orcus | b3d7c8a2a2c7d51bf90a1924ab6b0d3e1b204af05e8c1adb5a3e803b98b8704d

Sharing

Copy URL

Twitter E-mail

General

Target

b3d7c8a2a2c7d51bf90a1924ab6b0d3e1b204af05e8c1adb5a3e803b98b8704d
Size

3.4MB
MD5

f2c58894de1eb8486edc2520de080c74
SHA1

914d606bb7cb101beab92ecfdacd3782e28cce71
SHA256

b3d7c8a2a2c7d51bf90a1924ab6b0d3e1b204af05e8c1adb5a3e803b98b8704d
SHA512

2e14c5411a19a692c65e057aaadc81043c6efae70f36777feea221e17e637e17f97e9b89b797a9b8e37d5096f5d5f4ba0549d5176e94adb92b2a43fec9c0510d
SSDEEP

98304:VBo8II1RTVQhfkOBzI1BIoA4FOjfU2TE6fqWq3q:VxII1RTVQhfkSEkH4FmMWqWq3q

Score

10^/10

rat orcus

Malware Config

Extracted

Family

orcus

Signatures

Orcus family
orcus

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
b3d7c8a2a2c7d51bf90a1924ab6b0d3e1b204af05e8c1adb5a3e803b98b8704d

Files

b3d7c8a2a2c7d51bf90a1924ab6b0d3e1b204af05e8c1adb5a3e803b98b8704d
.exe windows:6 windows x64 arch:x64

2bd340b83ba71ad7d37c3af1100d7aca

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

QueryPerformanceCounter
GetTickCount
MultiByteToWideChar
WideCharToMultiByte
MoveFileExW
WaitForSingleObjectEx
GetEnvironmentVariableA
GetFileType
ReadFile
PeekNamedPipe
WaitForMultipleObjects
GetCurrentProcessId
VerSetConditionMask
VerifyVersionInfoW
GetFileSizeEx
OutputDebugStringW
InitializeSListHead
GetSystemTimeAsFileTime
IsDebuggerPresent
IsProcessorFeaturePresent
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
WakeAllConditionVariable
EnterCriticalSection
InitializeCriticalSection
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
FormatMessageW
SetLastError
QueryFullProcessImageNameW
GetModuleHandleW
GetModuleHandleA
GetModuleFileNameW
UnmapViewOfFile
GetSystemInfo
CreateFileMappingW
VirtualProtect
CreateThread
GetCurrentProcess
DeleteCriticalSection
InitializeCriticalSectionEx
GetProcessHeap
HeapSize
HeapFree
HeapReAlloc
GetCurrentThreadId
SleepConditionVariableSRW
GetFileInformationByHandleEx
AreFileApisANSI
GetFileAttributesExW
FindFirstFileW
FindClose
CreateDirectoryW
GetCurrentDirectoryW
GetLocaleInfoEx
FormatMessageA
SleepEx
LoadLibraryW
GetProcAddress
FreeLibrary
GetSystemDirectoryW
QueryPerformanceFrequency
LocalFree
MapViewOfFile
LeaveCriticalSection
HeapAlloc
HeapDestroy
AddVectoredExceptionHandler
GetLastError
CloseHandle
CreateFileW
GlobalFindAtomA
GetConsoleWindow
Sleep
SetCurrentConsoleFontEx
GetStdHandle
SetConsoleTitleA
SetConsoleTextAttribute
GetConsoleScreenBufferInfo
GetModuleFileNameA

user32

MessageBoxA
GetWindowRect
SetWindowLongPtrA
GetWindowLongPtrA
ShowWindow
MoveWindow
SetLayeredWindowAttributes
GetClientRect

advapi32

AddAccessAllowedAce
GetLengthSid
GetTokenInformation
InitializeAcl
IsValidSid
RegCreateKeyExA
SetSecurityInfo
CopySid
ConvertSidToStringSidA
CryptAcquireContextW
CryptReleaseContext
CryptGetHashParam
CryptCreateHash
CryptHashData
CryptDestroyHash
SystemFunction036
CryptEncrypt
CryptImportKey
CryptDestroyKey
OpenProcessToken

shell32

ShellExecuteA

msvcp140

?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z
?iword@ios_base@std@@QEAAAEAJH@Z
?xalloc@ios_base@std@@SAHXZ
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
??7ios_base@std@@QEBA_NXZ
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?always_noconv@codecvt_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
?_Xinvalid_argument@std@@YAXPEBD@Z
_Xtime_get_ticks
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?_Random_device@std@@YAIXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
_Query_perf_counter
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
_Cnd_do_broadcast_at_thread_exit
?_Syserror_map@std@@YAPEBDH@Z
?_Xlength_error@std@@YAXPEBD@Z
?id@?$ctype@D@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Xbad_function_call@std@@YAXXZ
?_Winerror_map@std@@YAHH@Z
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Xout_of_range@std@@YAXPEBD@Z
?_Xbad_alloc@std@@YAXXZ
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?uncaught_exception@std@@YA_NXZ
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Throw_Cpp_error@std@@YAXH@Z
?clog@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
??0_Lockit@std@@QEAA@H@Z
??1_Lockit@std@@QEAA@XZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
_Query_perf_frequency
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z

crypt32

CertGetCertificateChain
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CryptQueryObject
CertGetNameStringW
CertFindExtension
CertAddCertificateContextToStore
CertFreeCertificateChain
PFXImportCertStore
CryptStringToBinaryW
CertFreeCertificateContext
CertFindCertificateInStore
CertEnumCertificatesInStore
CertCloseStore
CertOpenStore
CryptDecodeObjectEx

ws2_32

recvfrom
freeaddrinfo
getaddrinfo
sendto
ioctlsocket
WSAWaitForMultipleEvents
listen
htonl
select
__WSAFDIsSet
WSAIoctl
socket
setsockopt
recv
htons
getsockname
getpeername
connect
bind
WSACleanup
WSAStartup
inet_ntop
WSASetLastError
ntohs
inet_pton
WSAGetLastError
closesocket
WSAResetEvent
WSAEventSelect
WSAEnumNetworkEvents
WSACreateEvent
WSACloseEvent
send
getsockopt
gethostname
accept

shlwapi

PathFindFileNameW

psapi

GetModuleInformation

userenv

UnloadUserProfile

bcrypt

BCryptGenRandom

vcruntime140_1

__CxxFrameHandler4

vcruntime140

memcmp
memcpy
memmove
memset
strchr
memchr
strstr
wcschr
__C_specific_handler
__current_exception
__current_exception_context
_CxxThrowException
strrchr
__std_exception_copy
__std_exception_destroy
__std_terminate

api-ms-win-crt-runtime-l1-1-0

_initialize_onexit_table
_register_onexit_function
_crt_atexit
_cexit
_seh_filter_exe
_set_app_type
_configure_narrow_argv
_get_initial_narrow_environment
_initterm
_initterm_e
_exit
_invalid_parameter_noinfo_noreturn
__p___argc
__p___argv
_c_exit
_register_thread_local_exe_atexit_callback
_errno
terminate
system
_beginthreadex
abort
exit
_resetstkoflw
__sys_errlist
_invalid_parameter_noinfo
__sys_nerr
_initialize_narrow_environment

api-ms-win-crt-stdio-l1-1-0

fgetpos
_close
_write
_read
fputc
__acrt_iob_func
fputs
fflush
fclose
feof
fseek
_popen
_pclose
fgets
__p__commode
_set_fmode
ftell
_lseeki64
_isatty
_get_stream_buffer_pointers
__stdio_common_vsscanf
_fseeki64
fread
fsetpos
ungetc
setvbuf
fgetc
_wopen
__stdio_common_vsprintf
_wfopen
fwrite
_fileno

api-ms-win-crt-heap-l1-1-0

free
_set_new_mode
malloc
calloc
_callnewh
realloc

api-ms-win-crt-math-l1-1-0

_dsign
_dclass
_fdopen
__setusermatherr

api-ms-win-crt-convert-l1-1-0

wcstombs
strtoll
strtol
strtoul
strtod
atoi
strtoull

api-ms-win-crt-filesystem-l1-1-0

_lock_file
remove
_unlock_file
_wstat64
_fstat64
_unlink

api-ms-win-crt-locale-l1-1-0

localeconv
___lc_codepage_func
_configthreadlocale

api-ms-win-crt-environment-l1-1-0

getenv

api-ms-win-crt-time-l1-1-0

_localtime64
strftime
_time64
_gmtime64

api-ms-win-crt-string-l1-1-0

strcmp
wcsncmp
strspn
strpbrk
wcspbrk
wcsncpy
_wcsdup
strcspn
strncmp
_strdup

api-ms-win-crt-utility-l1-1-0

qsort

Sections

.text
Size: 708KB - Virtual size: 708KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 192KB - Virtual size: 191KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2.3MB - Virtual size: 2.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 30KB - Virtual size: 29KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 197KB - Virtual size: 197KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

2bd340b83ba71ad7d37c3af1100d7aca

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

shell32

msvcp140

crypt32

ws2_32

shlwapi

psapi

userenv

bcrypt

vcruntime140_1

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-utility-l1-1-0

Sections

.text Size: 708KB - Virtual size: 708KB

.rdata Size: 192KB - Virtual size: 191KB

.data Size: 2.3MB - Virtual size: 2.3MB

.pdata Size: 30KB - Virtual size: 29KB

.rsrc Size: 197KB - Virtual size: 197KB

.reloc Size: 3KB - Virtual size: 2KB

.text
Size: 708KB - Virtual size: 708KB

.rdata
Size: 192KB - Virtual size: 191KB

.data
Size: 2.3MB - Virtual size: 2.3MB

.pdata
Size: 30KB - Virtual size: 29KB

.rsrc
Size: 197KB - Virtual size: 197KB

.reloc
Size: 3KB - Virtual size: 2KB