Overview

overview

10

Static

static

3

734f871a32...f9.dll

windows7-x64

7

734f871a32...f9.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-02-2025 15:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    734f871a3233c3cedc9ff22e0bdb889171ac464cfdb8a6b41ee2a2fe419602f9.dll

  • Size

    3.3MB

  • MD5

    009767e32fc980fdc21862e401dea611

  • SHA1

    69aaa8c81e383fee43f0b09f42a26dfe4afa70ca

  • SHA256

    734f871a3233c3cedc9ff22e0bdb889171ac464cfdb8a6b41ee2a2fe419602f9

  • SHA512

    447b834e04e86f39ab578aef1598673b6e3cbc732896f8db88530f879dae1a831743322407d498dd5cadb76c853290dd9785c8ae86fcf778e87e62c5df465fef

  • SSDEEP

    98304:lWI49Noj2V+HFZMYPgPhoVjgPmbcX6noKNe+:lWI43T+HgK9MmbtoKND

Score
10/10
orcusnew membersdiscoveryratspywarestealer

Malware Config

Extracted

Family

orcus

Botnet

new members

C2

31.44.184.52:54539

Mutex

sudo_a07a7kdh0lxw5evj0v7ftbb9yk0hrhbo

Attributes
  • autostart_method

    Disable

  • enable_keylogger

    false

  • install_path

    %appdata%\temppythongeo\longpolllongpoll.exe

  • reconnect_delay

    10000

  • registry_keyname

    Sudik

  • taskscheduler_taskname

    sudik

  • watchdog_path

    AppData\aga.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcus family
    orcus
  • Orcurs Rat Executable 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\734f871a3233c3cedc9ff22e0bdb889171ac464cfdb8a6b41ee2a2fe419602f9.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4540
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\734f871a3233c3cedc9ff22e0bdb889171ac464cfdb8a6b41ee2a2fe419602f9.dll,#1
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2912
      • C:\Users\Admin\AppData\Local\Temp\temADF3.tmp
        "C:\Users\Admin\AppData\Local\Temp\temADF3.tmp"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4964
        • C:\Users\Admin\AppData\Local\Temp\temADF3.tmp
          "C:\Users\Admin\AppData\Local\Temp\temADF3.tmp"
          4⤵
          • Executes dropped EXE
          PID:4868
        • C:\Users\Admin\AppData\Local\Temp\temADF3.tmp
          "C:\Users\Admin\AppData\Local\Temp\temADF3.tmp"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3064
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 824
          4⤵
          • Program crash
          PID:2512
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4964 -ip 4964
    1⤵
      PID:632

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\temADF3.tmp
      Filesize

      3.0MB

      MD5

      26d034e445c22951d395eadaf3803f08

      SHA1

      8c27f66cb3c4b6da6abe27aca7ca6ab17411635c

      SHA256

      ca12699339e187db1b1a73ec8510952652c6d03fa9ef90e96eafde13ca577438

      SHA512

      4d561384995b9414339a1742a249ee4311b32da16cc8593e77ae758b206b9f7e5b81679947467967c9188b242d47cd8205998ea0f5cb0d143e70f59c29cef1ef

      Download Submit

    • memory/3064-18-0x0000000006020000-0x0000000006038000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3064-26-0x00000000074B0000-0x00000000074FC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3064-20-0x0000000006AA0000-0x0000000006AAA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3064-19-0x0000000006070000-0x0000000006080000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3064-10-0x0000000000400000-0x00000000006FE000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/3064-12-0x0000000073D60000-0x0000000074510000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3064-13-0x0000000005620000-0x000000000562E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3064-14-0x00000000058A0000-0x00000000058FC000-memory.dmp

      Filesize

      368KB

      Download

    • memory/3064-16-0x0000000073D60000-0x0000000074510000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3064-15-0x0000000005B70000-0x0000000005C02000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3064-17-0x0000000005B60000-0x0000000005B72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3064-31-0x00000000087C0000-0x0000000008810000-memory.dmp

      Filesize

      320KB

      Download

    • memory/3064-32-0x0000000073D60000-0x0000000074510000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3064-30-0x0000000007830000-0x00000000078CC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3064-29-0x0000000007600000-0x000000000760E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3064-22-0x00000000073A0000-0x0000000007406000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3064-23-0x0000000007A30000-0x0000000008048000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3064-24-0x0000000007410000-0x0000000007422000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3064-25-0x0000000007470000-0x00000000074AC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3064-28-0x0000000008050000-0x0000000008212000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3064-27-0x0000000007640000-0x000000000774A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4964-5-0x0000000000DB0000-0x00000000010BE000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/4964-8-0x0000000073D60000-0x0000000074510000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4964-6-0x0000000005F30000-0x00000000064D4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4964-4-0x0000000073D6E000-0x0000000073D6F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4964-21-0x0000000073D60000-0x0000000074510000-memory.dmp

      Filesize

      7.7MB

      Download