orcus | 7a6299c1f92c23741b546f6445655d2b28d5ec591719d7c55f942316c867f21c

General

Target

2342.exe
Size

907KB
MD5

840aae69e0ade8737af46709b0e70a12
SHA1

7cd1b72849c21e22e00677350565eee5fd004cb9
SHA256

7a6299c1f92c23741b546f6445655d2b28d5ec591719d7c55f942316c867f21c
SHA512

873798481adbeddb4011b43e1dfda20f73d4cc30cda5c964504f60fc42c71aa486b10da9330f4d90c2c457b758e0c14e8274a1b3c920ed166b60a9b523f51092
SSDEEP

12288:foHWszy2LkjKgEX0pq5g7dG1lFlWcYT70pxnnaaoawvjKgRRAYrZNrI0AilFEvxH:Deu4MROxnFDgHLrZlI0AilFEvxHidE

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

147.185.221.24:35724

Mutex

5e7767f2db524439a050fdf054bd5f58

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000800000001e547-31.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x000800000001e547-31.dat	orcus
behavioral2/memory/3192-41-0x0000000000B50000-0x0000000000C38000-memory.dmp	orcus

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	2342.exe

Executes dropped EXE 1 IoCs

pid	Process
3192	Orcus.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	2342.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	2342.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe	2342.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	2342.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	2342.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	2342.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	2342.exe
File opened for modification	C:\Windows\assembly	2342.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3192	Orcus.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3372 wrote to memory of 1352	3372	2342.exe	86
PID 3372 wrote to memory of 1352	3372	2342.exe	86
PID 1352 wrote to memory of 3476	1352	csc.exe	88
PID 1352 wrote to memory of 3476	1352	csc.exe	88
PID 3372 wrote to memory of 3192	3372	2342.exe	89
PID 3372 wrote to memory of 3192	3372	2342.exe	89

C:\Users\Admin\AppData\Local\Temp\2342.exe
"C:\Users\Admin\AppData\Local\Temp\2342.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3372
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\6fo464bo.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9CFC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9CEC.tmp"
    3⤵
    PID:3476
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
907KB

MD5
840aae69e0ade8737af46709b0e70a12

SHA1
7cd1b72849c21e22e00677350565eee5fd004cb9

SHA256
7a6299c1f92c23741b546f6445655d2b28d5ec591719d7c55f942316c867f21c

SHA512
873798481adbeddb4011b43e1dfda20f73d4cc30cda5c964504f60fc42c71aa486b10da9330f4d90c2c457b758e0c14e8274a1b3c920ed166b60a9b523f51092

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\6fo464bo.dll

Filesize
76KB

MD5
12f85431ef3da4a71e86058a00d33e5f

SHA1
0bc0aec6bc90502c073c0d4b187431be71723c35

SHA256
061710d87e378f6349998075537760e92b185d4d361a6d280a5b64a5b9d2f6de

SHA512
c7c55f2b1e94742108b2919527c53b2a66d6f07eded823c46732bee69520167b193f3d8d5edf8c389aa290157411ca180223ad1732bbbf2025fef95d0f87414e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9CFC.tmp

Filesize
1KB

MD5
0a794af2a7bfbefddada3874872c5021

SHA1
148e60299a037b55bc219700a94bcadadd34fd17

SHA256
25e54ad813825a30750666f18ef17f1b385d1d11c48eff3d45ccf9ef344a5020

SHA512
0fff4ac0c8f91d9e3aae50da5f3fc111e5b5771f9867a6b61ad810f00078f7ec1dff081075118448f4b238b7f553b88b36713d8ff7c3727ef6e4b52d5952ae3f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\6fo464bo.0.cs

Filesize
208KB

MD5
884d5e8eee26da5361fb68a52d74c753

SHA1
e732862f2c64182eb280cfc28f06aa7d6376f39e

SHA256
af2875a3c0c328f2226efb94c669712fbf19bfa2b27cdf426f0961ffa09847b6

SHA512
62746193a60835a7c9466184269232283892999cc4c91a982ad73d897b7d78d83cfcfef5236a9aeb6209dffdbdc7718cb4c67ddfaf1b11fd1de080a986015fd8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\6fo464bo.cmdline

Filesize
349B

MD5
f1374469cedee06c8e2e1a7008fa3456

SHA1
ab19e28a64d34f61ccba7dfdddfd3f00f9e2d9d6

SHA256
e927a9f18b08c3eef41c5954e979dd1dfd161db4245c54adfbe126353ece7477

SHA512
5f3f5cd37ed22a4a310dee53acf23ab3f4d7e906b2df8f5f8f8ef33c3a04fd86112f29ca6bccf95c35b4ce120b5f345a8773d31dfcea2c372b8ba9f0b1698add

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9CEC.tmp

Filesize
676B

MD5
5ba60b016429e193c6307117e756ffbf

SHA1
2d0aa1835dbd8539b514f087d5c3441a13123441

SHA256
938f97f3dc77d4635d080ef3cf7efd5a9ff750803909d4c2b8c7c67fc1bfd155

SHA512
c006007131c8b3ddb2daf1b3c0770db871eb2dec665b201f6e29ac22144a8e902b10c4b4736ba2490b7584b205f3dc31c6d87e0bb48a0749b4c64adfe0549bd5

Download Submit
memory/1352-17-0x00007FF953380000-0x00007FF953D21000-memory.dmp

Filesize
9.6MB

Download
memory/1352-21-0x00007FF953380000-0x00007FF953D21000-memory.dmp

Filesize
9.6MB

Download
memory/3192-40-0x00007FF9504F3000-0x00007FF9504F5000-memory.dmp

Filesize
8KB

Download
memory/3192-41-0x0000000000B50000-0x0000000000C38000-memory.dmp

Filesize
928KB

Download
memory/3192-45-0x0000000002E90000-0x0000000002EA0000-memory.dmp

Filesize
64KB

Download
memory/3192-44-0x0000000002EC0000-0x0000000002ED8000-memory.dmp

Filesize
96KB

Download
memory/3192-43-0x0000000002EB0000-0x0000000002EC2000-memory.dmp

Filesize
72KB

Download
memory/3372-23-0x000000001D390000-0x000000001D3A6000-memory.dmp

Filesize
88KB

Download
memory/3372-25-0x000000001BFE0000-0x000000001BFF2000-memory.dmp

Filesize
72KB

Download
memory/3372-2-0x000000001C080000-0x000000001C0DC000-memory.dmp

Filesize
368KB

Download
memory/3372-1-0x00007FF953380000-0x00007FF953D21000-memory.dmp

Filesize
9.6MB

Download
memory/3372-0-0x00007FF953635000-0x00007FF953636000-memory.dmp

Filesize
4KB

Download
memory/3372-5-0x000000001C180000-0x000000001C18E000-memory.dmp

Filesize
56KB

Download
memory/3372-42-0x00007FF953380000-0x00007FF953D21000-memory.dmp

Filesize
9.6MB

Download
memory/3372-7-0x000000001CD60000-0x000000001CDFC000-memory.dmp

Filesize
624KB

Download
memory/3372-6-0x000000001C7F0000-0x000000001CCBE000-memory.dmp

Filesize
4.8MB

Download
memory/3372-8-0x00007FF953380000-0x00007FF953D21000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing