfb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nbnjzhw5.0.cs

Filesize
208KB

MD5
c555d9796194c1d9a1310a05a2264e08

SHA1
82641fc4938680519c3b2e925e05e1001cbd71d7

SHA256
ccbb8fd27ab2f27fbbd871793886ff52ff1fbd9117c98b8d190c1a96b67e498a

SHA512
0b85ca22878998c7697c589739905b218f9b264a32c8f99a9f9dd73d0687a5de46cc7e851697ee16424baf94d301e411648aa2d061ac149a6d2e06b085e07090

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nbnjzhw5.cmdline

Filesize
349B

MD5
dd65770194e839b18cd6b97b0ca2c0fe

SHA1
f6711925936c2d152ae690355514a3e243975102

SHA256
8604c99b1de56ee40c1ea6b49dfcde63a3a09f75290321349180af1daf52a277

SHA512
4b708c1186598a4c25918b10d23f7babd63b92971451e207e101e1cbf322f570d629a1f1b2cb4fd7ceb2d28052c9a96a8c34ffd31d3d3f5e731ebe5283464d12

Download Submit
memory/2336-32-0x000007FEF6330000-0x000007FEF6CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2336-6-0x000007FEF6330000-0x000007FEF6CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2336-7-0x000007FEF6330000-0x000007FEF6CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2336-19-0x0000000000E40000-0x0000000000E56000-memory.dmp

Filesize
88KB

Download
memory/2336-2-0x0000000000280000-0x000000000028E000-memory.dmp

Filesize
56KB

Download
memory/2336-21-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/2336-22-0x0000000000610000-0x0000000000618000-memory.dmp

Filesize
32KB

Download
memory/2336-23-0x0000000000640000-0x0000000000648000-memory.dmp

Filesize
32KB

Download
memory/2336-24-0x000007FEF6330000-0x000007FEF6CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2336-1-0x0000000000DE0000-0x0000000000E3C000-memory.dmp

Filesize
368KB

Download
memory/2336-0-0x000007FEF65EE000-0x000007FEF65EF000-memory.dmp

Filesize
4KB

Download
memory/2336-33-0x000007FEF6330000-0x000007FEF6CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2620-35-0x0000000000B30000-0x0000000000C1A000-memory.dmp

Filesize
936KB

Download
memory/2620-38-0x0000000002120000-0x0000000002138000-memory.dmp

Filesize
96KB

Download
memory/2620-39-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/2812-10-0x000007FEF6330000-0x000007FEF6CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2812-17-0x000007FEF6330000-0x000007FEF6CCD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing