orcus | 84219374f172ea99bebe9fd7dc98710725d4db38949cf1031acb13e135f0d530

General

Target

84219374f172ea99bebe9fd7dc98710725d4db38949cf1031acb13e135f0d530.exe
Size

940KB
MD5

349136bb636b9cfb47d8933041cf72c1
SHA1

eddfa1e216a0a72333b0ce79046d72f010063af8
SHA256

84219374f172ea99bebe9fd7dc98710725d4db38949cf1031acb13e135f0d530
SHA512

b0f7ba45275b40a42e74bdc684b74409f444f4ff9a63e2f63000ed4b1f6aad1f432bc60f5e69e739db7c44718499d2c263e834c25f6cf852e8a94659a5dc1953
SSDEEP

24576:vsz3s4MROxnF9LqrZlI0AilFEvxHi8b8om:0z3/Mi7qrZlI0AilFEvxHi7

Score

10^/10

orcus discovery rat spyware stealer

Malware Config

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023cad-4.dat	family_orcus

Orcurs Rat Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023cad-4.dat	orcus

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	84219374f172ea99bebe9fd7dc98710725d4db38949cf1031acb13e135f0d530.exe

Executes dropped EXE 1 IoCs

pid	Process
4804	xtdbogmtbxgetolt.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	xtdbogmtbxgetolt.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	xtdbogmtbxgetolt.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\_tmp9877	84219374f172ea99bebe9fd7dc98710725d4db38949cf1031acb13e135f0d530.exe
File created	C:\Windows\SysWOW64\_tmp9877	84219374f172ea99bebe9fd7dc98710725d4db38949cf1031acb13e135f0d530.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	xtdbogmtbxgetolt.exe
File created	C:\Windows\assembly\Desktop.ini	xtdbogmtbxgetolt.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	xtdbogmtbxgetolt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	84219374f172ea99bebe9fd7dc98710725d4db38949cf1031acb13e135f0d530.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 4804	2216	84219374f172ea99bebe9fd7dc98710725d4db38949cf1031acb13e135f0d530.exe	83
PID 2216 wrote to memory of 4804	2216	84219374f172ea99bebe9fd7dc98710725d4db38949cf1031acb13e135f0d530.exe	83
PID 4804 wrote to memory of 2712	4804	xtdbogmtbxgetolt.exe	84
PID 4804 wrote to memory of 2712	4804	xtdbogmtbxgetolt.exe	84
PID 2712 wrote to memory of 2532	2712	csc.exe	86
PID 2712 wrote to memory of 2532	2712	csc.exe	86

C:\Users\Admin\AppData\Local\Temp\84219374f172ea99bebe9fd7dc98710725d4db38949cf1031acb13e135f0d530.exe
"C:\Users\Admin\AppData\Local\Temp\84219374f172ea99bebe9fd7dc98710725d4db38949cf1031acb13e135f0d530.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Users\Admin\AppData\Local\Temp\xtdbogmtbxgetolt.exe
  "C:\Users\Admin\AppData\Local\Temp\xtdbogmtbxgetolt.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cznwndc0.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC4F7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC4F6.tmp"
      4⤵
      PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC4F7.tmp

Filesize
1KB

MD5
60ad7061121f580573f2c34fdf84b385

SHA1
87ab9bc9c4bcc617b77ce17e0bfc26cc335ed116

SHA256
5a65b95569003802824aa374dd97fea4e8319b189e251a7bd4ef669740545f4a

SHA512
78071240d004593b1927424f31fbfe7ce0747ce8bb84941adf0bc953d5176dc44a97c4457757391ea0edf3c45e4c3944273d3ae68be730aac3c6b498626afd2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cznwndc0.dll

Filesize
76KB

MD5
d82b0419a70ddacf62f6d99ce6039d3b

SHA1
80c69982928aaaeee738eca0a617a2deaf45be4e

SHA256
741dd35b5d5e168620ea1a278d116a2fde6d61de3b5a981d9d4d8e4881a77ede

SHA512
f3e6172310341a581f9bf41ad4ca517e6ca54ac139b9519b8998cdb1d608e4db5fe307dc0ce870956da496e57f70a1d3fda6ee1833ee367a80836d6ce7a3d50f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xtdbogmtbxgetolt.exe

Filesize
903KB

MD5
e01f6c2e3489ec4f372f5e42043c76ad

SHA1
ff18a6f8f0535cb90bd1be41c5f751eb7e68c9bf

SHA256
78afefee16a6e648a08f0e348c086dde76f917e24b45dd4c64124fa0645f8d97

SHA512
b7eb8aaf68bc5a91e94bb1889cda2d0c22af3cbf4011134b6b4d86d08ca6e945002f868a3c818fb0aa0e551193863167c874f4780aa93142b7e74768d96dd932

Download Submit
C:\Windows\SysWOW64\_tmp9877

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCC4F6.tmp

Filesize
676B

MD5
3f2c48ed4782436c9202e8a15c8bd7d8

SHA1
61d3522dfaa2386341d78b6b6ac0f1be9bc44a45

SHA256
b7d32fdb0e07cfcb1d139125fca65d28b61c9352b4f53a6786834a5180b66677

SHA512
ef9dab420528b087b2d004c1ffa43e1e31c6fa5fde04dd7abc8a114c016aef74dd266de3a0b95421df04ab38e0e6fe4ac6cd2bc703268cbec21efedd71d3ef83

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cznwndc0.0.cs

Filesize
208KB

MD5
7abd0662fafb055b82242b63f272d90d

SHA1
d2b7a1608c11437a5a712c305a951ce36cdb767a

SHA256
b45676dcc258dcea09c7b507b3fb4b5360eff5741dd114f72fd288a3c4d47489

SHA512
3d7597afb78a7a3a13dc8c918d42ad17d17f7610918b94b157ec8dff4ecd8afc37a52d1329e7d7ca3f1263428a0584df342d957daf99cede83d2c56b0b2af033

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cznwndc0.cmdline

Filesize
349B

MD5
87a3f55853835e0324ca05f352e48b6f

SHA1
fa4facb3f3a2be04b3a049d428cb79ce4e36ceca

SHA256
4d77c66e1435eeafe5c9fe5d55fd17be33f236958321155959f8ceb0e5a57a1c

SHA512
f3bdf7383cd12899a521537c05e74d6aaf2d60d6b0f2bdedcbaba41cc31c578f63493130a53337d0071c9c9210bd3021c40b1e73801df42708dfe7b244b75435

Download Submit
memory/2712-38-0x00007FFD4F580000-0x00007FFD4FF21000-memory.dmp

Filesize
9.6MB

Download
memory/2712-33-0x00007FFD4F580000-0x00007FFD4FF21000-memory.dmp

Filesize
9.6MB

Download
memory/4804-23-0x000000001B1D0000-0x000000001B1DE000-memory.dmp

Filesize
56KB

Download
memory/4804-25-0x000000001BD50000-0x000000001BDEC000-memory.dmp

Filesize
624KB

Download
memory/4804-24-0x000000001B880000-0x000000001BD4E000-memory.dmp

Filesize
4.8MB

Download
memory/4804-22-0x00007FFD4F580000-0x00007FFD4FF21000-memory.dmp

Filesize
9.6MB

Download
memory/4804-19-0x000000001B0E0000-0x000000001B13C000-memory.dmp

Filesize
368KB

Download
memory/4804-18-0x00007FFD4F580000-0x00007FFD4FF21000-memory.dmp

Filesize
9.6MB

Download
memory/4804-40-0x000000001C3F0000-0x000000001C406000-memory.dmp

Filesize
88KB

Download
memory/4804-17-0x00007FFD4F835000-0x00007FFD4F836000-memory.dmp

Filesize
4KB

Download
memory/4804-42-0x000000001B040000-0x000000001B052000-memory.dmp

Filesize
72KB

Download
memory/4804-43-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

Filesize
32KB

Download
memory/4804-44-0x00007FFD4F580000-0x00007FFD4FF21000-memory.dmp

Filesize
9.6MB

Download
memory/4804-46-0x00007FFD4F580000-0x00007FFD4FF21000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing