orcus | 2c79679727444f53ecabaa6c6d588cefb54b9c118ef858bc7e1fdc913440086a

Analysis

max time kernel
111s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.exe
Size

913KB
MD5

3ec4232085e107853eb6787e80848efa
SHA1

3cc6617af32cd1da1b7ffc0996a1a32e1a171bf1
SHA256

2c79679727444f53ecabaa6c6d588cefb54b9c118ef858bc7e1fdc913440086a
SHA512

9b7f0d5f9d18b3c54d3c65eb7df0f95a799eaeccd383ef9aae44372896bac2e629d6a26c30c47d6ef839c91559a024a1083bd5f39a3187e63e817638f3d2a999
SSDEEP

24576:7Eqr4MROxnF25bHKTlQjrZlI0AilFEvxHiON:7EjMiwjrZlI0AilFEvxHi

Score

10^/10

orcus discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

23.160.168.165:7058

Mutex

eb4cdf8f2fdf48e2948ba799aa59ebe5

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000800000002424e-42.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x000800000002424e-42.dat	orcus
behavioral2/memory/4652-53-0x0000000000EC0000-0x0000000000FAA000-memory.dmp	orcus

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	test.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	Orcus.exe

Executes dropped EXE 1 IoCs

pid	Process
4652	Orcus.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	test.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	test.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe.config	test.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	Orcus.exe
File created	C:\Program Files\Orcus\Orcus.exe	test.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	test.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	test.exe
File created	C:\Windows\assembly\Desktop.ini	test.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	test.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3576	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3576	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4652	Orcus.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4652	Orcus.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4652	Orcus.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 5788	1960	test.exe	89
PID 1960 wrote to memory of 5788	1960	test.exe	89
PID 5788 wrote to memory of 5428	5788	csc.exe	91
PID 5788 wrote to memory of 5428	5788	csc.exe	91
PID 1960 wrote to memory of 4652	1960	test.exe	93
PID 1960 wrote to memory of 4652	1960	test.exe	93
PID 4652 wrote to memory of 2908	4652	Orcus.exe	100
PID 4652 wrote to memory of 2908	4652	Orcus.exe	100
PID 2908 wrote to memory of 3576	2908	cmd.exe	102
PID 2908 wrote to memory of 3576	2908	cmd.exe	102
PID 2908 wrote to memory of 5256	2908	cmd.exe	103
PID 2908 wrote to memory of 5256	2908	cmd.exe	103
PID 2908 wrote to memory of 3924	2908	cmd.exe	104
PID 2908 wrote to memory of 3924	2908	cmd.exe	104
PID 2908 wrote to memory of 3172	2908	cmd.exe	105
PID 2908 wrote to memory of 3172	2908	cmd.exe	105
PID 2908 wrote to memory of 5244	2908	cmd.exe	106
PID 2908 wrote to memory of 5244	2908	cmd.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\-yjk8y6r.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5788
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES569D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC569C.tmp"
    3⤵
    PID:5428
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{087877d5-e852-4a30-b3ef-d5d722eea722}.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3576
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo j "
      4⤵
      PID:5256
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" del "C:\Program Files\Orcus\Orcus.exe""
      4⤵
      PID:3924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo j "
      4⤵
      PID:3172
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" del C:\Users\Admin\AppData\Local\Temp\{087877d5-e852-4a30-b3ef-d5d722eea722}.bat"
      4⤵
      PID:5244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
913KB

MD5
3ec4232085e107853eb6787e80848efa

SHA1
3cc6617af32cd1da1b7ffc0996a1a32e1a171bf1

SHA256
2c79679727444f53ecabaa6c6d588cefb54b9c118ef858bc7e1fdc913440086a

SHA512
9b7f0d5f9d18b3c54d3c65eb7df0f95a799eaeccd383ef9aae44372896bac2e629d6a26c30c47d6ef839c91559a024a1083bd5f39a3187e63e817638f3d2a999

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\-yjk8y6r.dll

Filesize
76KB

MD5
a57525e74c09bc9e4da48aaffc53a844

SHA1
2ef4c45a6d9704b89cc5045da5ce7d4d681562a4

SHA256
dc1c434e3131987360ec9739bde15bb7170f08aa7945380e237e0719e3a6ef4a

SHA512
7407d7389ef7b0e5f162300aa24bae0be65e9c1a7656cb76d80f191eeece007d1448f0f64f3c79401a0373331b3c72c78a87a7d92f860210a0aee51e866958d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES569D.tmp

Filesize
1KB

MD5
9eb89e2a6595a9dbcd75058f7e9c4365

SHA1
b013dbd6807e22c8a72cd81f68c19eae44f165ef

SHA256
8848ab1d784294f86e0a506dfd8a60e7f07838dde7e648a78455645fb17327a0

SHA512
3916173f6906695f41bafd5aeeace1e0fa62bd3cc49892406c6dc23be2d5f167b71312584382ce28af55f4db2b23d961ccefb5ae7f9b478c4a12c09336d3a4e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\{087877d5-e852-4a30-b3ef-d5d722eea722}.bat

Filesize
171B

MD5
60b8414e9a1d5e780b54bd8a627d9941

SHA1
6fd8346a8e87a79f370441fdb03e9f3aabb20cb1

SHA256
b6937a6a1e4e6b9fc27660cdd707478256468024d896396b687eddbfaa249940

SHA512
7e41366bd7da483f8737f5f23d31844b83db87e6bb111e7585e48347188fe2db296079bb422d355e76676fb6c78f98932c801ad821bd93a71588f48b2643faec

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\err_eb4cdf8f2fdf48e2948ba799aa59ebe5.dat

Filesize
1KB

MD5
3bed3841183cbd9f04548eb0d6db3628

SHA1
51f6fac9a64b62ae4fbde2bf79e538ab85a4b059

SHA256
7317f98aa7bb9d535d0345289d35701a3e0eabadd088274184f0f1af399480bd

SHA512
e61054a6a5c2622cc70fedb3e7f320eae679536ad2b9b9eff9860aebceeec845b7cb29e1e957f4e7170e358e5f0948544407b86815a2c0d3bceba949757edb03

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\-yjk8y6r.0.cs

Filesize
208KB

MD5
14966372b7019dec4e6aa73e83cec804

SHA1
9f7b8bdeb48f4cd03f484b675370ae942ff593c3

SHA256
92d9ea0d1dd909a00ad7d05193079c52bee44e22fac3c994fb32334c7f080e67

SHA512
4638b06662313327a86ba3a9c25fdf38c25da1b62f19d0cd037e04b460c3cf37d4f9dc904227a4d8c90194ad2d02baf94a0f40e26b2ff08b698c1149b43b62dd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\-yjk8y6r.cmdline

Filesize
349B

MD5
163c31e423339c4a548d7adb7e55e787

SHA1
4cd2684c72e25f59100b547f9feb38b8bf2b31ca

SHA256
74a855b6e7223998fd113d893510870199e6d2fd92af54dc4de29b6c7403fe93

SHA512
7e9d5b0d1f06f17ee97a41cbd3e5e1745dd333e77c87aca9794d78140d6a8026e0c8d2daaa95792a64d2dfa66b816deb63df289a941d251e89936eefc5394711

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC569C.tmp

Filesize
676B

MD5
56608f95915b648e9585d9ce643df033

SHA1
69a9b94876624a85f3ab649b9edb53e8ad53ff54

SHA256
6955073dbcd850b9e05c96b0a795928aceb78dd51846362d9d2c1e537a2944e5

SHA512
ddc4c0d78e241a7dfafd7cc5d5914aa6985555a394499f2f957402993202a6cec2749d0de205ed4f00b10ff8ce40b0a7552d47dc88d61f59edf7f007734c378b

Download Submit
memory/1960-30-0x000000001E4B0000-0x000000001E5A0000-memory.dmp

Filesize
960KB

Download
memory/1960-6-0x000000001C570000-0x000000001CA3E000-memory.dmp

Filesize
4.8MB

Download
memory/1960-8-0x00007FFD4AB20000-0x00007FFD4B4C1000-memory.dmp

Filesize
9.6MB

Download
memory/1960-1-0x00007FFD4AB20000-0x00007FFD4B4C1000-memory.dmp

Filesize
9.6MB

Download
memory/1960-7-0x000000001CAE0000-0x000000001CB7C000-memory.dmp

Filesize
624KB

Download
memory/1960-23-0x000000001D1A0000-0x000000001D1B6000-memory.dmp

Filesize
88KB

Download
memory/1960-25-0x000000001BE00000-0x000000001BE12000-memory.dmp

Filesize
72KB

Download
memory/1960-26-0x000000001BD70000-0x000000001BD78000-memory.dmp

Filesize
32KB

Download
memory/1960-27-0x000000001BE90000-0x000000001BE98000-memory.dmp

Filesize
32KB

Download
memory/1960-28-0x000000001D590000-0x000000001D5F2000-memory.dmp

Filesize
392KB

Download
memory/1960-29-0x000000001DEF0000-0x000000001E4AA000-memory.dmp

Filesize
5.7MB

Download
memory/1960-0-0x00007FFD4ADD5000-0x00007FFD4ADD6000-memory.dmp

Filesize
4KB

Download
memory/1960-31-0x000000001D6F0000-0x000000001D70E000-memory.dmp

Filesize
120KB

Download
memory/1960-32-0x000000001E5B0000-0x000000001E5F9000-memory.dmp

Filesize
292KB

Download
memory/1960-33-0x00007FFD4AB20000-0x00007FFD4B4C1000-memory.dmp

Filesize
9.6MB

Download
memory/1960-34-0x000000001E690000-0x000000001E700000-memory.dmp

Filesize
448KB

Download
memory/1960-35-0x00007FFD4AB20000-0x00007FFD4B4C1000-memory.dmp

Filesize
9.6MB

Download
memory/1960-2-0x000000001BEA0000-0x000000001BEFC000-memory.dmp

Filesize
368KB

Download
memory/1960-5-0x000000001C090000-0x000000001C09E000-memory.dmp

Filesize
56KB

Download
memory/1960-52-0x00007FFD4AB20000-0x00007FFD4B4C1000-memory.dmp

Filesize
9.6MB

Download
memory/4652-62-0x00007FFD47C43000-0x00007FFD47C45000-memory.dmp

Filesize
8KB

Download
memory/4652-53-0x0000000000EC0000-0x0000000000FAA000-memory.dmp

Filesize
936KB

Download
memory/4652-54-0x00000000031C0000-0x00000000031D2000-memory.dmp

Filesize
72KB

Download
memory/4652-55-0x000000001BB40000-0x000000001BB52000-memory.dmp

Filesize
72KB

Download
memory/4652-56-0x000000001BFC0000-0x000000001BFFC000-memory.dmp

Filesize
240KB

Download
memory/4652-57-0x000000001C110000-0x000000001C21A000-memory.dmp

Filesize
1.0MB

Download
memory/4652-60-0x000000001C320000-0x000000001C338000-memory.dmp

Filesize
96KB

Download
memory/4652-61-0x000000001C100000-0x000000001C110000-memory.dmp

Filesize
64KB

Download
memory/4652-51-0x00007FFD47C43000-0x00007FFD47C45000-memory.dmp

Filesize
8KB

Download
memory/4652-65-0x000000001CF50000-0x000000001D112000-memory.dmp

Filesize
1.8MB

Download
memory/4652-68-0x000000001C880000-0x000000001C8CE000-memory.dmp

Filesize
312KB

Download
memory/5788-16-0x00007FFD4AB20000-0x00007FFD4B4C1000-memory.dmp

Filesize
9.6MB

Download
memory/5788-21-0x00007FFD4AB20000-0x00007FFD4B4C1000-memory.dmp

Filesize
9.6MB

Download