orcus | 7a6299c1f92c23741b546f6445655d2b28d5ec591719d7c55f942316c867f21c

Analysis

max time kernel
163s
max time network
159s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
31/01/2025, 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2342.exe
Size

907KB
MD5

840aae69e0ade8737af46709b0e70a12
SHA1

7cd1b72849c21e22e00677350565eee5fd004cb9
SHA256

7a6299c1f92c23741b546f6445655d2b28d5ec591719d7c55f942316c867f21c
SHA512

873798481adbeddb4011b43e1dfda20f73d4cc30cda5c964504f60fc42c71aa486b10da9330f4d90c2c457b758e0c14e8274a1b3c920ed166b60a9b523f51092
SSDEEP

12288:foHWszy2LkjKgEX0pq5g7dG1lFlWcYT70pxnnaaoawvjKgRRAYrZNrI0AilFEvxH:Deu4MROxnFDgHLrZlI0AilFEvxHidE

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

147.185.221.24:35724

Mutex

5e7767f2db524439a050fdf054bd5f58

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000c000000027cb7-27.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/files/0x000c000000027cb7-27.dat	orcus
behavioral1/memory/2260-32-0x00000000001A0000-0x0000000000288000-memory.dmp	orcus

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2206060733-4028293381-3488472159-1000\Control Panel\International\Geo\Nation	2342.exe

Executes dropped EXE 1 IoCs

pid	Process
2260	Orcus.exe

Loads dropped DLL 1 IoCs

pid	Process
2260	Orcus.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	2342.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	2342.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe	2342.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	2342.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	2342.exe
File created	C:\Windows\assembly\Desktop.ini	2342.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	2342.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Orcus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Orcus.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2260	Orcus.exe
Token: 33	1948	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1948	AUDIODG.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 2428	4536	2342.exe	83
PID 4536 wrote to memory of 2428	4536	2342.exe	83
PID 2428 wrote to memory of 2308	2428	csc.exe	85
PID 2428 wrote to memory of 2308	2428	csc.exe	85
PID 4536 wrote to memory of 2260	4536	2342.exe	86
PID 4536 wrote to memory of 2260	4536	2342.exe	86

C:\Users\Admin\AppData\Local\Temp\2342.exe
"C:\Users\Admin\AppData\Local\Temp\2342.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e2hp3sm-.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7D7E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7D7D.tmp"
    3⤵
    PID:2308
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:2260

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f8 0x4dc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
907KB

MD5
840aae69e0ade8737af46709b0e70a12

SHA1
7cd1b72849c21e22e00677350565eee5fd004cb9

SHA256
7a6299c1f92c23741b546f6445655d2b28d5ec591719d7c55f942316c867f21c

SHA512
873798481adbeddb4011b43e1dfda20f73d4cc30cda5c964504f60fc42c71aa486b10da9330f4d90c2c457b758e0c14e8274a1b3c920ed166b60a9b523f51092

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7D7E.tmp

Filesize
1KB

MD5
62d6f842681efc8aa8ef68e4baeb4d78

SHA1
08408b2aa5f64cd3d4bb21105afae2a7bdc36c28

SHA256
4eb496fdf4c30e423a5fbe0adc4708bf6bede29bc4fc476442236943f505f8f5

SHA512
0788d4de372e4dcc8714f474b4d151a00cb2c7442f2bcf3483ae7c5716290ea7b4f04e960d1f682e00e6d5867ef713062a75e92b1919e0bf459f0d9db3df6dd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2hp3sm-.dll

Filesize
76KB

MD5
5de794fcdaf5da6cc49cef7471e2837b

SHA1
e7b52e15d426ec2a7f50c19f14c9b9e23d86dcd6

SHA256
6f0735a5eadf498974ed0f66bc52cb22b048cfc54f4f62e97bbabb4bcec8226f

SHA512
660f5a2b449939beca50086e5fadabead820c3b9578304ff816f5856a58f62d25979d23ad785e1eab67ad01633b337cffa35b6a4259127bf5fb901a5c6218181

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_5e7767f2db524439a050fdf054bd5f58\SharpDX.DXGI.dll

Filesize
125KB

MD5
2b44c70c49b70d797fbb748158b5d9bb

SHA1
93e00e6527e461c45c7868d14cf05c007e478081

SHA256
3762d43c83af69cd38c9341a927ca6bd00f6bae8217c874d693047d6df4705bf

SHA512
faced62f6ecbfa2ee0d7a47e300302d23030d1f28758cbe9c442e9d8d4f8359c59088aa6237a28103e43d248c8efc7eeaf2c184028701b752df6cce92d6854d0

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_5e7767f2db524439a050fdf054bd5f58\SharpDX.Direct3D11.dll

Filesize
271KB

MD5
98eb5ba5871acdeaebf3a3b0f64be449

SHA1
c965284f60ef789b00b10b3df60ee682b4497de3

SHA256
d7617d926648849cbfef450b8f48e458ee52e2793fb2251a30094b778aa8848c

SHA512
a60025e304713d333e4b82b2d0be28087950688b049c98d2db5910c00b8d45b92e16d25ac8a58ff1318de019de3a9a00c7cbf8a6ad4b5bb1cb175dafa1b9bea2

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_5e7767f2db524439a050fdf054bd5f58\SharpDX.Direct3D9.dll

Filesize
338KB

MD5
934da0e49208d0881c44fe19d5033840

SHA1
a19c5a822e82e41752a08d3bd9110db19a8a5016

SHA256
02da4af8cd4a8de19d816000caaae885e676b9e52f136ff071a279c2b8ad34c7

SHA512
de62f629c2299b50af62893244a28895d63b78138c8632449984306f45de16bd01076eadbb0d75a700215e970c1df731e202ea640236c0f0da6ed15146193b59

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_5e7767f2db524439a050fdf054bd5f58\SharpDX.dll

Filesize
247KB

MD5
ffb4b61cc11bec6d48226027c2c26704

SHA1
fa8b9e344accbdc4dffa9b5d821d23f0716da29e

SHA256
061542ff3fb36039b7bbffdf3e07b66176b264c1dfd834a14b09c08620717303

SHA512
48aa6130bf1f5bd6de19256bbdf754c0158b43dd122cec47bb801a7a7b56f2da268bfdec24d135621764a23278ead3dcc35911a057e2dfa55a348bae8ef7b8a9

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_5e7767f2db524439a050fdf054bd5f58\TurboJpegWrapper.dll

Filesize
1.3MB

MD5
ac6acc235ebef6374bed71b37e322874

SHA1
a267baad59cd7352167636836bad4b971fcd6b6b

SHA256
047b042cebf4c851f0d14f85f16ce952f03e48c20362d4ed9390875d4900fe96

SHA512
72ac8b8c8f27264cc261297c325d14a0be2084d007c6132ab8402d87f912fe9189cb074db11625d9f86d29a6188f22a89e58ae45c9131fac4522473567017081

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_5e7767f2db524439a050fdf054bd5f58\x64\turbojpeg.dll

Filesize
662KB

MD5
b36cc7f7c7148a783fbed3493bc27954

SHA1
44b39651949a00cf2a5cbba74c3210b980ae81b4

SHA256
c1ce9a872d33fb8757c59b5cd1f26c93b9eeec3e3cf57162c29a0783e6222a38

SHA512
c987c689ecc2cc57350c74ee22b66cb543535bc17b790016ec6407c3d02c539a727f5c38e1451a201e8e7ccfcb4d4639780b6e68cd38b7e67b1b28034ad738a2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC7D7D.tmp

Filesize
676B

MD5
96a85e66c298f81839093c40a974940e

SHA1
6dfc20855d110a1b8a8deb369dbeaad432840b6d

SHA256
8a157c5d82f385465bc6da61ce41db722134d830e03d968a66ef139c2bf98bf8

SHA512
66d071dde135fdfa6df150bd86d2b2149cf0674c39deab27c233d20947d9282f54830a16b7ba707d18fe7e6293f0ce403a7231580a8935774c400621d995bcc7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e2hp3sm-.0.cs

Filesize
208KB

MD5
616158d980f6f47c408d8a3c9ee3ab60

SHA1
5bb86b287b6e0d5f38a12b45a93adf5e0cee74c8

SHA256
614882c5cf5585ac0745a7aeec9d35e8e5c3f8617e3de0c5b98aa5f3549af3ac

SHA512
ed9a98bff2d613c7e5d4054a53032b2c8f96f83bc249c729719019e39e796e88c38c9158c6305046b709ee32617ea2b44ce7a9bfdf421a17921cf17a56b4cc15

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e2hp3sm-.cmdline

Filesize
349B

MD5
61211936e182f6b1a97f7e6b2ee0a1ee

SHA1
56a59a8b320e7cb9e63884233e756caee1ff1067

SHA256
2c07e83718a69c46b9174fdf1467cfd747d7064388214400e9a3d2cdea2595d6

SHA512
925f3e89a5ddee2fbaede0b5b53b75ae9ba1f1625d71851456af5bb9c3f54dda35363557adc3bc305f375317705b88096004f22c37e7a2e79de341b50684efd2

Download Submit
memory/2260-32-0x00000000001A0000-0x0000000000288000-memory.dmp

Filesize
928KB

Download
memory/2260-42-0x000000001C5C0000-0x000000001C604000-memory.dmp

Filesize
272KB

Download
memory/2260-101-0x000000001D960000-0x000000001DADA000-memory.dmp

Filesize
1.5MB

Download
memory/2260-89-0x000000001D910000-0x000000001D95A000-memory.dmp

Filesize
296KB

Download
memory/2260-88-0x000000001D6C0000-0x000000001D812000-memory.dmp

Filesize
1.3MB

Download
memory/2260-83-0x00000000660C0000-0x000000006615C000-memory.dmp

Filesize
624KB

Download
memory/2260-30-0x00007FFACBE73000-0x00007FFACBE75000-memory.dmp

Filesize
8KB

Download
memory/2260-74-0x000000001D460000-0x000000001D5B4000-memory.dmp

Filesize
1.3MB

Download
memory/2260-33-0x0000000002330000-0x0000000002342000-memory.dmp

Filesize
72KB

Download
memory/2260-34-0x000000001C2B0000-0x000000001C2C8000-memory.dmp

Filesize
96KB

Download
memory/2260-35-0x0000000002310000-0x0000000002320000-memory.dmp

Filesize
64KB

Download
memory/2260-36-0x000000001CBF0000-0x000000001CC02000-memory.dmp

Filesize
72KB

Download
memory/2260-37-0x000000001CC50000-0x000000001CC8C000-memory.dmp

Filesize
240KB

Download
memory/2260-38-0x000000001CDA0000-0x000000001CEAA000-memory.dmp

Filesize
1.0MB

Download
memory/2260-39-0x000000001D080000-0x000000001D242000-memory.dmp

Filesize
1.8MB

Download
memory/2260-66-0x000000001C580000-0x000000001C5A6000-memory.dmp

Filesize
152KB

Download
memory/2260-58-0x000000001D2A0000-0x000000001D2FA000-memory.dmp

Filesize
360KB

Download
memory/2260-50-0x000000001D250000-0x000000001D29A000-memory.dmp

Filesize
296KB

Download
memory/2428-16-0x00007FFACE5A0000-0x00007FFACEF41000-memory.dmp

Filesize
9.6MB

Download
memory/2428-21-0x00007FFACE5A0000-0x00007FFACEF41000-memory.dmp

Filesize
9.6MB

Download
memory/4536-7-0x000000001C680000-0x000000001CB4E000-memory.dmp

Filesize
4.8MB

Download
memory/4536-8-0x000000001CB50000-0x000000001CBEC000-memory.dmp

Filesize
624KB

Download
memory/4536-6-0x000000001B6E0000-0x000000001B6EE000-memory.dmp

Filesize
56KB

Download
memory/4536-3-0x000000001B5F0000-0x000000001B64C000-memory.dmp

Filesize
368KB

Download
memory/4536-23-0x000000001D200000-0x000000001D216000-memory.dmp

Filesize
88KB

Download
memory/4536-0-0x00007FFACE855000-0x00007FFACE856000-memory.dmp

Filesize
4KB

Download
memory/4536-2-0x00007FFACE5A0000-0x00007FFACEF41000-memory.dmp

Filesize
9.6MB

Download
memory/4536-1-0x00007FFACE5A0000-0x00007FFACEF41000-memory.dmp

Filesize
9.6MB

Download
memory/4536-31-0x00007FFACE5A0000-0x00007FFACEF41000-memory.dmp

Filesize
9.6MB

Download
memory/4536-25-0x0000000001020000-0x0000000001032000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads