Overview

overview

10

Static

static

10

OrcusRAT/o...on.exe

windows10-2004-x64

3

OrcusRAT/o...on.exe

windows10-ltsc 2021-x64

3

OrcusRAT/o...on.exe

windows11-21h2-x64

3

OrcusRAT/s...er.exe

windows10-2004-x64

7

OrcusRAT/s...er.exe

windows10-ltsc 2021-x64

7

OrcusRAT/s...er.exe

windows11-21h2-x64

7

OrcusRAT/s...8a.dll

windows10-2004-x64

1

OrcusRAT/s...8a.dll

windows10-ltsc 2021-x64

1

OrcusRAT/s...8a.dll

windows11-21h2-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250217-en
  • resource tags

    arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    10/03/2025, 14:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    OrcusRAT/server/Orcus.Server.exe

  • Size

    3.2MB

  • MD5

    700a14ba55fb47f9b8a99ffa92267125

  • SHA1

    43ef6ab246ba72d39cd1a72dd83fee68aceba493

  • SHA256

    594f18a0b5b83c1c64c75830f8e9b2bd4d4629c9c5b9c70b3aa5f0f17b22789a

  • SHA512

    c4ab308a65f267edee887085d358df1ddf83e55fa8f3507209cebc5b44e755f17d583956d170e57e6644d70505a175d58a17f1cdaab13ba7431c4185594804b4

  • SSDEEP

    49152:VB+4yPRRGCvw2/986nZGeE9gwPs+vnEoXevXCdJsur8BF0xXIHnqww5VCkkhQIGa:VB+4mRF42/986wgzMEop+OxXIKZExc8

Score
7/10
discovery

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\OrcusRAT\server\Orcus.Server.exe
    "C:\Users\Admin\AppData\Local\Temp\OrcusRAT\server\Orcus.Server.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4316

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Costura\21E29AD7CD88FD3C37963FFA4C49AEB2\32\sqlite3.dll
    Filesize

    626KB

    MD5

    d8aec01ff14e3e7ad43a4b71e30482e4

    SHA1

    e3015f56f17d845ec7eef11d41bbbc28cc16d096

    SHA256

    da1d608be064555ab3d3d35e6db64527b8c44f3fa5ddd7c3ec723f80fc99736e

    SHA512

    f5b2f4bda0cc13e1d1c541fb0caea14081ee4daffd497e31a3d4d55d5f9d85a61158b4891a6527efe623b2f32b697ac912320d9be5c0303812ca98dcc8866fcf

    Download Submit

  • memory/4316-18-0x0000000008060000-0x0000000008090000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4316-37-0x0000000074BCE000-0x0000000074BCF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4316-7-0x0000000006010000-0x000000000604E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4316-8-0x0000000006270000-0x0000000006308000-memory.dmp

    Filesize

    608KB

    Download

  • memory/4316-9-0x0000000074BC0000-0x0000000075371000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4316-10-0x00000000068C0000-0x0000000006E66000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4316-11-0x00000000064A0000-0x0000000006736000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/4316-12-0x0000000007490000-0x0000000007AA8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4316-13-0x0000000006E70000-0x00000000071C7000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4316-14-0x0000000007AB0000-0x0000000007B42000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4316-15-0x0000000007B50000-0x0000000007BAC000-memory.dmp

    Filesize

    368KB

    Download

  • memory/4316-19-0x00000000080C0000-0x000000000810C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4316-1-0x0000000000FC0000-0x00000000012F8000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/4316-17-0x00000000088C0000-0x0000000008DEC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4316-16-0x00000000081C0000-0x0000000008382000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4316-21-0x0000000008150000-0x0000000008171000-memory.dmp

    Filesize

    132KB

    Download

  • memory/4316-20-0x0000000008490000-0x00000000084CC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4316-29-0x0000000009040000-0x000000000904A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4316-30-0x0000000074BC0000-0x0000000075371000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4316-31-0x0000000074BC0000-0x0000000075371000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4316-32-0x000000000B640000-0x000000000B65E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4316-33-0x000000000B7D0000-0x000000000B84C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/4316-35-0x000000000B690000-0x000000000B69A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4316-34-0x000000000B660000-0x000000000B66C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4316-0-0x0000000074BCE000-0x0000000074BCF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4316-38-0x0000000074BC0000-0x0000000075371000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4316-39-0x0000000060900000-0x0000000060992000-memory.dmp

    Filesize

    584KB

    Download