orcus | 51fc8dc03eca49528064dc469aafa0d1df10bd5a48a22896dfc4c5cc5f8899a5

Analysis

max time kernel
131s
max time network
150s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
17-01-2025 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nigger.exe
Size

903KB
MD5

72524fbc022c3beb0550f62e5e727343
SHA1

8671520865d2c9c31e63c4c8c5405bc6e16d30d1
SHA256

51fc8dc03eca49528064dc469aafa0d1df10bd5a48a22896dfc4c5cc5f8899a5
SHA512

a09077f5b6cfd692e7b088ed1c9da6ce4afc52ab1f60bce6f5968069d85ae78fe1bf23de185443e1ed01da01b262cc5c63e6a4cecca0bf8f5fac8a3aebe90157
SSDEEP

12288:r8shHAVBuQBBed37dG1lFlWcYT70pxnnaaoawMRVcTqSA+9rZNrI0AilFEvxHvBH:Y3s4MROxnF9LqrZlI0AilFEvxHiho

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

2.tcp.eu.ngrok.io:16912

Mutex

d2c1eb76639a415ebb82e3e5f8d92836

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0029000000046132-33.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/files/0x0029000000046132-33.dat	orcus
behavioral1/memory/3628-36-0x0000000000B40000-0x0000000000C28000-memory.dmp	orcus

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000\Control Panel\International\Geo\Nation	nigger.exe

Executes dropped EXE 1 IoCs

pid	Process
3628	Orcus.exe

Loads dropped DLL 1 IoCs

pid	Process
3628	Orcus.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	nigger.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	nigger.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
7	2.tcp.eu.ngrok.io

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe	nigger.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	nigger.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	nigger.exe
File created	C:\Windows\assembly\Desktop.ini	nigger.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	nigger.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3628	Orcus.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3628	Orcus.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3628	Orcus.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 416	828	nigger.exe	81
PID 828 wrote to memory of 416	828	nigger.exe	81
PID 416 wrote to memory of 4732	416	csc.exe	83
PID 416 wrote to memory of 4732	416	csc.exe	83
PID 828 wrote to memory of 3628	828	nigger.exe	84
PID 828 wrote to memory of 3628	828	nigger.exe	84

C:\Users\Admin\AppData\Local\Temp\nigger.exe
"C:\Users\Admin\AppData\Local\Temp\nigger.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:828
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kzxjfo0u.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:416
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES735C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC735B.tmp"
    3⤵
    PID:4732
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
903KB

MD5
72524fbc022c3beb0550f62e5e727343

SHA1
8671520865d2c9c31e63c4c8c5405bc6e16d30d1

SHA256
51fc8dc03eca49528064dc469aafa0d1df10bd5a48a22896dfc4c5cc5f8899a5

SHA512
a09077f5b6cfd692e7b088ed1c9da6ce4afc52ab1f60bce6f5968069d85ae78fe1bf23de185443e1ed01da01b262cc5c63e6a4cecca0bf8f5fac8a3aebe90157

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES735C.tmp

Filesize
1KB

MD5
167d08dbb33776ad2694c606eb36bbfe

SHA1
2c5762d44306c953fdffa816797f5654e3befb94

SHA256
d0fd6f9b1b7cfb5dd562dbf09c00d71f2cd6aeb1cd01df6bf7826070ff407f55

SHA512
bde800c88975a6f118597c85c24fb15015824a210c737d3f64045d7b03a1daac2e7a434414dd952bdb0bd6307ebfe648659e70c0128719b71da4814c0e3e5c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\kzxjfo0u.dll

Filesize
76KB

MD5
e2f483fba92afcac23f51d7907fc93d1

SHA1
5cf8990d0e07c80b724edb0f9dbcfc744a27a7f4

SHA256
3cc12f278a0f2fa67f78a454ffc20b65555fd6595cb72121c7df415f173e16b3

SHA512
00b1ea569f936907e0388f7d69eb87e9ea6ff2e6b687eb079fe4d996c613538fb872fbafb5eebe7c5c4d0063ad47c0b4428643fdf4f29ee7421e75c01482799b

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_d2c1eb76639a415ebb82e3e5f8d92836\AForge.Video.DirectShow.dll

Filesize
60KB

MD5
17ed442e8485ac3f7dc5b3c089654a61

SHA1
d3a17c1fdd6d54951141053f88bf8238dea0b937

SHA256
666d44798d94eafa1ed21af79e9bc0293ffd96f863ab5d87f78bcee9ef9ffd6b

SHA512
9118bf11760354e9971ae8b27f7f6a405e46145b39ca6e6b413cb2e729e51304b895965e9140f66c9e3ef7caa4f344762bf059688b23dd32e4c2df271394fea2

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_d2c1eb76639a415ebb82e3e5f8d92836\AForge.Video.dll

Filesize
20KB

MD5
0bd34aa29c7ea4181900797395a6da78

SHA1
ddffdcef29daddc36ca7d8ae2c8e01c1c8bb23a8

SHA256
bafa6ed04ca2782270074127a0498dde022c2a9f4096c6bb2b8e3c08bb3d404d

SHA512
a3734660c0aba1c2b27ab55f9e578371b56c82754a3b7cfd01e68c88967c8dada8d202260220831f1d1039a5a35bd1a67624398e689702481ac056d1c1ddcdb0

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_d2c1eb76639a415ebb82e3e5f8d92836\CSCore.dll

Filesize
516KB

MD5
dde3ec6e17bc518b10c99efbd09ab72e

SHA1
a2306e60b74b8a01a0dbc1199a7fffca288f2033

SHA256
60a5077b443273238e6629ce5fc3ff7ee3592ea2e377b8fc28bfe6e76bda64b8

SHA512
09a528c18291980ca7c5ddca67625035bbb21b9d95ab0854670d28c59c4e7adc6d13a356fa1d2c9ad75d16b334ae9818e06ddb10408a3e776e4ef0d7b295f877

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_d2c1eb76639a415ebb82e3e5f8d92836\SharpDX.DXGI.dll

Filesize
125KB

MD5
2b44c70c49b70d797fbb748158b5d9bb

SHA1
93e00e6527e461c45c7868d14cf05c007e478081

SHA256
3762d43c83af69cd38c9341a927ca6bd00f6bae8217c874d693047d6df4705bf

SHA512
faced62f6ecbfa2ee0d7a47e300302d23030d1f28758cbe9c442e9d8d4f8359c59088aa6237a28103e43d248c8efc7eeaf2c184028701b752df6cce92d6854d0

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_d2c1eb76639a415ebb82e3e5f8d92836\SharpDX.Direct3D11.dll

Filesize
271KB

MD5
98eb5ba5871acdeaebf3a3b0f64be449

SHA1
c965284f60ef789b00b10b3df60ee682b4497de3

SHA256
d7617d926648849cbfef450b8f48e458ee52e2793fb2251a30094b778aa8848c

SHA512
a60025e304713d333e4b82b2d0be28087950688b049c98d2db5910c00b8d45b92e16d25ac8a58ff1318de019de3a9a00c7cbf8a6ad4b5bb1cb175dafa1b9bea2

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_d2c1eb76639a415ebb82e3e5f8d92836\SharpDX.Direct3D9.dll

Filesize
338KB

MD5
934da0e49208d0881c44fe19d5033840

SHA1
a19c5a822e82e41752a08d3bd9110db19a8a5016

SHA256
02da4af8cd4a8de19d816000caaae885e676b9e52f136ff071a279c2b8ad34c7

SHA512
de62f629c2299b50af62893244a28895d63b78138c8632449984306f45de16bd01076eadbb0d75a700215e970c1df731e202ea640236c0f0da6ed15146193b59

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_d2c1eb76639a415ebb82e3e5f8d92836\SharpDX.dll

Filesize
247KB

MD5
ffb4b61cc11bec6d48226027c2c26704

SHA1
fa8b9e344accbdc4dffa9b5d821d23f0716da29e

SHA256
061542ff3fb36039b7bbffdf3e07b66176b264c1dfd834a14b09c08620717303

SHA512
48aa6130bf1f5bd6de19256bbdf754c0158b43dd122cec47bb801a7a7b56f2da268bfdec24d135621764a23278ead3dcc35911a057e2dfa55a348bae8ef7b8a9

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_d2c1eb76639a415ebb82e3e5f8d92836\TurboJpegWrapper.dll

Filesize
1.3MB

MD5
ac6acc235ebef6374bed71b37e322874

SHA1
a267baad59cd7352167636836bad4b971fcd6b6b

SHA256
047b042cebf4c851f0d14f85f16ce952f03e48c20362d4ed9390875d4900fe96

SHA512
72ac8b8c8f27264cc261297c325d14a0be2084d007c6132ab8402d87f912fe9189cb074db11625d9f86d29a6188f22a89e58ae45c9131fac4522473567017081

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_d2c1eb76639a415ebb82e3e5f8d92836\x64\turbojpeg.dll

Filesize
662KB

MD5
b36cc7f7c7148a783fbed3493bc27954

SHA1
44b39651949a00cf2a5cbba74c3210b980ae81b4

SHA256
c1ce9a872d33fb8757c59b5cd1f26c93b9eeec3e3cf57162c29a0783e6222a38

SHA512
c987c689ecc2cc57350c74ee22b66cb543535bc17b790016ec6407c3d02c539a727f5c38e1451a201e8e7ccfcb4d4639780b6e68cd38b7e67b1b28034ad738a2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC735B.tmp

Filesize
676B

MD5
45c38b2f01262e1a99c8b7a9429ca327

SHA1
5cf40071fed614916384351065af050351e7d4b2

SHA256
06039e52861b40618e679e406b01da7b7fb9651d5c1e35bd6a23c261ccdd644e

SHA512
1e6dc7207796e849724c93a7f5b62556dfb8db405ceb789f767c0d0bfc38a3f519fb61d1681282c4da0355d1f0b2877768ee61a2cce1d20c33474e6745655d14

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kzxjfo0u.0.cs

Filesize
208KB

MD5
f6eed912715ebfa4b016f02a332c2556

SHA1
ae0b4ea3fa5c0cf285f0116509445cac3f4b030d

SHA256
c722dc8a305148e73df8614281e23cb1ccd6fd6a274ba01ba48862b753aaa5e4

SHA512
31877d806278863b3e6ad1b98a0740110e1664534481bcc9ab84d42f5bea8209aa6a79f24020143c08c319fe10b695fc86f50affa3f7b0a4b06a3ac21bbbceb3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kzxjfo0u.cmdline

Filesize
349B

MD5
8f825d52c38e40172351e84bdee93dd6

SHA1
32bcdfe8551640e3814258b686d2fd41ae13977a

SHA256
4d39f46c08134e512e276fd1c2c506f65c5b4b764a8f469271231d9474c615b2

SHA512
d39591260c2a317ce9b4fec2fffd48c43905a0f68bccfa74a50fcd58698dc6f066b0f6cbe7b6cf76e30a1c49a97b81ccf3a683385de41b94fa84d38c06c29611

Download Submit
memory/416-21-0x00007FFFA6EC0000-0x00007FFFA7861000-memory.dmp

Filesize
9.6MB

Download
memory/416-16-0x00007FFFA6EC0000-0x00007FFFA7861000-memory.dmp

Filesize
9.6MB

Download
memory/828-37-0x00007FFFA6EC0000-0x00007FFFA7861000-memory.dmp

Filesize
9.6MB

Download
memory/828-5-0x000000001B800000-0x000000001B80E000-memory.dmp

Filesize
56KB

Download
memory/828-26-0x0000000001100000-0x0000000001108000-memory.dmp

Filesize
32KB

Download
memory/828-25-0x0000000001130000-0x0000000001142000-memory.dmp

Filesize
72KB

Download
memory/828-1-0x00007FFFA6EC0000-0x00007FFFA7861000-memory.dmp

Filesize
9.6MB

Download
memory/828-23-0x000000001B8F0000-0x000000001B906000-memory.dmp

Filesize
88KB

Download
memory/828-2-0x000000001B710000-0x000000001B76C000-memory.dmp

Filesize
368KB

Download
memory/828-29-0x00007FFFA6EC0000-0x00007FFFA7861000-memory.dmp

Filesize
9.6MB

Download
memory/828-6-0x000000001C830000-0x000000001CCFE000-memory.dmp

Filesize
4.8MB

Download
memory/828-7-0x00007FFFA6EC0000-0x00007FFFA7861000-memory.dmp

Filesize
9.6MB

Download
memory/828-8-0x000000001CD00000-0x000000001CD9C000-memory.dmp

Filesize
624KB

Download
memory/828-28-0x00007FFFA7175000-0x00007FFFA7176000-memory.dmp

Filesize
4KB

Download
memory/828-0-0x00007FFFA7175000-0x00007FFFA7176000-memory.dmp

Filesize
4KB

Download
memory/828-27-0x00007FFFA6EC0000-0x00007FFFA7861000-memory.dmp

Filesize
9.6MB

Download
memory/3628-55-0x000000001C810000-0x000000001C826000-memory.dmp

Filesize
88KB

Download
memory/3628-87-0x000000001C830000-0x000000001C856000-memory.dmp

Filesize
152KB

Download
memory/3628-44-0x000000001DEE0000-0x000000001E0A2000-memory.dmp

Filesize
1.8MB

Download
memory/3628-63-0x000000001D4D0000-0x000000001D514000-memory.dmp

Filesize
272KB

Download
memory/3628-43-0x000000001DC00000-0x000000001DD0A000-memory.dmp

Filesize
1.0MB

Download
memory/3628-71-0x000000001D520000-0x000000001D56A000-memory.dmp

Filesize
296KB

Download
memory/3628-42-0x000000001DAB0000-0x000000001DAEC000-memory.dmp

Filesize
240KB

Download
memory/3628-79-0x000000001D570000-0x000000001D5CA000-memory.dmp

Filesize
360KB

Download
memory/3628-41-0x000000001C9B0000-0x000000001C9C2000-memory.dmp

Filesize
72KB

Download
memory/3628-47-0x000000001C7E0000-0x000000001C7EC000-memory.dmp

Filesize
48KB

Download
memory/3628-40-0x0000000002D10000-0x0000000002D20000-memory.dmp

Filesize
64KB

Download
memory/3628-95-0x000000001E0B0000-0x000000001E204000-memory.dmp

Filesize
1.3MB

Download
memory/3628-39-0x0000000002D60000-0x0000000002D78000-memory.dmp

Filesize
96KB

Download
memory/3628-103-0x000000001DDE0000-0x000000001DE66000-memory.dmp

Filesize
536KB

Download
memory/3628-38-0x0000000002D20000-0x0000000002D32000-memory.dmp

Filesize
72KB

Download
memory/3628-109-0x000000001E940000-0x000000001EE68000-memory.dmp

Filesize
5.2MB

Download
memory/3628-36-0x0000000000B40000-0x0000000000C28000-memory.dmp

Filesize
928KB

Download