Overview

overview

10

Static

static

10

EULA.exe

windows7-x64

10

EULA.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    23-01-2025 15:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    EULA.exe

  • Size

    903KB

  • MD5

    74e7c3dd5e6ef5b11711908ef3287ca4

  • SHA1

    51f8d9c30afe4a8008b5ebeba170867344515894

  • SHA256

    d9180bdfac53a54bca92664b13aae1db03e9ad2e789528730f4f855302588d39

  • SHA512

    32617b9ff6effab4884c3f1a40e212ca94f64b5482aad51109ae890759313a601ee1b41019e9e23e35c8d94aad1d41a6027c615641fe3586e65b2781a9d964e1

  • SSDEEP

    24576:Ham4MROxnF4HrrcI0AilFEvxHPuGaoo1:HOMiaHrrcI0AilFEvxHP

Score
10/10
orcusdiscoveryratspywarestealer

Malware Config

Extracted

Family

orcus

C2

195.88.218.71:10134

Mutex

1ca5744744c6474d88ae72987a8eded8

Attributes
  • autostart_method

    Disable

  • enable_keylogger

    false

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcus family
    orcus
  • Orcurs Rat Executable 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 38 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\EULA.exe
    "C:\Users\Admin\AppData\Local\Temp\EULA.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:2324
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\WatchPush.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2152
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2152 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2828

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    5d011252b2bb3eb296724f3061950e35

    SHA1

    b7b0653c0ba16f579c4f0c7b136dce37b4f6705a

    SHA256

    8d3c54ef0a6b6e9eb4d18b8435cda90c59ea5d5e7c3680cf069d81bc86bca420

    SHA512

    8623dac97e2c63444cb8b1e22dfe0db95fffb7ec09a9c91081b9c43de6345456e04a216a9f8a6647ec6ac7bc8adf070c92f336f07fecf4ccce7c7b850e9660a0

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    905ad9439d5a2aa834eda8620ce8f767

    SHA1

    bf83c4dc9d4826d00a879ddf867879fde94591dc

    SHA256

    963404bb195d6a080712170cde8a4212f8fc64dff2f9a979669afefe4e07d66e

    SHA512

    a2b9f079a78925e7da11a79fb17c5ec8925562f398d32601706d081f5c71bafaa39e0a0dae362cfd7a78a17318db72e42f2af9681d555b0d47c9bd3c65a65ed0

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    f5c066e52a876770f2799e8b648a6c5b

    SHA1

    b925a8d1c8096a9aa53aa90691fe519033e1ea68

    SHA256

    348292795d7a3390f5480734b17cc727b08f588dde75f36aacd222bb04688e60

    SHA512

    af6ef64ebdabd6868033ab8731db395c8a2441dcc0727140be113896f62e83ad2993958cf8e322b3136a487dd91a5cc9517cfc3a4804d9d868098c475985ab34

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    b4fad3dbc110e14bef8be3698d4077c1

    SHA1

    51ffc4a2ed41e1517a065f07a5fe3bbdab0f0faf

    SHA256

    a8d4f30e43d2f70794b6793f379d38889414821c42df4f23bd10c9d9e91ccf52

    SHA512

    1bba77661dea776d77415f465127bcfd9e85128eab8e159e8d5be0bc4e513ae1b4e3f0a54e65ddb2ea15b7e03fbf98b4ac7cecaf61f535ef13d498290944511a

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    e66783fa0c52c2ccee4e23af2d1deb33

    SHA1

    68f918f0480cb6be9e35780e5010ee07271f555a

    SHA256

    f9d49e917cec3c313211201f3acec916e6ea1a8dd44ff018fb0e072acb5cc6f2

    SHA512

    613e10df1e508e123079ee1c6532fd0950d8c101afb04e8528a460024be6d26111b202295e7b2761f1842889b43ac3409f3ad76305c0d21a65844cf3d99f240c

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    9b416d6e38799dcc564aba7cfa7f7ec9

    SHA1

    56004cc974621db97660f869a9800c9825c5b48b

    SHA256

    3963c159bb997974f7f135a3f0915ea9ca33fbe9e4909297cf71150f692ef684

    SHA512

    81f9cc2b960ed61175bbe67c84ff964f7ba871d279742d7fd69511599424e35d17f4ff396476a26ec8871716736a8552781efa5835599e6026effa01f4a9b31f

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    adbc89182a87497207d30caf2fef371b

    SHA1

    5e90221375d8156f18239839465ef4020c6e05dc

    SHA256

    eaff6ca7a862813199818a9d95fd0c4263a1b9c01c560c239949d5c4af8f58c3

    SHA512

    b90497e8085b5ae9db50a0294f5dee6e2bbdfd41438d0e0f38e008a04771267afc2036857424a488330edf5addbcfa54cdb09ebeab131b49e4b93b69c3bebda6

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    17dae34c49887256bbd8808fd35d5596

    SHA1

    7f73c42f5e36193ad787b6d363f8ba92af2e6d18

    SHA256

    8721f1da983a4f41fc08efa32220c4459d6bcb31450ec2d0b8476190477882a1

    SHA512

    adb79958fce8b07086bab8b2b4f0ab7a485a005fcf77286398a9b98fb52808079aeffe488e4e4a8a4b20ab57ec5d58ee9617fe75e0af71b116af168dd2e974e0

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    9533ee7e0e53860daec15e68377e482f

    SHA1

    4cb5ce47f3577beeb431845ced0c6ab4b4a45d1b

    SHA256

    48cf1d69d0cddc0896167e06d0ab1de2830bbcb31e804f83697ba6e5b99b4ee0

    SHA512

    b98a9cc61219a08c0ae6584db821be41d67b7111a45c20df61145e96487e381f29e6c17166caee4f5eda8a90b6a54c804cefaadf4745b9c0ef2e0f016ac1201c

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    b28112840a7591ee8678af0ff2782299

    SHA1

    2c81736253fe93cecb454bcf20fdbdd6bbe98435

    SHA256

    5fdea7febbfebab7820320bc8722dab10b47555b4052b7eb1005219f2207f220

    SHA512

    0c3c9d7b206b3e8ea7107bdb9c30a139900b8d5a6d4f6cb0529610206d6129b4b5a4a691a48d12a0a6ce7ecbd65247ea430aa23dd7c6de9a0a17c4d6f6b8cc6e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabDF78.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarED.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • memory/2324-5-0x0000000000800000-0x0000000000812000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2324-29-0x0000000074480000-0x0000000074B6E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2324-28-0x000000007448E000-0x000000007448F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2324-7-0x0000000000B90000-0x0000000000BA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2324-6-0x0000000000A60000-0x0000000000A78000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2324-0-0x000000007448E000-0x000000007448F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2324-4-0x0000000000A00000-0x0000000000A5C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2324-3-0x0000000074480000-0x0000000074B6E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2324-2-0x0000000000520000-0x000000000052E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2324-1-0x0000000000F60000-0x0000000001048000-memory.dmp

    Filesize

    928KB

    Download