Overview

overview

10

Static

static

3

Release.rar

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    24s
  • max time network
    26s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    06-01-2025 13:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Release.rar

  • Size

    20.8MB

  • MD5

    5cc2b4b8cb72a593f59bd7673519ebd5

  • SHA1

    44a44f9c5030ad8b33a96ea96e661e22dc3e40fa

  • SHA256

    7035d5b2091822730ef2550e6ae60358bffdfa7cfe88643251d8c8de1883d40b

  • SHA512

    8a5499e9f0b727362ecc7021b9865bcd869f2a5864439d3d99c0564bc8956f630698ae55c23e14470af519131720f6c29cfde82a344623664bedaa18e86912f1

  • SSDEEP

    393216:hcVM/SrrTB8wq73zdXKlmxB0OjM1OwjFar0knvmmYhB186lAvtszHz/F3g:QwcTB8wEh6lmxyL5BstEdg

Score
10/10
orcusratspywarestealer

Malware Config

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcus family
    orcus
  • Orcurs Rat Executable 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Release.rar"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4236
  • C:\Users\Admin\Desktop\Mozilla Firefox.exe
    "C:\Users\Admin\Desktop\Mozilla Firefox.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Desktop\Mozilla Firefox.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3004
      • C:\Windows\system32\certutil.exe
        certutil -hashfile "C:\Users\Admin\Desktop\Mozilla Firefox.exe" MD5
        3⤵
          PID:2212
        • C:\Windows\system32\find.exe
          find /i /v "md5"
          3⤵
            PID:2708
          • C:\Windows\system32\find.exe
            find /i /v "certutil"
            3⤵
              PID:4456

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\Desktop\Mozilla Firefox.exe
          Filesize

          21.1MB

          MD5

          0d4d250000aa66c43ffe3048c5821c7a

          SHA1

          1b899e72723414e17b32bbaf7c4b15ccd0960ed7

          SHA256

          ee8ef780555e9a805671bfa8775c5cbca91a8fe90d757ca380048c2c33d47b53

          SHA512

          595d9b9b704e08cedb0542569b9c0aeb800ba926918ed35ab0e390fad12ff6ebc48111cbfd1063f89969f3f113f12aa4aed35985998bdeb1aa47774a1991a350

          Download Submit

        • memory/3052-4-0x00000001403EB000-0x0000000141067000-memory.dmp

          Filesize

          12.5MB

          Download

        • memory/3052-6-0x00007FFC4D360000-0x00007FFC4D362000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3052-5-0x00007FFC4D350000-0x00007FFC4D352000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3052-7-0x0000000140000000-0x000000014258A000-memory.dmp

          Filesize

          37.5MB

          Download

        • memory/3052-8-0x0000000140000000-0x000000014258A000-memory.dmp

          Filesize

          37.5MB

          Download