orcus | eaae55454ba3a037f6fc934d38fd9574da848fa7b6bfc0dcf986f9b43ea1e224

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
18-02-2025 23:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

asynced.exe
Size

3.0MB
MD5

e9ef5e3e933bde251efc8782a144a914
SHA1

65391af972f53b83c3a25d01474908e247d29af9
SHA256

eaae55454ba3a037f6fc934d38fd9574da848fa7b6bfc0dcf986f9b43ea1e224
SHA512

c902c713e3c750ddd02c6d67efa7c12500acaf956ea69cb5bf6ea0dcdb0436d8b09971ef2ca47a39771bb20aa59b9a7072428d531eb519fa3fbf0b4d39841546
SSDEEP

49152:eNODf7+QSLqZeM9/04zgaMWUljQfJgVXkKAypQxb0/o9JnCmsWncFf0I74gu3zM:egyb2MnjQBEUNypSb6o9JCm

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

192.168.1.240:10134

Mutex

77864a0839f04e838299ef8d362eb706

Attributes

autostart_method
Disable
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral2/memory/1316-1-0x000001D6C5C20000-0x000001D6C5F18000-memory.dmp	orcus
behavioral2/files/0x0007000000023d5b-13.dat	orcus

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	asynced.exe

Executes dropped EXE 1 IoCs

pid	Process
5036	Orcus.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe	asynced.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	asynced.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	asynced.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5036	Orcus.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5036	Orcus.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 5036	1316	asynced.exe	86
PID 1316 wrote to memory of 5036	1316	asynced.exe	86

C:\Users\Admin\AppData\Local\Temp\asynced.exe
"C:\Users\Admin\AppData\Local\Temp\asynced.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
3.0MB

MD5
e9ef5e3e933bde251efc8782a144a914

SHA1
65391af972f53b83c3a25d01474908e247d29af9

SHA256
eaae55454ba3a037f6fc934d38fd9574da848fa7b6bfc0dcf986f9b43ea1e224

SHA512
c902c713e3c750ddd02c6d67efa7c12500acaf956ea69cb5bf6ea0dcdb0436d8b09971ef2ca47a39771bb20aa59b9a7072428d531eb519fa3fbf0b4d39841546

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
349B

MD5
89817519e9e0b4e703f07e8c55247861

SHA1
4636de1f6c997a25c3190f73f46a3fd056238d78

SHA256
f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13

SHA512
b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

Download Submit
memory/1316-22-0x00007FFA763E0000-0x00007FFA76EA1000-memory.dmp

Filesize
10.8MB

Download
memory/1316-1-0x000001D6C5C20000-0x000001D6C5F18000-memory.dmp

Filesize
3.0MB

Download
memory/1316-2-0x000001D6C7B40000-0x000001D6C7B9C000-memory.dmp

Filesize
368KB

Download
memory/1316-3-0x000001D6C62A0000-0x000001D6C62AE000-memory.dmp

Filesize
56KB

Download
memory/1316-4-0x00007FFA763E0000-0x00007FFA76EA1000-memory.dmp

Filesize
10.8MB

Download
memory/1316-5-0x000001D6C6480000-0x000001D6C6492000-memory.dmp

Filesize
72KB

Download
memory/1316-0-0x00007FFA763E3000-0x00007FFA763E5000-memory.dmp

Filesize
8KB

Download
memory/5036-23-0x00007FFA763E0000-0x00007FFA76EA1000-memory.dmp

Filesize
10.8MB

Download
memory/5036-24-0x00007FFA763E0000-0x00007FFA76EA1000-memory.dmp

Filesize
10.8MB

Download
memory/5036-25-0x0000026F533D0000-0x0000026F533E2000-memory.dmp

Filesize
72KB

Download
memory/5036-26-0x0000026F6BC50000-0x0000026F6BC68000-memory.dmp

Filesize
96KB

Download
memory/5036-27-0x0000026F6C1A0000-0x0000026F6C362000-memory.dmp

Filesize
1.8MB

Download
memory/5036-28-0x0000026F533E0000-0x0000026F533F0000-memory.dmp

Filesize
64KB

Download
memory/5036-29-0x00007FFA763E0000-0x00007FFA76EA1000-memory.dmp

Filesize
10.8MB

Download