orcus | 342f8bea18100c6d245ba3283446c02cb6b9689f9319701647daf626dba044c7

General

Target

342f8bea18100c6d245ba3283446c02cb6b9689f9319701647daf626dba044c7.exe
Size

3.0MB
MD5

bc4165ea7a72ab5e2a09d410179fcc43
SHA1

c177a8c61e65e8cbb35f25fdd988e7e7db40f571
SHA256

342f8bea18100c6d245ba3283446c02cb6b9689f9319701647daf626dba044c7
SHA512

91f30aa7ae92ddc1c674613fd7dc1ac68d426cea44ad3925a4b842d37fa964cd7b7e5f2531a76b3de89866ccc5d6b1e67e1ecf398b0bb64e09df0c8b2de70df8
SSDEEP

49152:ZGX87p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpKu/nRFfjI7L0qb:ZLHTPJg8z1mKnypSbRxo9JCm

Score

10^/10

orcus новый тег discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

Новый тег

C2

31.44.184.52:36345

Mutex

sudo_kf8bedm97o4nlte77updryap0bijng4e

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%appdata%\pythonimage\geotemp.exe
reconnect_delay
10000
registry_keyname
Sudik
taskscheduler_taskname
sudik
watchdog_path
AppData\aga.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000f000000016d3f-10.dat	family_orcus

Orcurs Rat Executable 3 IoCs

resource	yara_rule
behavioral1/memory/2164-1-0x0000000000DE0000-0x00000000010DE000-memory.dmp	orcus
behavioral1/files/0x000f000000016d3f-10.dat	orcus
behavioral1/memory/3000-18-0x00000000003E0000-0x00000000006DE000-memory.dmp	orcus

Executes dropped EXE 4 IoCs

pid	Process
3000	geotemp.exe
2576	geotemp.exe
924	geotemp.exe
2264	geotemp.exe

Loads dropped DLL 1 IoCs

pid	Process
2164	342f8bea18100c6d245ba3283446c02cb6b9689f9319701647daf626dba044c7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	342f8bea18100c6d245ba3283446c02cb6b9689f9319701647daf626dba044c7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geotemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geotemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geotemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geotemp.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 3000	2164	342f8bea18100c6d245ba3283446c02cb6b9689f9319701647daf626dba044c7.exe	29
PID 2164 wrote to memory of 3000	2164	342f8bea18100c6d245ba3283446c02cb6b9689f9319701647daf626dba044c7.exe	29
PID 2164 wrote to memory of 3000	2164	342f8bea18100c6d245ba3283446c02cb6b9689f9319701647daf626dba044c7.exe	29
PID 2164 wrote to memory of 3000	2164	342f8bea18100c6d245ba3283446c02cb6b9689f9319701647daf626dba044c7.exe	29
PID 1740 wrote to memory of 2576	1740	taskeng.exe	31
PID 1740 wrote to memory of 2576	1740	taskeng.exe	31
PID 1740 wrote to memory of 2576	1740	taskeng.exe	31
PID 1740 wrote to memory of 2576	1740	taskeng.exe	31
PID 1740 wrote to memory of 924	1740	taskeng.exe	32
PID 1740 wrote to memory of 924	1740	taskeng.exe	32
PID 1740 wrote to memory of 924	1740	taskeng.exe	32
PID 1740 wrote to memory of 924	1740	taskeng.exe	32
PID 1740 wrote to memory of 2264	1740	taskeng.exe	33
PID 1740 wrote to memory of 2264	1740	taskeng.exe	33
PID 1740 wrote to memory of 2264	1740	taskeng.exe	33
PID 1740 wrote to memory of 2264	1740	taskeng.exe	33

C:\Users\Admin\AppData\Local\Temp\342f8bea18100c6d245ba3283446c02cb6b9689f9319701647daf626dba044c7.exe
"C:\Users\Admin\AppData\Local\Temp\342f8bea18100c6d245ba3283446c02cb6b9689f9319701647daf626dba044c7.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Users\Admin\AppData\Roaming\pythonimage\geotemp.exe
  "C:\Users\Admin\AppData\Roaming\pythonimage\geotemp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3000

C:\Windows\system32\taskeng.exe
taskeng.exe {40CB7730-6206-41AF-990A-9FF698196A51} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Roaming\pythonimage\geotemp.exe
  C:\Users\Admin\AppData\Roaming\pythonimage\geotemp.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2576
- C:\Users\Admin\AppData\Roaming\pythonimage\geotemp.exe
  C:\Users\Admin\AppData\Roaming\pythonimage\geotemp.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:924
- C:\Users\Admin\AppData\Roaming\pythonimage\geotemp.exe
  C:\Users\Admin\AppData\Roaming\pythonimage\geotemp.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\pythonimage\geotemp.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\Users\Admin\AppData\Roaming\pythonimage\geotemp.exe

Filesize
3.0MB

MD5
bc4165ea7a72ab5e2a09d410179fcc43

SHA1
c177a8c61e65e8cbb35f25fdd988e7e7db40f571

SHA256
342f8bea18100c6d245ba3283446c02cb6b9689f9319701647daf626dba044c7

SHA512
91f30aa7ae92ddc1c674613fd7dc1ac68d426cea44ad3925a4b842d37fa964cd7b7e5f2531a76b3de89866ccc5d6b1e67e1ecf398b0bb64e09df0c8b2de70df8

Download Submit
memory/2164-15-0x0000000074370000-0x0000000074A5E000-memory.dmp

Filesize
6.9MB

Download
memory/2164-1-0x0000000000DE0000-0x00000000010DE000-memory.dmp

Filesize
3.0MB

Download
memory/2164-2-0x0000000074370000-0x0000000074A5E000-memory.dmp

Filesize
6.9MB

Download
memory/2164-3-0x00000000003D0000-0x00000000003DE000-memory.dmp

Filesize
56KB

Download
memory/2164-4-0x00000000048F0000-0x000000000494C000-memory.dmp

Filesize
368KB

Download
memory/2164-5-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/2164-0-0x000000007437E000-0x000000007437F000-memory.dmp

Filesize
4KB

Download
memory/3000-16-0x0000000074370000-0x0000000074A5E000-memory.dmp

Filesize
6.9MB

Download
memory/3000-18-0x00000000003E0000-0x00000000006DE000-memory.dmp

Filesize
3.0MB

Download
memory/3000-19-0x0000000074370000-0x0000000074A5E000-memory.dmp

Filesize
6.9MB

Download
memory/3000-20-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/3000-21-0x0000000000B70000-0x0000000000BBE000-memory.dmp

Filesize
312KB

Download
memory/3000-22-0x00000000023F0000-0x0000000002408000-memory.dmp

Filesize
96KB

Download
memory/3000-24-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/3000-25-0x0000000074370000-0x0000000074A5E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing