orcus | 1f248d4c2028ad0b65d481f03ef96cca58392d59b523d90e2cd0322869c6c770

General

Target

435.exe
Size

907KB
MD5

d8aa21495f543065a75d6b6d5051eaf2
SHA1

54f22e7afde469f5a644e6af1bf7e9569d9655d4
SHA256

1f248d4c2028ad0b65d481f03ef96cca58392d59b523d90e2cd0322869c6c770
SHA512

2eedd9eb079e8ae8d61139ae45433cd0c30a23bfd884cfc9bc386d7df34ba7aee00b8328102d6edb01c4c817175ed4981d520ffb4341f9c56806d14872c9f50f
SSDEEP

12288:5gfe07KFML7iLMucoUe7dG1lFlWcYT70pxnnaaoawnjKgRRA4rZNrI0AilFEvxHd:utY4MROxnFbgH/rZlI0AilFEvxHiq+M

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

147.185.221.24:35724

Mutex

0c82855d014a432ea72430fd05680a9c

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x001b00000002ab26-37.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/files/0x001b00000002ab26-37.dat	orcus
behavioral1/memory/3164-47-0x00000000008E0000-0x00000000009C8000-memory.dmp	orcus

Executes dropped EXE 1 IoCs

pid	Process
3164	Orcus.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	435.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	435.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe	435.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	435.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	435.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	435.exe
File created	C:\Windows\assembly\Desktop.ini	435.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	435.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3164	Orcus.exe
Token: 33	3036	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3036	AUDIODG.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 2156	1192	435.exe	77
PID 1192 wrote to memory of 2156	1192	435.exe	77
PID 2156 wrote to memory of 4164	2156	csc.exe	79
PID 2156 wrote to memory of 4164	2156	csc.exe	79
PID 1192 wrote to memory of 3164	1192	435.exe	80
PID 1192 wrote to memory of 3164	1192	435.exe	80

C:\Users\Admin\AppData\Local\Temp\435.exe
"C:\Users\Admin\AppData\Local\Temp\435.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c-xpmn-j.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA68.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBA67.tmp"
    3⤵
    PID:4164
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3164

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004EC 0x00000000000004E4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
907KB

MD5
d8aa21495f543065a75d6b6d5051eaf2

SHA1
54f22e7afde469f5a644e6af1bf7e9569d9655d4

SHA256
1f248d4c2028ad0b65d481f03ef96cca58392d59b523d90e2cd0322869c6c770

SHA512
2eedd9eb079e8ae8d61139ae45433cd0c30a23bfd884cfc9bc386d7df34ba7aee00b8328102d6edb01c4c817175ed4981d520ffb4341f9c56806d14872c9f50f

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBA68.tmp

Filesize
1KB

MD5
5e769bc465fdc808253590e331be5a91

SHA1
34de7cef2955dcd839ba034aecbd994d51b43cca

SHA256
287ccbb4fc9453a5bafea636cd13850af9e6e55fc1b3c2d89b87b99915bd27c0

SHA512
08308e0bf47b396e4ba4847dcf47033ee1e98209147058dec860d5cdc96d782558a2d88ab74666ff36a84d6d43201fec186e1aaa95a578456fdee8caaeca0070

Download Submit
C:\Users\Admin\AppData\Local\Temp\c-xpmn-j.dll

Filesize
76KB

MD5
dfeb80681aaf80c0869b09fd11c0c4e4

SHA1
f122d4743ec8f16267bf122873e0920f6b98a74e

SHA256
d5b4c5c9d9f0a75838ffc6e7c96818ae7cf64570b1f0728b1933c43dcfd79417

SHA512
9c5eae781b335898c8962a8748fa65904f3f38af7e1023274b81e3edececf3c5b93ab73493194f5a8a670e453bf530e5cbb7522bf8e9fd683291893a0be406c3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCBA67.tmp

Filesize
676B

MD5
c67e3281889517fee34021b7ceaf6f06

SHA1
8fc9edf742db5a852ef32a303fb3df876b02809d

SHA256
18388739af098a1938feb8365700acffea19aa43c043a068b8fa996095e81041

SHA512
76b757961f9c4eb4d413e4430190a6c5380c8c898b9191c6d6f19a485fd94ab96dc9415e49e73c2dba92c99462961b7f62a6e9a3b80ac1b20ba9adc07af4d706

