orcus | 7a6299c1f92c23741b546f6445655d2b28d5ec591719d7c55f942316c867f21c

General

Target

2342.exe
Size

907KB
MD5

840aae69e0ade8737af46709b0e70a12
SHA1

7cd1b72849c21e22e00677350565eee5fd004cb9
SHA256

7a6299c1f92c23741b546f6445655d2b28d5ec591719d7c55f942316c867f21c
SHA512

873798481adbeddb4011b43e1dfda20f73d4cc30cda5c964504f60fc42c71aa486b10da9330f4d90c2c457b758e0c14e8274a1b3c920ed166b60a9b523f51092
SSDEEP

12288:foHWszy2LkjKgEX0pq5g7dG1lFlWcYT70pxnnaaoawvjKgRRAYrZNrI0AilFEvxH:Deu4MROxnFDgHLrZlI0AilFEvxHidE

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

147.185.221.24:35724

Mutex

5e7767f2db524439a050fdf054bd5f58

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral2/files/0x001b00000002abb2-31.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x001b00000002abb2-31.dat	orcus
behavioral2/memory/1508-42-0x0000000000010000-0x00000000000F8000-memory.dmp	orcus

Executes dropped EXE 1 IoCs

pid	Process
1508	Orcus.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	2342.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	2342.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe	2342.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	2342.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	2342.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	2342.exe
File created	C:\Windows\assembly\Desktop.ini	2342.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	2342.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1508	Orcus.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 6036 wrote to memory of 1208	6036	2342.exe	77
PID 6036 wrote to memory of 1208	6036	2342.exe	77
PID 1208 wrote to memory of 5224	1208	csc.exe	79
PID 1208 wrote to memory of 5224	1208	csc.exe	79
PID 6036 wrote to memory of 1508	6036	2342.exe	80
PID 6036 wrote to memory of 1508	6036	2342.exe	80

C:\Users\Admin\AppData\Local\Temp\2342.exe
"C:\Users\Admin\AppData\Local\Temp\2342.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:6036
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bb1uj1fc.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE33.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAE32.tmp"
    3⤵
    PID:5224
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
907KB

MD5
840aae69e0ade8737af46709b0e70a12

SHA1
7cd1b72849c21e22e00677350565eee5fd004cb9

SHA256
7a6299c1f92c23741b546f6445655d2b28d5ec591719d7c55f942316c867f21c

SHA512
873798481adbeddb4011b43e1dfda20f73d4cc30cda5c964504f60fc42c71aa486b10da9330f4d90c2c457b758e0c14e8274a1b3c920ed166b60a9b523f51092

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAE33.tmp

Filesize
1KB

MD5
db6ba90dd6347c890ab91b6dbfb33603

SHA1
0002538469b964294f467cad5d94b433c57b382b

SHA256
024217b52776b045630cee1c4085db7152b27ca15f3a190af8de7669a901634b

SHA512
e615f9cc582c5332ffaea2c6820432e411d2e9b99382e1706e9c41b302aad1537d51e12e495ee0f8215e623438794bf987ef46267bd5dc81fe8f02f862dc43de

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb1uj1fc.dll

Filesize
76KB

MD5
1ac5d31a0cc51c0d61037028bf71a92c

SHA1
a8752cb20701966688d7be89e24884b91ac5990d

SHA256
71f92c8ceded77b9333933de8aeb0b790477fe0e69bdf00be3abcd7153f9c089

SHA512
40fd0cb0c47f5c13339e2dcf468134a60a1a89db68d115bea1424c7ff2d13328389bafc96fd0fa4bc24bcbafcf4984b99b18d282e05005994f9657c662d26ce0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCAE32.tmp

Filesize
676B

MD5
b4506b5ccdfdf74ddb110583d0272820

SHA1
feface1a71f3fbc9436ae6f350b1bced0a3d38cc

SHA256
37f8f75fb9d707aaf18dab547062b22c413560914768d0d966d0f74ba19035af

SHA512
b47036749b0e1e79b265c7280af7e1e1584d7c839df89c843ff6af5e64e2c248cfbbc362ebbfa995c29dd608952bc5ddb4c00399c8d82e4418f891ba643e5697

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bb1uj1fc.0.cs

Filesize
208KB

MD5
a7a4ca5e8759204a55b88c3b15c9a5d7

SHA1
bb8ef8498e3b2b7f828e2a19bdd79b47d27fe0fe

SHA256
2c61456b0eabd32f8a3497d370d5fa039467cf2d97863e5bf3145b0c12b7cde4

SHA512
bd6b6115eafc0785d2fcff06f6afc324d0baa872a44ceefca7a458ce4bf3b0c0edfbe216ef2096e7c62729d28ac9f0efc90a7e4d5eb57eec23ad802db2db4320

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bb1uj1fc.cmdline

Filesize
349B

MD5
94f54b23da82303a263982f66db60949

SHA1
7139be85d0b330bd27fcffed5a4fd758edb12885

SHA256
5284246a935c7517d907fac54845276aac9cdefff4ff383c3ef4e8259984bc2d

SHA512
28787342197ae67efc79d5ccbf42b20025994db34e643fff3cac071ba7d378bdf1cd9078677e02d3655083278d0352b8a74debec448176bd71d7b5a95adf796c

Download Submit
memory/1208-14-0x00007FF8EE690000-0x00007FF8EF031000-memory.dmp

Filesize
9.6MB

Download
memory/1208-21-0x00007FF8EE690000-0x00007FF8EF031000-memory.dmp

Filesize
9.6MB

Download
memory/1508-43-0x0000000002210000-0x0000000002222000-memory.dmp

Filesize
72KB

Download
memory/1508-44-0x0000000002220000-0x0000000002238000-memory.dmp

Filesize
96KB

Download
memory/1508-51-0x000000001BF30000-0x000000001C0F2000-memory.dmp

Filesize
1.8MB

Download
memory/1508-50-0x000000001BC50000-0x000000001BD5A000-memory.dmp

Filesize
1.0MB

Download
memory/1508-49-0x000000001B980000-0x000000001B9BC000-memory.dmp

Filesize
240KB

Download
memory/1508-48-0x000000001B920000-0x000000001B932000-memory.dmp

Filesize
72KB

Download
memory/1508-45-0x0000000002200000-0x0000000002210000-memory.dmp

Filesize
64KB

Download
memory/1508-42-0x0000000000010000-0x00000000000F8000-memory.dmp

Filesize
928KB

Download
memory/1508-40-0x00007FF8EC293000-0x00007FF8EC295000-memory.dmp

Filesize
8KB

Download
memory/6036-1-0x00007FF8EE690000-0x00007FF8EF031000-memory.dmp

Filesize
9.6MB

Download
memory/6036-41-0x00007FF8EE690000-0x00007FF8EF031000-memory.dmp

Filesize
9.6MB

Download
memory/6036-2-0x000000001B3B0000-0x000000001B40C000-memory.dmp

Filesize
368KB

Download
memory/6036-0-0x00007FF8EE945000-0x00007FF8EE946000-memory.dmp

Filesize
4KB

Download
memory/6036-8-0x000000001BFF0000-0x000000001C08C000-memory.dmp

Filesize
624KB

Download
memory/6036-25-0x0000000000E30000-0x0000000000E42000-memory.dmp

Filesize
72KB

Download
memory/6036-23-0x000000001C0C0000-0x000000001C0D6000-memory.dmp

Filesize
88KB

Download
memory/6036-5-0x000000001B5A0000-0x000000001B5AE000-memory.dmp

Filesize
56KB

Download
memory/6036-6-0x00007FF8EE690000-0x00007FF8EF031000-memory.dmp

Filesize
9.6MB

Download
memory/6036-7-0x000000001BA80000-0x000000001BF4E000-memory.dmp

Filesize
4.8MB

Download

Analysis

Sharing