orcus | 61160780cd8f24a4ad7d46cf0e7cfdad0accbcef02c681b294fe220d3d297401

General

Target

61160780cd8f24a4ad7d46cf0e7cfdad0accbcef02c681b294fe220d3d297401.exe
Size

911KB
MD5

9ab3d6d5b0495a056c23afb26d58b01e
SHA1

e2b0d0611c9f0b9728a07ccc76f5ee9d588ca9b7
SHA256

61160780cd8f24a4ad7d46cf0e7cfdad0accbcef02c681b294fe220d3d297401
SHA512

062b3985953adbf1cc792648121624ccae60ba1f3d01ca7313a2b8768a875f3d418447a3da017a28e75ac3a08c41a757883c647780028f49ceec6c41cb066b8d
SSDEEP

24576:NBB4MROxnF4jUINrrcI0AilFEvxHPXooN:NQMimNrrcI0AilFEvxHP

Score

10^/10

orcus nursultan 1.16.5 discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

nursultan 1.16.5

C2

127.0.0.1:1268

Mutex

29e5ffc31816447189007ae4dd81fe0d

Attributes

autostart_method
Disable
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016d47-16.dat	family_orcus

Orcurs Rat Executable 3 IoCs

resource	yara_rule
behavioral1/memory/2196-1-0x00000000009A0000-0x0000000000A8A000-memory.dmp	orcus
behavioral1/files/0x0008000000016d47-16.dat	orcus
behavioral1/memory/2312-20-0x0000000000940000-0x0000000000A2A000-memory.dmp	orcus

Executes dropped EXE 2 IoCs

pid	Process
2312	Orcus.exe
2816	Orcus.exe

Loads dropped DLL 1 IoCs

pid	Process
2196	61160780cd8f24a4ad7d46cf0e7cfdad0accbcef02c681b294fe220d3d297401.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Orcus\Orcus.exe.config	61160780cd8f24a4ad7d46cf0e7cfdad0accbcef02c681b294fe220d3d297401.exe
File created	C:\Program Files (x86)\Orcus\Orcus.exe	61160780cd8f24a4ad7d46cf0e7cfdad0accbcef02c681b294fe220d3d297401.exe
File opened for modification	C:\Program Files (x86)\Orcus\Orcus.exe	61160780cd8f24a4ad7d46cf0e7cfdad0accbcef02c681b294fe220d3d297401.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61160780cd8f24a4ad7d46cf0e7cfdad0accbcef02c681b294fe220d3d297401.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orcus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orcus.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2312	Orcus.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2312	Orcus.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2312	Orcus.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2312	Orcus.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2312	2196	61160780cd8f24a4ad7d46cf0e7cfdad0accbcef02c681b294fe220d3d297401.exe	31
PID 2196 wrote to memory of 2312	2196	61160780cd8f24a4ad7d46cf0e7cfdad0accbcef02c681b294fe220d3d297401.exe	31
PID 2196 wrote to memory of 2312	2196	61160780cd8f24a4ad7d46cf0e7cfdad0accbcef02c681b294fe220d3d297401.exe	31
PID 2196 wrote to memory of 2312	2196	61160780cd8f24a4ad7d46cf0e7cfdad0accbcef02c681b294fe220d3d297401.exe	31
PID 3036 wrote to memory of 2816	3036	taskeng.exe	33
PID 3036 wrote to memory of 2816	3036	taskeng.exe	33
PID 3036 wrote to memory of 2816	3036	taskeng.exe	33
PID 3036 wrote to memory of 2816	3036	taskeng.exe	33

C:\Users\Admin\AppData\Local\Temp\61160780cd8f24a4ad7d46cf0e7cfdad0accbcef02c681b294fe220d3d297401.exe
"C:\Users\Admin\AppData\Local\Temp\61160780cd8f24a4ad7d46cf0e7cfdad0accbcef02c681b294fe220d3d297401.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Program Files (x86)\Orcus\Orcus.exe
  "C:\Program Files (x86)\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2312

C:\Windows\system32\taskeng.exe
taskeng.exe {D0F40D3A-35C4-4FEC-A42D-7706A0BB14E0} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Program Files (x86)\Orcus\Orcus.exe
  "C:\Program Files (x86)\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Orcus\Orcus.exe

Filesize
911KB

MD5
9ab3d6d5b0495a056c23afb26d58b01e

SHA1
e2b0d0611c9f0b9728a07ccc76f5ee9d588ca9b7

SHA256
61160780cd8f24a4ad7d46cf0e7cfdad0accbcef02c681b294fe220d3d297401

SHA512
062b3985953adbf1cc792648121624ccae60ba1f3d01ca7313a2b8768a875f3d418447a3da017a28e75ac3a08c41a757883c647780028f49ceec6c41cb066b8d

Download Submit
C:\Program Files (x86)\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\err_29e5ffc31816447189007ae4dd81fe0d.dat

Filesize
1KB

MD5
0b7b51780b8aa9193d5ca1a66c5a26c6

SHA1
5ca0c21bfabdafc1558a8ee5522ab53c2b6a4baf

SHA256
a66ac434410b8a98b492d340c31923c01a047ed3ea61f626e3881166cc975277

SHA512
3982e3a6d28addae7a2f6c156d176325d000155d7db3486c20b432d6afcc88edf0e245b489aba5cdac6d021f5ad44a101e88fba57b3431c503228711a1b21b48

Download Submit
memory/2196-5-0x0000000000580000-0x0000000000592000-memory.dmp

Filesize
72KB

Download
memory/2196-1-0x00000000009A0000-0x0000000000A8A000-memory.dmp

Filesize
936KB

Download
memory/2196-0-0x00000000746AE000-0x00000000746AF000-memory.dmp

Filesize
4KB

Download
memory/2196-6-0x00000000005E0000-0x00000000005E8000-memory.dmp

Filesize
32KB

Download
memory/2196-7-0x00000000005F0000-0x00000000005F8000-memory.dmp

Filesize
32KB

Download
memory/2196-3-0x0000000001F30000-0x0000000001F8C000-memory.dmp

Filesize
368KB

Download
memory/2196-18-0x00000000746A0000-0x0000000074D8E000-memory.dmp

Filesize
6.9MB

Download
memory/2196-2-0x00000000004F0000-0x00000000004FE000-memory.dmp

Filesize
56KB

Download
memory/2196-4-0x00000000746A0000-0x0000000074D8E000-memory.dmp

Filesize
6.9MB

Download
memory/2312-21-0x00000000746A0000-0x0000000074D8E000-memory.dmp

Filesize
6.9MB

Download
memory/2312-20-0x0000000000940000-0x0000000000A2A000-memory.dmp

Filesize
936KB

Download
memory/2312-23-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/2312-26-0x0000000004680000-0x00000000046CE000-memory.dmp

Filesize
312KB

Download
memory/2312-22-0x00000000746A0000-0x0000000074D8E000-memory.dmp

Filesize
6.9MB

Download
memory/2312-27-0x00000000046D0000-0x00000000046E8000-memory.dmp

Filesize
96KB

Download
memory/2312-28-0x00000000048C0000-0x00000000048D0000-memory.dmp

Filesize
64KB

Download
memory/2312-30-0x00000000746A0000-0x0000000074D8E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing