orcus | b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34

General

Target

b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe
Size

913KB
MD5

3992adca438aa315a440553482496942
SHA1

3280796a667b1b14731ccf37656f02366237fb46
SHA256

b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34
SHA512

7433550582171fbd50eccf8ad0b0d8e71194b2157374429081738d709c15b843e1b8ccd856c2cdf9faaf589ba6b41a928c895a304a5f08e358ce97d7e001882b
SSDEEP

24576:4Eqr4MROxnF25bHKTlQMrZlI0AilFEvxHiPN:4EjMiwMrZlI0AilFEvxHi

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

192.168.31.232:3941

Mutex

8b9d3646f7234d7ea3bb88796d93242f

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023b84-42.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023b84-42.dat	orcus
behavioral2/memory/1924-53-0x0000000000FC0000-0x00000000010AA000-memory.dmp	orcus

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe

Executes dropped EXE 1 IoCs

pid	Process
1924	Orcus.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe	b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe
File created	C:\Windows\assembly\Desktop.ini	b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1924	Orcus.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1924	Orcus.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1924	Orcus.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3896 wrote to memory of 4020	3896	b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe	82
PID 3896 wrote to memory of 4020	3896	b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe	82
PID 4020 wrote to memory of 4624	4020	csc.exe	84
PID 4020 wrote to memory of 4624	4020	csc.exe	84
PID 3896 wrote to memory of 1924	3896	b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe	86
PID 3896 wrote to memory of 1924	3896	b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe	86

C:\Users\Admin\AppData\Local\Temp\b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe
"C:\Users\Admin\AppData\Local\Temp\b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8hsb7hif.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8657.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8656.tmp"
    3⤵
    PID:4624
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
913KB

MD5
3992adca438aa315a440553482496942

SHA1
3280796a667b1b14731ccf37656f02366237fb46

SHA256
b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34

SHA512
7433550582171fbd50eccf8ad0b0d8e71194b2157374429081738d709c15b843e1b8ccd856c2cdf9faaf589ba6b41a928c895a304a5f08e358ce97d7e001882b

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\8hsb7hif.dll

Filesize
76KB

MD5
ca68a6113dec7658772f7394c2b2fdb8

SHA1
00c1cadaeba199c9daa269a14675eb969ec7d3f3

SHA256
c8ddba48de20387d3b209ebfc9eb600c6502b425f3f67759dcb0f67362127eb7

SHA512
50a2469667519136d8dab389840ab4e3322853c0437e0e5aba5fd0a47bab2cb37877ca5983908023ea59ad43ed8d5c8a2c9060304571d233df14651832387875

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8657.tmp

Filesize
1KB

MD5
1f9acedd9ea3c4536c4a061f0f2438af

SHA1
b291c18e7976690de992be2d3dba27b31068bbd6

SHA256
7f0e31d3a914520b30aa81b1603dc75257dfbd943e786a268b5a7ad9ed0d3cef

SHA512
4d2b5966bebc7b1b59f739264d1d93008ab00c2d3bd1cf783a719932f2f39026b35b06dc8a6759766f301398b6e790cbd3e8b59a332482d1fdd971094effef0b

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\err_8b9d3646f7234d7ea3bb88796d93242f.dat

Filesize
1KB

MD5
10d77f36a787132344561b44771676d3

SHA1
9a42c59cd4c8998f84efcb9a20b1c2110527e23b

SHA256
3fa797f28e4d7c255cae0fa840876cad47ec9a8c659e5497b423fe168d6171c8

SHA512
1542963090c952fe017f79477172a676e91fd8a0d28cb77b9fabdaea4a0ecef28ebcb4712c35f5c691a823f63bb787ac2b8e1f4ee0e564155c385bdb755df55c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\8hsb7hif.0.cs

Filesize
208KB

MD5
a400e6e03516e2b97b425c3144f068de

SHA1
b08e7e42da2ac93650a7446bc0ad0c7b59d76933

SHA256
0c983a77ecb0fe45796340471c4383ebb9a191987b1d33588d6ddf25b1e40e6b

SHA512
f9c87145272fe84083e5bfc4e26e65802e357dec00d85af49e7034eaa97b15bfb7dd0577693c15e176ab5e38533e7d3730320c2f1e3818214f1ec8d36e27c4c8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\8hsb7hif.cmdline

Filesize
349B

MD5
53e2b347dff604efec2daa19c9e67099

SHA1
074bc99a72d1fed72c99f12895892aa03f2cb35b

SHA256
0639f9e49f24714f541a2e915d479e17681fa0b793bb6f76b37a3eece8e0aaa2

SHA512
fb09dfb2e85bd9768f0a865019660e058aff98fb832458f464f06f43dc303e7497d6f672c5f6ffeb9a29cab0021f968cc161a31224d4023396609f6dc38cfded

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8656.tmp

Filesize
676B

MD5
efe823497db1eaa647fbcf109c563f49

SHA1
86be3f406554e13e0c86a586498902b99bc64068

SHA256
97f58f9854b98322781b94540e4c01ff862554de7538fa25f5d88c1ef4ea6b13

SHA512
89cbf1827f7e8d0d2959dd19151e7a5a01419d915ae25d23de162e497262b6860d88c54c21537cc3220335e88f537a15907098db093d25deaa32fc7f57f33930

Download Submit
memory/1924-56-0x000000001C100000-0x000000001C13C000-memory.dmp

Filesize
240KB

Download
memory/1924-57-0x000000001C250000-0x000000001C35A000-memory.dmp

Filesize
1.0MB

Download
memory/1924-55-0x000000001BC40000-0x000000001BC52000-memory.dmp

Filesize
72KB

Download
memory/1924-60-0x000000001BD90000-0x000000001BDA8000-memory.dmp

Filesize
96KB

Download
memory/1924-54-0x000000001BC00000-0x000000001BC12000-memory.dmp

Filesize
72KB

Download
memory/1924-53-0x0000000000FC0000-0x00000000010AA000-memory.dmp

Filesize
936KB

Download
memory/1924-61-0x000000001BC70000-0x000000001BC80000-memory.dmp

Filesize
64KB

Download
memory/1924-50-0x00007FFB82253000-0x00007FFB82255000-memory.dmp

Filesize
8KB

Download
memory/1924-62-0x00007FFB82253000-0x00007FFB82255000-memory.dmp

Filesize
8KB

Download
memory/3896-28-0x000000001CA10000-0x000000001CA72000-memory.dmp

Filesize
392KB

Download
memory/3896-27-0x000000001B300000-0x000000001B308000-memory.dmp

Filesize
32KB

Download
memory/3896-29-0x000000001D370000-0x000000001D92A000-memory.dmp

Filesize
5.7MB

Download
memory/3896-30-0x000000001D930000-0x000000001DA20000-memory.dmp

Filesize
960KB

Download
memory/3896-31-0x000000001CB70000-0x000000001CB8E000-memory.dmp

Filesize
120KB

Download
memory/3896-32-0x000000001DA30000-0x000000001DA79000-memory.dmp

Filesize
292KB

Download
memory/3896-33-0x00007FFB85360000-0x00007FFB85D01000-memory.dmp

Filesize
9.6MB

Download
memory/3896-34-0x000000001DB10000-0x000000001DB80000-memory.dmp

Filesize
448KB

Download
memory/3896-35-0x00007FFB85360000-0x00007FFB85D01000-memory.dmp

Filesize
9.6MB

Download
memory/3896-25-0x000000001B270000-0x000000001B282000-memory.dmp

Filesize
72KB

Download
memory/3896-26-0x0000000000B10000-0x0000000000B18000-memory.dmp

Filesize
32KB

Download
memory/3896-0-0x00007FFB85615000-0x00007FFB85616000-memory.dmp

Filesize
4KB

Download
memory/3896-52-0x00007FFB85360000-0x00007FFB85D01000-memory.dmp

Filesize
9.6MB

Download
memory/3896-23-0x000000001C620000-0x000000001C636000-memory.dmp

Filesize
88KB

Download
memory/3896-1-0x00007FFB85360000-0x00007FFB85D01000-memory.dmp

Filesize
9.6MB

Download
memory/3896-2-0x000000001B360000-0x000000001B3BC000-memory.dmp

Filesize
368KB

Download
memory/3896-8-0x000000001BFE0000-0x000000001C07C000-memory.dmp

Filesize
624KB

Download
memory/3896-7-0x000000001BA70000-0x000000001BF3E000-memory.dmp

Filesize
4.8MB

Download
memory/3896-6-0x000000001B410000-0x000000001B41E000-memory.dmp

Filesize
56KB

Download
memory/3896-3-0x00007FFB85360000-0x00007FFB85D01000-memory.dmp

Filesize
9.6MB

Download
memory/4020-16-0x00007FFB85360000-0x00007FFB85D01000-memory.dmp

Filesize
9.6MB

Download
memory/4020-21-0x00007FFB85360000-0x00007FFB85D01000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing