Malware Analysis Report

2025-03-15 06:42

Sample ID 250125-q3gg3avpcs
Target ya nigga.exe
SHA256 562a88dd72bb03a4e99227652424e2f96b5172007a4331e9f208c4bf5b4b3ef3
Tags
orcus discovery rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

562a88dd72bb03a4e99227652424e2f96b5172007a4331e9f208c4bf5b4b3ef3

Threat Level: Known bad

The file ya nigga.exe was found to be: Known bad.

Malicious Activity Summary

orcus discovery rat spyware stealer

Orcus

Orcus main payload

Orcurs Rat Executable

Orcus family

Orcurs Rat Executable

Loads dropped DLL

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-25 13:46

Signatures

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Orcus family

orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-25 13:46

Reported

2025-01-25 13:49

Platform

win7-20240729-en

Max time kernel

63s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ya nigga.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus family

orcus

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Key opened
Indicator \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process C:\Users\Admin\AppData\Local\Temp\ya nigga.exe
Target N/A

Suspicious use of AdjustPrivilegeToken

Description Token: SeDebugPrivilege
Indicator N/A
Process C:\Users\Admin\AppData\Local\Temp\ya nigga.exe
Target N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ya nigga.exe

"C:\Users\Admin\AppData\Local\Temp\ya nigga.exe"

Network

Country Destination Domain Proto
PL 79.163.232.122:10134 N/A tcp

Files

memory/1172-0-0x0000000073DBE000-0x0000000073DBF000-memory.dmp

memory/1172-1-0x0000000001010000-0x00000000010F8000-memory.dmp

memory/1172-2-0x0000000000200000-0x000000000020E000-memory.dmp

memory/1172-3-0x0000000073DB0000-0x000000007449E000-memory.dmp

memory/1172-4-0x0000000000550000-0x00000000005AC000-memory.dmp

memory/1172-5-0x0000000000470000-0x0000000000482000-memory.dmp

memory/1172-6-0x00000000005F0000-0x0000000000608000-memory.dmp

memory/1172-7-0x0000000000620000-0x0000000000630000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab8401.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/1172-24-0x0000000073DBE000-0x0000000073DBF000-memory.dmp

memory/1172-25-0x0000000073DB0000-0x000000007449E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-25 13:46

Reported

2025-01-25 13:49

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ya nigga.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus family

orcus

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Key opened
Indicator \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process C:\Users\Admin\AppData\Local\Temp\ya nigga.exe
Target N/A

Suspicious use of AdjustPrivilegeToken

Description Token: SeDebugPrivilege
Indicator N/A
Process C:\Users\Admin\AppData\Local\Temp\ya nigga.exe
Target N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ya nigga.exe

"C:\Users\Admin\AppData\Local\Temp\ya nigga.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\InstallMount.vbe"

Network

Country Destination Domain Proto
PL 79.163.232.122:10134 N/A tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 22.89.16.2.in-addr.arpa udp
US 8.8.8.8:53 7.98.51.23.in-addr.arpa udp
US 8.8.8.8:53 122.232.163.79.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/4428-0-0x00000000749DE000-0x00000000749DF000-memory.dmp

memory/4428-1-0x0000000000E60000-0x0000000000F48000-memory.dmp

memory/4428-2-0x0000000005830000-0x000000000583E000-memory.dmp

memory/4428-4-0x00000000058F0000-0x000000000594C000-memory.dmp

memory/4428-3-0x00000000749D0000-0x0000000075180000-memory.dmp

memory/4428-5-0x0000000005FE0000-0x0000000006584000-memory.dmp

memory/4428-6-0x0000000005AD0000-0x0000000005B62000-memory.dmp

memory/4428-7-0x0000000005AC0000-0x0000000005AD2000-memory.dmp

memory/4428-8-0x0000000005F70000-0x0000000005F88000-memory.dmp

memory/4428-9-0x0000000005FD0000-0x0000000005FE0000-memory.dmp

memory/4428-10-0x00000000068C0000-0x00000000068CA000-memory.dmp

memory/4428-13-0x0000000007250000-0x00000000072B6000-memory.dmp

memory/4428-14-0x00000000078E0000-0x0000000007EF8000-memory.dmp

memory/4428-15-0x00000000072F0000-0x0000000007302000-memory.dmp

memory/4428-16-0x0000000007350000-0x000000000738C000-memory.dmp

memory/4428-17-0x00000000073A0000-0x00000000073EC000-memory.dmp

memory/4428-18-0x0000000007520000-0x000000000762A000-memory.dmp

memory/4428-19-0x0000000007F00000-0x00000000080C2000-memory.dmp

memory/4428-20-0x00000000749DE000-0x00000000749DF000-memory.dmp

memory/4428-21-0x00000000749D0000-0x0000000075180000-memory.dmp

C:\Users\Admin\AppData\Roaming\Orcus\lib_75ca5c5640914a7395cf7a069406fd0e\SharpDX.dll

MD5 ffb4b61cc11bec6d48226027c2c26704
SHA1 fa8b9e344accbdc4dffa9b5d821d23f0716da29e
SHA256 061542ff3fb36039b7bbffdf3e07b66176b264c1dfd834a14b09c08620717303
SHA512 48aa6130bf1f5bd6de19256bbdf754c0158b43dd122cec47bb801a7a7b56f2da268bfdec24d135621764a23278ead3dcc35911a057e2dfa55a348bae8ef7b8a9

memory/4428-26-0x0000000006A90000-0x0000000006AD4000-memory.dmp

C:\Users\Admin\AppData\Roaming\Orcus\lib_75ca5c5640914a7395cf7a069406fd0e\SharpDX.Direct3D11.dll

MD5 98eb5ba5871acdeaebf3a3b0f64be449
SHA1 c965284f60ef789b00b10b3df60ee682b4497de3
SHA256 d7617d926648849cbfef450b8f48e458ee52e2793fb2251a30094b778aa8848c
SHA512 a60025e304713d333e4b82b2d0be28087950688b049c98d2db5910c00b8d45b92e16d25ac8a58ff1318de019de3a9a00c7cbf8a6ad4b5bb1cb175dafa1b9bea2

memory/4428-33-0x0000000006AE0000-0x0000000006B2A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Orcus\lib_75ca5c5640914a7395cf7a069406fd0e\SharpDX.Direct3D9.dll

MD5 934da0e49208d0881c44fe19d5033840
SHA1 a19c5a822e82e41752a08d3bd9110db19a8a5016
SHA256 02da4af8cd4a8de19d816000caaae885e676b9e52f136ff071a279c2b8ad34c7
SHA512 de62f629c2299b50af62893244a28895d63b78138c8632449984306f45de16bd01076eadbb0d75a700215e970c1df731e202ea640236c0f0da6ed15146193b59

memory/4428-40-0x0000000006B30000-0x0000000006B8A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Orcus\lib_75ca5c5640914a7395cf7a069406fd0e\SharpDX.DXGI.dll

MD5 2b44c70c49b70d797fbb748158b5d9bb
SHA1 93e00e6527e461c45c7868d14cf05c007e478081
SHA256 3762d43c83af69cd38c9341a927ca6bd00f6bae8217c874d693047d6df4705bf
SHA512 faced62f6ecbfa2ee0d7a47e300302d23030d1f28758cbe9c442e9d8d4f8359c59088aa6237a28103e43d248c8efc7eeaf2c184028701b752df6cce92d6854d0

memory/4428-47-0x00000000066A0000-0x00000000066C6000-memory.dmp

C:\Users\Admin\AppData\Roaming\Orcus\lib_75ca5c5640914a7395cf7a069406fd0e\TurboJpegWrapper.dll

MD5 ac6acc235ebef6374bed71b37e322874
SHA1 a267baad59cd7352167636836bad4b971fcd6b6b
SHA256 047b042cebf4c851f0d14f85f16ce952f03e48c20362d4ed9390875d4900fe96
SHA512 72ac8b8c8f27264cc261297c325d14a0be2084d007c6132ab8402d87f912fe9189cb074db11625d9f86d29a6188f22a89e58ae45c9131fac4522473567017081

memory/4428-54-0x0000000008430000-0x0000000008584000-memory.dmp

C:\Users\Admin\AppData\Roaming\Orcus\lib_75ca5c5640914a7395cf7a069406fd0e\x86\turbojpeg.dll

MD5 82898ed19da89d7d44e280a3ced95e9b
SHA1 eec0af5733c642eac8c5e08479f462d1ec1ed4db
SHA256 5f4b9f8360764d75c9faaecd94f6d200c54611b33064cd216e363d973dae7c29
SHA512 ee7b884ce7d7366ee28fb17721b6c89bd4eba8fb373cdbb483e26a4ed7a74ab5db847513c54704d753d77a7e18b1fb9fee90ed6bbc0540bff702273fda36b682

memory/4428-60-0x00000000660C0000-0x000000006614F000-memory.dmp