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\c-xpmn-j.0.cs

Filesize
208KB

MD5
0858a21925c64642efd10d29c27f4d4a

SHA1
7666da7aed3fceeceaec198a15d2c1b9783b2063

SHA256
8634d099692279ceae4b2e8a5912bf2903f186385764e986e000e8ca8a9ec39c

SHA512
6b9bb87f4bcf840a7a8f9f481c6dd0f9e3e71da0b83c943d0e43bff4d0bafb1759632fec182c514a43bd4bc874773c69f5e61db4d01380ec785fe6c4ef77a155

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\c-xpmn-j.cmdline

Filesize
349B

MD5
b9482c8f7cd4dbdb7e30174851b2213a

SHA1
35075ca31cf4caaeb02e1f82d4c306447de4e273

SHA256
96be2146c1eff413d4c92c63348f44685237dd120292fad440fa875cd55d6c36

SHA512
f155ae0f7c4b4af897a66010a5b92d4fc6deae4e652c3785a5a1a66512c8c9dfbe4ed08bf89b8d16a247e0de03480bb11d90cb0d05b6c3f50b9e70b687bf039b

Download Submit
memory/1192-26-0x000000001BC40000-0x000000001BC48000-memory.dmp

Filesize
32KB

Download
memory/1192-2-0x000000001BD70000-0x000000001BDCC000-memory.dmp

Filesize
368KB

Download
memory/1192-46-0x00007FFDE5C90000-0x00007FFDE6631000-memory.dmp

Filesize
9.6MB

Download
memory/1192-8-0x00007FFDE5C90000-0x00007FFDE6631000-memory.dmp

Filesize
9.6MB

Download
memory/1192-6-0x000000001C450000-0x000000001C91E000-memory.dmp

Filesize
4.8MB

Download
memory/1192-1-0x00007FFDE5C90000-0x00007FFDE6631000-memory.dmp

Filesize
9.6MB

Download
memory/1192-23-0x000000001CA90000-0x000000001CAA6000-memory.dmp

Filesize
88KB

Download
memory/1192-5-0x000000001BF70000-0x000000001BF7E000-memory.dmp

Filesize
56KB

Download
memory/1192-25-0x000000001BCD0000-0x000000001BCE2000-memory.dmp

Filesize
72KB

Download
memory/1192-0-0x00007FFDE5F45000-0x00007FFDE5F46000-memory.dmp

Filesize
4KB

Download
memory/1192-27-0x00007FFDE5C90000-0x00007FFDE6631000-memory.dmp

Filesize
9.6MB

Download
memory/1192-28-0x00007FFDE5F45000-0x00007FFDE5F46000-memory.dmp

Filesize
4KB

Download
memory/1192-29-0x00007FFDE5C90000-0x00007FFDE6631000-memory.dmp

Filesize
9.6MB

Download
memory/1192-7-0x000000001C9C0000-0x000000001CA5C000-memory.dmp

Filesize
624KB

Download
memory/2156-21-0x00007FFDE5C90000-0x00007FFDE6631000-memory.dmp

Filesize
9.6MB

Download
memory/2156-16-0x00007FFDE5C90000-0x00007FFDE6631000-memory.dmp

Filesize
9.6MB

Download
memory/3164-47-0x00000000008E0000-0x00000000009C8000-memory.dmp

Filesize
928KB

Download
memory/3164-48-0x0000000002C50000-0x0000000002C62000-memory.dmp

Filesize
72KB

Download
memory/3164-49-0x0000000002C60000-0x0000000002C78000-memory.dmp

Filesize
96KB

Download
memory/3164-50-0x0000000002C40000-0x0000000002C50000-memory.dmp

Filesize
64KB

Download
memory/3164-53-0x000000001C1C0000-0x000000001C1D2000-memory.dmp

Filesize
72KB

Download
memory/3164-54-0x000000001C220000-0x000000001C25C000-memory.dmp

Filesize
240KB

Download
memory/3164-55-0x000000001C520000-0x000000001C62A000-memory.dmp

Filesize
1.0MB

Download
memory/3164-56-0x000000001C800000-0x000000001C9C2000-memory.dmp

Filesize
1.8MB

Download
memory/3164-60-0x000000001CAD0000-0x000000001CC4A000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing