orcus | 84219374f172ea99bebe9fd7dc98710725d4db38949cf1031acb13e135f0d530

General

Target

84219374f172ea99bebe9fd7dc98710725d4db38949cf1031acb13e135f0d530.exe
Size

940KB
MD5

349136bb636b9cfb47d8933041cf72c1
SHA1

eddfa1e216a0a72333b0ce79046d72f010063af8
SHA256

84219374f172ea99bebe9fd7dc98710725d4db38949cf1031acb13e135f0d530
SHA512

b0f7ba45275b40a42e74bdc684b74409f444f4ff9a63e2f63000ed4b1f6aad1f432bc60f5e69e739db7c44718499d2c263e834c25f6cf852e8a94659a5dc1953
SSDEEP

24576:vsz3s4MROxnF9LqrZlI0AilFEvxHi8b8om:0z3/Mi7qrZlI0AilFEvxHi7

Score

10^/10

orcus discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

25.58.174.75:10134

Mutex

5959ab4ab0884401bc50ad7556c97639

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012260-2.dat	family_orcus

Orcurs Rat Executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012260-2.dat	orcus

Executes dropped EXE 1 IoCs

pid	Process
2392	nrqiowbzfporq.exe

Loads dropped DLL 1 IoCs

pid	Process
2336	84219374f172ea99bebe9fd7dc98710725d4db38949cf1031acb13e135f0d530.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\_tmp9877	84219374f172ea99bebe9fd7dc98710725d4db38949cf1031acb13e135f0d530.exe
File created	C:\Windows\SysWOW64\_tmp9877	84219374f172ea99bebe9fd7dc98710725d4db38949cf1031acb13e135f0d530.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	84219374f172ea99bebe9fd7dc98710725d4db38949cf1031acb13e135f0d530.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2392	2336	84219374f172ea99bebe9fd7dc98710725d4db38949cf1031acb13e135f0d530.exe	31
PID 2336 wrote to memory of 2392	2336	84219374f172ea99bebe9fd7dc98710725d4db38949cf1031acb13e135f0d530.exe	31
PID 2336 wrote to memory of 2392	2336	84219374f172ea99bebe9fd7dc98710725d4db38949cf1031acb13e135f0d530.exe	31
PID 2336 wrote to memory of 2392	2336	84219374f172ea99bebe9fd7dc98710725d4db38949cf1031acb13e135f0d530.exe	31
PID 2392 wrote to memory of 2384	2392	nrqiowbzfporq.exe	32
PID 2392 wrote to memory of 2384	2392	nrqiowbzfporq.exe	32
PID 2392 wrote to memory of 2384	2392	nrqiowbzfporq.exe	32
PID 2384 wrote to memory of 2656	2384	csc.exe	34
PID 2384 wrote to memory of 2656	2384	csc.exe	34
PID 2384 wrote to memory of 2656	2384	csc.exe	34

C:\Users\Admin\AppData\Local\Temp\84219374f172ea99bebe9fd7dc98710725d4db38949cf1031acb13e135f0d530.exe
"C:\Users\Admin\AppData\Local\Temp\84219374f172ea99bebe9fd7dc98710725d4db38949cf1031acb13e135f0d530.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\nrqiowbzfporq.exe
  "C:\Users\Admin\AppData\Local\Temp\nrqiowbzfporq.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gpziny1p.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD8D3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD8D2.tmp"
      4⤵
      PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD8D3.tmp

Filesize
1KB

MD5
5fe97e1f695df07b83a0d50e8b0af4dd

SHA1
31c391f7141bdd817cf52cd72d47a58a6300f227

SHA256
6a4052244bd23d59066d2b10f20604f73d2d44e161ff4c250a3485aa7319e5f5

SHA512
a6c1355db444b8a1b3136ca1fb4b82967b63badbbd2a492ee862b9b9649eee079392fc4df55aeddbbdeab168b7510f36ea4f420ac888182b8c8b0f6b4068ec23

Download Submit
C:\Users\Admin\AppData\Local\Temp\gpziny1p.dll

Filesize
76KB

MD5
a5b86c2fff5235976866baf7cc4992ca

SHA1
c0ac00e9333323cd76c37ced567526530bf13ace

SHA256
93481d9937c5803110a32894dfd9957830a5302b3d0495f47cd88e1eda22495f

SHA512
b471f30661ed4b2d85a9f2859185641c63cbdf4cc9461aaefd6e147690d792086fa7df302bcf076782c15afef65514954b1cc31cb641e0e3cff7e532637b28e6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCD8D2.tmp

Filesize
676B

MD5
31eb3bafe8cce320218ba805bca41da7

SHA1
28c1bd86d2e29cab8241da89542e00b0bab704e5

SHA256
cf77c8012b2c3a1ec37dc6cfc37a981f02d6fdcf5ce3fd66db04a138cde75d5a

SHA512
e546512853f84352ecce3a4f19be30bf8fd4aee3010aa1823a881e6e079ec938cec5022ff724a7d4e3327dbb34dd35d585ff2f48ee99a191e2ca9131443c1987

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gpziny1p.0.cs

Filesize
208KB

MD5
c555d9796194c1d9a1310a05a2264e08

SHA1
82641fc4938680519c3b2e925e05e1001cbd71d7

SHA256
ccbb8fd27ab2f27fbbd871793886ff52ff1fbd9117c98b8d190c1a96b67e498a

SHA512
0b85ca22878998c7697c589739905b218f9b264a32c8f99a9f9dd73d0687a5de46cc7e851697ee16424baf94d301e411648aa2d061ac149a6d2e06b085e07090

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gpziny1p.cmdline

Filesize
349B

MD5
22c3c21930da2af1408992b19291b8d8

SHA1
253bb7170e8078890ac5c3104e8ecf94519bf778

SHA256
d1355a8c56b633a66bbe9d767fec9224071dda7b982265f404daf0e51e5ef02c

SHA512
e63b1330693f8c7c11ddf62d90d1e0b7156fb0a1d77251e1df24bf08f854c30a37cf03ad6148ce9b10fdbe527e3956d382cb4026d3c8088e230b747cb0118af8

Download Submit
\Users\Admin\AppData\Local\Temp\nrqiowbzfporq.exe

Filesize
903KB

MD5
e01f6c2e3489ec4f372f5e42043c76ad

SHA1
ff18a6f8f0535cb90bd1be41c5f751eb7e68c9bf

SHA256
78afefee16a6e648a08f0e348c086dde76f917e24b45dd4c64124fa0645f8d97

SHA512
b7eb8aaf68bc5a91e94bb1889cda2d0c22af3cbf4011134b6b4d86d08ca6e945002f868a3c818fb0aa0e551193863167c874f4780aa93142b7e74768d96dd932

Download Submit
memory/2392-14-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

Filesize
9.6MB

Download
memory/2392-13-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

Filesize
9.6MB

Download
memory/2392-12-0x0000000000410000-0x000000000041E000-memory.dmp

Filesize
56KB

Download
memory/2392-11-0x000000001AFF0000-0x000000001B04C000-memory.dmp

Filesize
368KB

Download
memory/2392-10-0x000007FEF610E000-0x000007FEF610F000-memory.dmp

Filesize
4KB

Download
memory/2392-27-0x000000001AEB0000-0x000000001AEC6000-memory.dmp

Filesize
88KB

Download
memory/2392-29-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/2392-30-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing