orcus | d9dc36b7bedf2632fe0a7ca99478b20406d288a69bd7b65e5da2c9d748a5b81f

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2025 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RamBoost.exe
Size

11.1MB
MD5

a5c93db4c83dab084d6d4ae80ce1e527
SHA1

e90866ae65781058b98cb155e35b7ce1445d6139
SHA256

d9dc36b7bedf2632fe0a7ca99478b20406d288a69bd7b65e5da2c9d748a5b81f
SHA512

e61fdcabc99dbef705ac83dfa347c5f12b584ceec8b4f2fa7997a3f12722944987e65620d2f8764174e2145e7b3e7cf31372f4a591a38e4fc4496063f03e35b7
SSDEEP

24576:CuQ4MROxnFD3+74S4xrZlI0AilFEvxHiVq7:CuzMiJxrZlI0AilFEvxHi4

Score

10^/10

orcus discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

dandev.us.to:1015

Mutex

33346576134e432b900bfc3fb9baec32

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%temp%\Updater.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\Watchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000400000001e64b-54.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x000400000001e64b-54.dat	orcus
behavioral2/memory/516-64-0x0000000000F70000-0x0000000001088000-memory.dmp	orcus

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	RamBoost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	Watchdog.exe

Executes dropped EXE 6 IoCs

pid	Process
3100	WindowsInput.exe
624	WindowsInput.exe
516	Updater.exe
4720	Updater.exe
2272	Watchdog.exe
3012	Watchdog.exe

Loads dropped DLL 1 IoCs

pid	Process
516	Updater.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	RamBoost.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RamBoost.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe	RamBoost.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	RamBoost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	RamBoost.exe
File created	C:\Windows\assembly\Desktop.ini	RamBoost.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RamBoost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Watchdog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Watchdog.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
516	Updater.exe
516	Updater.exe
516	Updater.exe
3012	Watchdog.exe
3012	Watchdog.exe
3012	Watchdog.exe
516	Updater.exe
3012	Watchdog.exe
516	Updater.exe
3012	Watchdog.exe
516	Updater.exe
3012	Watchdog.exe
516	Updater.exe
3012	Watchdog.exe
516	Updater.exe
3012	Watchdog.exe
516	Updater.exe
3012	Watchdog.exe
516	Updater.exe
3012	Watchdog.exe
516	Updater.exe
3012	Watchdog.exe
516	Updater.exe
3012	Watchdog.exe
516	Updater.exe
3012	Watchdog.exe
516	Updater.exe
3012	Watchdog.exe
516	Updater.exe
3012	Watchdog.exe
516	Updater.exe
3012	Watchdog.exe
516	Updater.exe
3012	Watchdog.exe
516	Updater.exe
3012	Watchdog.exe
516	Updater.exe
3012	Watchdog.exe
516	Updater.exe
3012	Watchdog.exe
516	Updater.exe
3012	Watchdog.exe
516	Updater.exe
3012	Watchdog.exe
516	Updater.exe
3012	Watchdog.exe
516	Updater.exe
3012	Watchdog.exe
516	Updater.exe
3012	Watchdog.exe
516	Updater.exe
3012	Watchdog.exe
516	Updater.exe
3012	Watchdog.exe
516	Updater.exe
3012	Watchdog.exe
516	Updater.exe
3012	Watchdog.exe
516	Updater.exe
3012	Watchdog.exe
516	Updater.exe
3012	Watchdog.exe
516	Updater.exe
3012	Watchdog.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	516	Updater.exe
Token: SeDebugPrivilege	2272	Watchdog.exe
Token: SeDebugPrivilege	3012	Watchdog.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
516	Updater.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 4036	2104	RamBoost.exe	86
PID 2104 wrote to memory of 4036	2104	RamBoost.exe	86
PID 4036 wrote to memory of 860	4036	csc.exe	88
PID 4036 wrote to memory of 860	4036	csc.exe	88
PID 2104 wrote to memory of 3100	2104	RamBoost.exe	89
PID 2104 wrote to memory of 3100	2104	RamBoost.exe	89
PID 2104 wrote to memory of 516	2104	RamBoost.exe	91
PID 2104 wrote to memory of 516	2104	RamBoost.exe	91
PID 516 wrote to memory of 2272	516	Updater.exe	93
PID 516 wrote to memory of 2272	516	Updater.exe	93
PID 516 wrote to memory of 2272	516	Updater.exe	93
PID 2272 wrote to memory of 3012	2272	Watchdog.exe	94
PID 2272 wrote to memory of 3012	2272	Watchdog.exe	94
PID 2272 wrote to memory of 3012	2272	Watchdog.exe	94
PID 516 wrote to memory of 1496	516	Updater.exe	98
PID 516 wrote to memory of 1496	516	Updater.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\RamBoost.exe
"C:\Users\Admin\AppData\Local\Temp\RamBoost.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zsd9vi2x.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4036
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8F12.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8F11.tmp"
    3⤵
    PID:860
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:3100
- C:\Users\Admin\AppData\Local\Temp\Updater.exe
  "C:\Users\Admin\AppData\Local\Temp\Updater.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:516
- - C:\Users\Admin\AppData\Roaming\Watchdog.exe
    "C:\Users\Admin\AppData\Roaming\Watchdog.exe" /launchSelfAndExit "C:\Users\Admin\AppData\Local\Temp\Updater.exe" 516 /protectFile
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Users\Admin\AppData\Roaming\Watchdog.exe
      "C:\Users\Admin\AppData\Roaming\Watchdog.exe" /watchProcess "C:\Users\Admin\AppData\Local\Temp\Updater.exe" 516 "/protectFile"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3012
- - C:\Windows\SYSTEM32\shutdown.exe
    "shutdown.exe" /l /t 0
    3⤵
    PID:1496

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:624

C:\Users\Admin\AppData\Local\Temp\Updater.exe
C:\Users\Admin\AppData\Local\Temp\Updater.exe
1⤵
- Executes dropped EXE
PID:4720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Watchdog.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8F12.tmp

Filesize
1KB

MD5
311e420b91787ef888a4e01880365de3

SHA1
70bc7ce364bd8cab8be1a8d0b8d643bb5f274402

SHA256
ea24c3570b17e3ced39aea6f081b00b6447bf086dbbef7464eea6dca034575fa

SHA512
2a2e7c4d52438365df849d2e8fdc935f5937f5041b8a1b795290f67511154ea80acb787b769e903afcada07504f42dfb6a1813c265f0ff31b36796c3a39bfe88

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updater.exe

Filesize
11.1MB

MD5
a5c93db4c83dab084d6d4ae80ce1e527

SHA1
e90866ae65781058b98cb155e35b7ce1445d6139

SHA256
d9dc36b7bedf2632fe0a7ca99478b20406d288a69bd7b65e5da2c9d748a5b81f

SHA512
e61fdcabc99dbef705ac83dfa347c5f12b584ceec8b4f2fa7997a3f12722944987e65620d2f8764174e2145e7b3e7cf31372f4a591a38e4fc4496063f03e35b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zsd9vi2x.dll

Filesize
76KB

MD5
e7875cbdbd78653e051c29bdf85a156a

SHA1
1a80394edf73165c033890983cd2d08254f9143b

SHA256
d9b069606e9506d7ac55c98726fb67e42e8729e9fc5a936dc16b2b0975b05a1e

SHA512
77644264d97601d8d53b408a1f2e073e2b667ab78cd6a0d46e94f1284b4da2aeeb0294e9e0b99540ac0316524cd3f7fc1fe244d575510ca19b84ae5f510abaec

Download Submit
C:\Users\Admin\AppData\Roaming\RamBoost\lib_33346576134e432b900bfc3fb9baec32\x64\turbojpeg.dll

Filesize
662KB

MD5
b36cc7f7c7148a783fbed3493bc27954

SHA1
44b39651949a00cf2a5cbba74c3210b980ae81b4

SHA256
c1ce9a872d33fb8757c59b5cd1f26c93b9eeec3e3cf57162c29a0783e6222a38

SHA512
c987c689ecc2cc57350c74ee22b66cb543535bc17b790016ec6407c3d02c539a727f5c38e1451a201e8e7ccfcb4d4639780b6e68cd38b7e67b1b28034ad738a2

Download Submit
C:\Users\Admin\AppData\Roaming\Watchdog.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8F11.tmp

Filesize
676B

MD5
4e188cca06fb8b996835dca991c23f06

SHA1
51a990bd25cf7354d5372437fa81b4d5bf8c2a79

SHA256
ff192fc3b277a4b3c26feaa3484d5313d7e05e5753cccf3710dbcaaaf0d97667

SHA512
206f0682040bdc086fb965a6a250d8cef2ca08843d68131d11f3dac4eaeeda4896a270e0fb3c501bddaea1409752d3ac28b3f25bb3b3a62c292cbfef5e6506c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zsd9vi2x.0.cs

Filesize
208KB

MD5
9d73b1d8cec7c2480c8a06d5b8405f3e

SHA1
6058c355a73133f80bc10f162b77d0a9968137a1

SHA256
8fbc5c88eb32acdce163dea7eea20e823d3ccad7f03e48f647ce061c24542265

SHA512
19591cb83932432f17a1e20fd300d3e66d11e2406d8a6e62078b38c42dbb3e57e8473fbb44708fe7b712ab3b7637cd64bde556209e302dd72db339fd4238b075

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zsd9vi2x.cmdline

Filesize
349B

MD5
17d1d65bdeee6c8b8a3b8a1c7f3ac31f

SHA1
1fac349461b2aacecded02882fd7c584839103c2

SHA256
93e637717eba82b87e9e591ebe40c94ee76c2a4012700212745136f2474ab5fd

SHA512
0bbbe85c34d5d841281c06312c4959943aeb2c4fd54c0adc899145c75037af747868b4cb51149d2b24c3faa4ee9d52d30c32707e7b8f9c6d46fbc3415ac44315

Download Submit
memory/516-128-0x000000001D1F0000-0x000000001D240000-memory.dmp

Filesize
320KB

Download
memory/516-102-0x000000001C1F0000-0x000000001C234000-memory.dmp

Filesize
272KB

Download
memory/516-97-0x0000000001700000-0x0000000001716000-memory.dmp

Filesize
88KB

Download
memory/516-92-0x00000000016D0000-0x00000000016DC000-memory.dmp

Filesize
48KB

Download
memory/516-71-0x000000001C320000-0x000000001C330000-memory.dmp

Filesize
64KB

Download
memory/516-70-0x000000001C510000-0x000000001C6D2000-memory.dmp

Filesize
1.8MB

Download
memory/516-69-0x000000001C1D0000-0x000000001C1E8000-memory.dmp

Filesize
96KB

Download
memory/516-65-0x000000001BBD0000-0x000000001BBE2000-memory.dmp

Filesize
72KB

Download
memory/516-122-0x000000001D500000-0x000000001D654000-memory.dmp

Filesize
1.3MB

Download
memory/516-117-0x0000000001720000-0x0000000001746000-memory.dmp

Filesize
152KB

Download
memory/516-112-0x000000001D140000-0x000000001D19A000-memory.dmp

Filesize
360KB

Download
memory/516-107-0x000000001C240000-0x000000001C28A000-memory.dmp

Filesize
296KB

Download
memory/516-64-0x0000000000F70000-0x0000000001088000-memory.dmp

Filesize
1.1MB

Download
memory/516-66-0x000000001BBE0000-0x000000001BC2E000-memory.dmp

Filesize
312KB

Download
memory/624-48-0x000000001A350000-0x000000001A45A000-memory.dmp

Filesize
1.0MB

Download
memory/2104-2-0x000000001B760000-0x000000001B7BC000-memory.dmp

Filesize
368KB

Download
memory/2104-6-0x000000001B950000-0x000000001B95E000-memory.dmp

Filesize
56KB

Download
memory/2104-67-0x00007FFF6A370000-0x00007FFF6AD11000-memory.dmp

Filesize
9.6MB

Download
memory/2104-7-0x000000001BE30000-0x000000001C2FE000-memory.dmp

Filesize
4.8MB

Download
memory/2104-26-0x000000001CAA0000-0x000000001CAC0000-memory.dmp

Filesize
128KB

Download
memory/2104-25-0x00000000010E0000-0x00000000010F2000-memory.dmp

Filesize
72KB

Download
memory/2104-5-0x00007FFF6A370000-0x00007FFF6AD11000-memory.dmp

Filesize
9.6MB

Download
memory/2104-0-0x00007FFF6A625000-0x00007FFF6A626000-memory.dmp

Filesize
4KB

Download
memory/2104-1-0x00007FFF6A370000-0x00007FFF6AD11000-memory.dmp

Filesize
9.6MB

Download
memory/2104-8-0x000000001C3A0000-0x000000001C43C000-memory.dmp

Filesize
624KB

Download
memory/2104-23-0x000000001CA60000-0x000000001CA76000-memory.dmp

Filesize
88KB

Download
memory/2272-85-0x0000000000510000-0x0000000000518000-memory.dmp

Filesize
32KB

Download
memory/3100-43-0x0000000002230000-0x000000000226C000-memory.dmp

Filesize
240KB

Download
memory/3100-42-0x0000000000BB0000-0x0000000000BC2000-memory.dmp

Filesize
72KB

Download
memory/3100-41-0x0000000000140000-0x000000000014C000-memory.dmp

Filesize
48KB

Download
memory/3100-40-0x00007FFF674F3000-0x00007FFF674F5000-memory.dmp

Filesize
8KB

Download
memory/4036-21-0x00007FFF6A370000-0x00007FFF6AD11000-memory.dmp

Filesize
9.6MB

Download
memory/4036-17-0x00007FFF6A370000-0x00007FFF6AD11000-memory.dmp

Filesize
9.6MB

Download