orcus | 53ef45215a305cdeb6a25dcb51c691af9f4d545534d78e102d125536baa608b7

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2025 08:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tar.exe
Size

3.0MB
MD5

bf7895e063d2bc2e2df12a0808369f74
SHA1

c0b6158b47aee66cbe68885e582f20a388b0b146
SHA256

53ef45215a305cdeb6a25dcb51c691af9f4d545534d78e102d125536baa608b7
SHA512

e664d6a6e763c27738ef5472bab2fdf6334083756e2bbb8a92b43f29bac7f557e548f53a16c2f2d28df713744b3d9d88911ae75ca55acd8af24110641bbf1ffa
SSDEEP

49152:gAkDf7+QSLqZeM9/04zgaMWUljQfJgVXkKAypQxb0/o9JnCmYWncFf0I74gu3yM:gPyb2MnjQBEUNypSb6o9JCm

Score

10^/10

orcus discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

108.231.94.28:10134

Mutex

2c09a108509b4d9aa6f48e001c264c91

Attributes

autostart_method
Disable
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral2/memory/4312-1-0x000001F6B6980000-0x000001F6B6C7C000-memory.dmp	orcus
behavioral2/files/0x000a000000023b6c-37.dat	orcus

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	tar.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Orcus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	OrcusWatchdog.exe

Executes dropped EXE 6 IoCs

pid	Process
3860	WindowsInput.exe
3784	WindowsInput.exe
4876	Orcus.exe
3928	Orcus.exe
1540	OrcusWatchdog.exe
4972	OrcusWatchdog.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	tar.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe	tar.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Orcus\Orcus.exe	tar.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	tar.exe
File created	C:\Program Files\Orcus\Orcus.exe	tar.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OrcusWatchdog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OrcusWatchdog.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4876	Orcus.exe
4876	Orcus.exe
4876	Orcus.exe
4972	OrcusWatchdog.exe
4972	OrcusWatchdog.exe
4972	OrcusWatchdog.exe
4876	Orcus.exe
4972	OrcusWatchdog.exe
4876	Orcus.exe
4972	OrcusWatchdog.exe
4876	Orcus.exe
4972	OrcusWatchdog.exe
4876	Orcus.exe
4972	OrcusWatchdog.exe
4876	Orcus.exe
4972	OrcusWatchdog.exe
4876	Orcus.exe
4972	OrcusWatchdog.exe
4876	Orcus.exe
4972	OrcusWatchdog.exe
4876	Orcus.exe
4972	OrcusWatchdog.exe
4876	Orcus.exe
4972	OrcusWatchdog.exe
4876	Orcus.exe
4972	OrcusWatchdog.exe
4876	Orcus.exe
4972	OrcusWatchdog.exe
4876	Orcus.exe
4972	OrcusWatchdog.exe
4876	Orcus.exe
4972	OrcusWatchdog.exe
4876	Orcus.exe
4972	OrcusWatchdog.exe
4876	Orcus.exe
4972	OrcusWatchdog.exe
4876	Orcus.exe
4972	OrcusWatchdog.exe
4876	Orcus.exe
4972	OrcusWatchdog.exe
4876	Orcus.exe
4972	OrcusWatchdog.exe
4876	Orcus.exe
4972	OrcusWatchdog.exe
4876	Orcus.exe
4972	OrcusWatchdog.exe
4876	Orcus.exe
4972	OrcusWatchdog.exe
4876	Orcus.exe
4972	OrcusWatchdog.exe
4876	Orcus.exe
4972	OrcusWatchdog.exe
4876	Orcus.exe
4972	OrcusWatchdog.exe
4876	Orcus.exe
4972	OrcusWatchdog.exe
4876	Orcus.exe
4972	OrcusWatchdog.exe
4876	Orcus.exe
4972	OrcusWatchdog.exe
4876	Orcus.exe
4972	OrcusWatchdog.exe
4876	Orcus.exe
4972	OrcusWatchdog.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4876	Orcus.exe
Token: SeDebugPrivilege	1540	OrcusWatchdog.exe
Token: SeDebugPrivilege	4972	OrcusWatchdog.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4876	Orcus.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4312 wrote to memory of 3860	4312	tar.exe	82
PID 4312 wrote to memory of 3860	4312	tar.exe	82
PID 4312 wrote to memory of 4876	4312	tar.exe	84
PID 4312 wrote to memory of 4876	4312	tar.exe	84
PID 4876 wrote to memory of 1540	4876	Orcus.exe	86
PID 4876 wrote to memory of 1540	4876	Orcus.exe	86
PID 4876 wrote to memory of 1540	4876	Orcus.exe	86
PID 1540 wrote to memory of 4972	1540	OrcusWatchdog.exe	87
PID 1540 wrote to memory of 4972	1540	OrcusWatchdog.exe	87
PID 1540 wrote to memory of 4972	1540	OrcusWatchdog.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tar.exe
"C:\Users\Admin\AppData\Local\Temp\tar.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4312
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:3860
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
    "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 4876 /protectFile
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
      "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 4876 "/protectFile"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4972

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:3784

C:\Program Files\Orcus\Orcus.exe
"C:\Program Files\Orcus\Orcus.exe"
1⤵
- Executes dropped EXE
PID:3928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
3.0MB

MD5
bf7895e063d2bc2e2df12a0808369f74

SHA1
c0b6158b47aee66cbe68885e582f20a388b0b146

SHA256
53ef45215a305cdeb6a25dcb51c691af9f4d545534d78e102d125536baa608b7

SHA512
e664d6a6e763c27738ef5472bab2fdf6334083756e2bbb8a92b43f29bac7f557e548f53a16c2f2d28df713744b3d9d88911ae75ca55acd8af24110641bbf1ffa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OrcusWatchdog.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

Filesize
9KB

MD5
dee9d0fe14b2c0426ab9dec8a38ce4b9

SHA1
692bb4d3af30b03d368892e76291896565d5bc4b

SHA256
a5a2e90c471b394ea725c868580e2461a40be7a567ed917fc15cde1766239c5f

SHA512
84ce407731f13ab272e1a98c5c56c968f17b342c89cf525b1506af35c2096e249cf7929e3fc143a670f7d3c5b87e52d9349025f95ce993349e6ebc572d25a29c

Download Submit
C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe.config

Filesize
157B

MD5
7efa291047eb1202fde7765adac4b00d

SHA1
22d4846caff5e45c18e50738360579fbbed2aa8d

SHA256
807fb6eeaa7c77bf53831d8a4422a53a5d8ccd90e6bbc17c655c0817460407b6

SHA512
159c95eb1e817ba2d281f39c3939dd963ab62c0cd29bf66ca3beb0aff53f4617d47f48474e58319130ae4146a044a42fc75f63c343330c1b6d2be7034b9fa724

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
c849d33051fa1082063ea849eb073017

SHA1
9ad0af3cf679778aca3fd0b33b112aef80190eae

SHA256
a270d21a6abcf2c1178e73838d9ca9acf2cc36b174821a679fae759bc51ad500

SHA512
74742cca96531afe004ddfbeb1c6850e9698848b6beec24fd90b52c2c5084b289172eaf593b4491bcdfd9b2da5ea82f5adfb90ef2dcdad2443dbb23492c84a9a

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
349B

MD5
89817519e9e0b4e703f07e8c55247861

SHA1
4636de1f6c997a25c3190f73f46a3fd056238d78

SHA256
f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13

SHA512
b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

Download Submit
memory/1540-66-0x0000000000330000-0x0000000000338000-memory.dmp

Filesize
32KB

Download
memory/3784-31-0x0000021C4DB10000-0x0000021C4DC1A000-memory.dmp

Filesize
1.0MB

Download
memory/3860-25-0x00007FFA2AAA0000-0x00007FFA2B561000-memory.dmp

Filesize
10.8MB

Download
memory/3860-23-0x0000028D6B110000-0x0000028D6B122000-memory.dmp

Filesize
72KB

Download
memory/3860-24-0x0000028D6B1A0000-0x0000028D6B1DC000-memory.dmp

Filesize
240KB

Download
memory/3860-29-0x00007FFA2AAA0000-0x00007FFA2B561000-memory.dmp

Filesize
10.8MB

Download
memory/3860-21-0x0000028D69370000-0x0000028D6937C000-memory.dmp

Filesize
48KB

Download
memory/3860-22-0x00007FFA2AAA0000-0x00007FFA2B561000-memory.dmp

Filesize
10.8MB

Download
memory/4312-4-0x00007FFA2AAA0000-0x00007FFA2B561000-memory.dmp

Filesize
10.8MB

Download
memory/4312-0-0x00007FFA2AAA3000-0x00007FFA2AAA5000-memory.dmp

Filesize
8KB

Download
memory/4312-5-0x000001F6B8930000-0x000001F6B8942000-memory.dmp

Filesize
72KB

Download
memory/4312-46-0x00007FFA2AAA0000-0x00007FFA2B561000-memory.dmp

Filesize
10.8MB

Download
memory/4312-1-0x000001F6B6980000-0x000001F6B6C7C000-memory.dmp

Filesize
3.0MB

Download
memory/4312-2-0x000001F6D1270000-0x000001F6D12CC000-memory.dmp

Filesize
368KB

Download
memory/4312-3-0x000001F6B87D0000-0x000001F6B87DE000-memory.dmp

Filesize
56KB

Download
memory/4876-47-0x000002A273D10000-0x000002A273D22000-memory.dmp

Filesize
72KB

Download
memory/4876-52-0x000002A274CE0000-0x000002A274EA2000-memory.dmp

Filesize
1.8MB

Download
memory/4876-51-0x000002A274B00000-0x000002A274B10000-memory.dmp

Filesize
64KB

Download
memory/4876-50-0x000002A2745D0000-0x000002A2745E8000-memory.dmp

Filesize
96KB

Download
memory/4876-48-0x000002A274960000-0x000002A2749B8000-memory.dmp

Filesize
352KB

Download