orcus | 2c79679727444f53ecabaa6c6d588cefb54b9c118ef858bc7e1fdc913440086a

Analysis

max time kernel
67s
max time network
128s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.exe
Size

913KB
MD5

3ec4232085e107853eb6787e80848efa
SHA1

3cc6617af32cd1da1b7ffc0996a1a32e1a171bf1
SHA256

2c79679727444f53ecabaa6c6d588cefb54b9c118ef858bc7e1fdc913440086a
SHA512

9b7f0d5f9d18b3c54d3c65eb7df0f95a799eaeccd383ef9aae44372896bac2e629d6a26c30c47d6ef839c91559a024a1083bd5f39a3187e63e817638f3d2a999
SSDEEP

24576:7Eqr4MROxnF25bHKTlQjrZlI0AilFEvxHiON:7EjMiwjrZlI0AilFEvxHi

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

23.160.168.165:7058

Mutex

eb4cdf8f2fdf48e2948ba799aa59ebe5

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00080000000186c3-31.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/files/0x00080000000186c3-31.dat	orcus
behavioral1/memory/2640-35-0x0000000000020000-0x000000000010A000-memory.dmp	orcus

Executes dropped EXE 1 IoCs

pid	Process
2640	Orcus.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe	test.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	test.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	test.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2640	Orcus.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2640	Orcus.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2640	Orcus.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 2260	1048	test.exe	29
PID 1048 wrote to memory of 2260	1048	test.exe	29
PID 1048 wrote to memory of 2260	1048	test.exe	29
PID 2260 wrote to memory of 2548	2260	csc.exe	31
PID 2260 wrote to memory of 2548	2260	csc.exe	31
PID 2260 wrote to memory of 2548	2260	csc.exe	31
PID 1048 wrote to memory of 2640	1048	test.exe	33
PID 1048 wrote to memory of 2640	1048	test.exe	33
PID 1048 wrote to memory of 2640	1048	test.exe	33

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ghgq1r_c.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB9A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCB99.tmp"
    3⤵
    PID:2548
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
913KB

MD5
3ec4232085e107853eb6787e80848efa

SHA1
3cc6617af32cd1da1b7ffc0996a1a32e1a171bf1

SHA256
2c79679727444f53ecabaa6c6d588cefb54b9c118ef858bc7e1fdc913440086a

SHA512
9b7f0d5f9d18b3c54d3c65eb7df0f95a799eaeccd383ef9aae44372896bac2e629d6a26c30c47d6ef839c91559a024a1083bd5f39a3187e63e817638f3d2a999

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCB9A.tmp

Filesize
1KB

MD5
7aa8344a02df5f828474f8da73326ba9

SHA1
4eaa92e395b20dac1225b830c7f79d19bff56ce2

SHA256
7104da1a4029fecfe3ecb67dceb2ffe42f08295832e5e12961880c670306c6be

SHA512
6b8e3974c8c86aa58a3a90cddbeec0016947ec558a157fe897473a17cc5a2ea238f20eaa3d723170ff3d7d3c5f97d0d0bb1844f3a083127939a947d05dab105a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7305.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghgq1r_c.dll

Filesize
76KB

MD5
1f8a8abf209cb9d8aed8f8bde94fa863

SHA1
96fa18faf3f0045c666a7f2fef11ddbe2d998049

SHA256
6fa450f260cd5f72a6422ecdbed7d90e879ae704e0c7d5b49fcbfde7c1c29c4e

SHA512
aac92f71b5d1de7729375495564a23a985cf163b563801b1609c945983b2dff15dc54aa59e1ecb42f39420c602f7e58a9dc02ab496ca1a7a4865e08c51c02666

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\err_eb4cdf8f2fdf48e2948ba799aa59ebe5.dat

Filesize
1KB

MD5
db2f944592d403b3419104278c8b4630

SHA1
aa08e6738c617e46f411130257ca62ffc5ad572a

SHA256
333092ecce60fbc0edc64438722cb6989289ab4ac4eed38726a9049098281bb7

SHA512
04a90d4f6da0851c825f3a1ed3a99162627aa90847869c2b5b54bd751302a09dcfdbe7c98fb5c9e91fd5eba68a34e673e6c35b819e6b1eb916a03ed147cebf5b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCCB99.tmp

Filesize
676B

MD5
dfdf572574816d0b46b35766b8c24ef2

SHA1
05cf10aaab78065568b67d475748bea6d491113f

SHA256
15dc10ee27a46d51c0471a10b2c44619848d3fb0dfd8e03770fa0d1a7af7c5b5

SHA512
e805900fbd50bacea3f87798c6494258be09be1f056cde3c48112bb9a01ed39c1efde93917bcdf635bc0275a728cc1dca0d0f9a31c97888fc1a3c41f183f544b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ghgq1r_c.0.cs

Filesize
208KB

MD5
c555d9796194c1d9a1310a05a2264e08

SHA1
82641fc4938680519c3b2e925e05e1001cbd71d7

SHA256
ccbb8fd27ab2f27fbbd871793886ff52ff1fbd9117c98b8d190c1a96b67e498a

SHA512
0b85ca22878998c7697c589739905b218f9b264a32c8f99a9f9dd73d0687a5de46cc7e851697ee16424baf94d301e411648aa2d061ac149a6d2e06b085e07090

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ghgq1r_c.cmdline

Filesize
349B

MD5
dc21116921b5eeb5f59254d2aa648aae

SHA1
eeebe64840d652ff349e24bc5f93017acfdbb0f2

SHA256
60bc5454362a5dd527854ad207c5596ba375820e90f3638f14e9099fc58f9d1f

SHA512
53e6f1e01c57962dd6c003220076c83c0efa099d6edf7dfb58b86c93ca90b5050d3956f407e0cf299184c0f06271c970af4dcdac5f4429ff4ac6b051182b0f47

Download Submit
memory/1048-0-0x000007FEF67BE000-0x000007FEF67BF000-memory.dmp

Filesize
4KB

Download
memory/1048-19-0x0000000000E30000-0x0000000000E46000-memory.dmp

Filesize
88KB

Download
memory/1048-4-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/1048-21-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/1048-22-0x0000000000D00000-0x0000000000D08000-memory.dmp

Filesize
32KB

Download
memory/1048-23-0x0000000000D10000-0x0000000000D18000-memory.dmp

Filesize
32KB

Download
memory/1048-24-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/1048-29-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/1048-3-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/1048-33-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/1048-2-0x00000000003A0000-0x00000000003AE000-memory.dmp

Filesize
56KB

Download
memory/1048-1-0x0000000000CA0000-0x0000000000CFC000-memory.dmp

Filesize
368KB

Download
memory/2260-10-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2260-17-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2640-36-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download
memory/2640-39-0x0000000000630000-0x0000000000648000-memory.dmp

Filesize
96KB

Download
memory/2640-40-0x0000000000660000-0x0000000000670000-memory.dmp

Filesize
64KB

Download
memory/2640-35-0x0000000000020000-0x000000000010A000-memory.dmp

Filesize
936KB

Download