orcus | 2c79679727444f53ecabaa6c6d588cefb54b9c118ef858bc7e1fdc913440086a

General

Target

test.exe
Size

913KB
MD5

3ec4232085e107853eb6787e80848efa
SHA1

3cc6617af32cd1da1b7ffc0996a1a32e1a171bf1
SHA256

2c79679727444f53ecabaa6c6d588cefb54b9c118ef858bc7e1fdc913440086a
SHA512

9b7f0d5f9d18b3c54d3c65eb7df0f95a799eaeccd383ef9aae44372896bac2e629d6a26c30c47d6ef839c91559a024a1083bd5f39a3187e63e817638f3d2a999
SSDEEP

24576:7Eqr4MROxnF25bHKTlQjrZlI0AilFEvxHiON:7EjMiwjrZlI0AilFEvxHi

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

23.160.168.165:7058

Mutex

eb4cdf8f2fdf48e2948ba799aa59ebe5

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000e0000000240e0-42.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x000e0000000240e0-42.dat	orcus
behavioral2/memory/2252-53-0x0000000000600000-0x00000000006EA000-memory.dmp	orcus

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	test.exe

Executes dropped EXE 1 IoCs

pid	Process
2252	Orcus.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	test.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	test.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe	test.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	test.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	test.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	test.exe
File opened for modification	C:\Windows\assembly	test.exe
File created	C:\Windows\assembly\Desktop.ini	test.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2252	Orcus.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2252	Orcus.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2252	Orcus.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 5248	2488	test.exe	91
PID 2488 wrote to memory of 5248	2488	test.exe	91
PID 5248 wrote to memory of 5824	5248	csc.exe	93
PID 5248 wrote to memory of 5824	5248	csc.exe	93
PID 2488 wrote to memory of 2252	2488	test.exe	95
PID 2488 wrote to memory of 2252	2488	test.exe	95

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\9o42nbva.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5248
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES788C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC788B.tmp"
    3⤵
    PID:5824
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
913KB

MD5
3ec4232085e107853eb6787e80848efa

SHA1
3cc6617af32cd1da1b7ffc0996a1a32e1a171bf1

SHA256
2c79679727444f53ecabaa6c6d588cefb54b9c118ef858bc7e1fdc913440086a

SHA512
9b7f0d5f9d18b3c54d3c65eb7df0f95a799eaeccd383ef9aae44372896bac2e629d6a26c30c47d6ef839c91559a024a1083bd5f39a3187e63e817638f3d2a999

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\9o42nbva.dll

Filesize
76KB

MD5
41c56ca9714c2d19a48923b0a974d194

SHA1
bbd2757875d3aad6b7e245358d916533205b335f

SHA256
5d69cee45939353b44ec6d33e0351453a197ce81aacf4b1e27d143cf66049379

SHA512
4b674565e0b05658d94ba8b440bd4fb73ee774342446d50ae296319f5ddc96ae75e3d6b60b9712c72b3fec99e94e7bab82310481ebb9d016b92c857a336a7c7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES788C.tmp

Filesize
1KB

MD5
f90e7fbad863ccbc56ac190e3003967b

SHA1
d33f742e8b66b7fb9671c510aab4a80c3c54b24a

SHA256
393054b3098ea10b6515a07492e9b19ab86e7178a665b485ae2b44257c66592d

SHA512
29523317ef518bde05bd14f7a8c34c98f2942c5d3c42a8b8f1a2ddcf269008fba61a9907cad0906544b92de41b74251bc1fa1d98aa9173f520a29c86cb0b068f

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\err_eb4cdf8f2fdf48e2948ba799aa59ebe5.dat

Filesize
1KB

MD5
6c1d62d0708f73bb02eb439d182e5998

SHA1
b8f030e5e4b2407441a9e724ee1e7330afb1202c

SHA256
ec3186a2128e19a1f7c4a41ff1739d999eab0b0548b67f82fe672256d6cc4a1e

SHA512
80d009044e3ec6d0e96f37044580ba5556c24d14856e8ab20d6737fde98f347b08fbe996f6c3690fbb6aa7e3042036c8d077828c23f52f5a5a02abb36b9f4a44

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\9o42nbva.0.cs

Filesize
208KB

MD5
668c46780c1aa886bfbf6efcf0e00d96

SHA1
755aa968e9a4bff53013770831ff5182b4160649

SHA256
a46cb1c31ea80e10e376ba77f6f023eb906a12ee56cf385c952b6a7fd45eeb36

SHA512
81c94020baead9102f7a137db495fefd9f753d60c511c1eab787a1a8749c5b1b4cab2a063d42afa1f7e2b96544c1246ab2b2a2cb4f62865cd738be65cb813c61

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\9o42nbva.cmdline

Filesize
349B

MD5
ad25c0142aa90a9179481ac37323964e

SHA1
468072fee903b7f77cd5f52a8c6ec94fcc37a915

SHA256
196186e60353a20ca040fcbd7b23f097e7c674d9cddee22f509fbb92224b9e7a

SHA512
b5cdc4621b0b743e2e2cfca02eb1ce2e01352f72181a40225b495f5d2412845d9c23216e94f1678bd22c2a06eeb187049474287b3bbaa5a94964fbe22412aa98

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC788B.tmp

Filesize
676B

MD5
f41838798f397dd70557b3da7492db76

SHA1
6ea64b77887ec4fd5937cdd659a8752d2b2d7398

SHA256
182f13a38eb344bab06035339b1af47c2bfe5b04c2ce739dcfe8ee20d53ed73b

SHA512
6d78b9cf74aae39f9e5ac87d24cdbfd42d94ecaae49ec28667eb575bc153284966900425e25a4fde85040f66fe48bb51663dbc3183e15f74ca11b3f2b313e4ed

Download Submit
memory/2252-53-0x0000000000600000-0x00000000006EA000-memory.dmp

Filesize
936KB

Download
memory/2252-51-0x00007FF9AC673000-0x00007FF9AC675000-memory.dmp

Filesize
8KB

Download
memory/2252-67-0x00007FF9AC673000-0x00007FF9AC675000-memory.dmp

Filesize
8KB

Download
memory/2252-64-0x000000001C8D0000-0x000000001CA92000-memory.dmp

Filesize
1.8MB

Download
memory/2252-61-0x000000001B450000-0x000000001B460000-memory.dmp

Filesize
64KB

Download
memory/2252-60-0x000000001B430000-0x000000001B448000-memory.dmp

Filesize
96KB

Download
memory/2252-57-0x000000001B8D0000-0x000000001B9DA000-memory.dmp

Filesize
1.0MB

Download
memory/2252-56-0x000000001B3F0000-0x000000001B42C000-memory.dmp

Filesize
240KB

Download
memory/2252-55-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

Filesize
72KB

Download
memory/2252-54-0x0000000000FA0000-0x0000000000FB2000-memory.dmp

Filesize
72KB

Download
memory/2488-33-0x00007FF9B01D0000-0x00007FF9B0B71000-memory.dmp

Filesize
9.6MB

Download
memory/2488-28-0x000000001D410000-0x000000001D472000-memory.dmp

Filesize
392KB

Download
memory/2488-30-0x000000001E340000-0x000000001E430000-memory.dmp

Filesize
960KB

Download
memory/2488-31-0x000000001D570000-0x000000001D58E000-memory.dmp

Filesize
120KB

Download
memory/2488-32-0x000000001E440000-0x000000001E489000-memory.dmp

Filesize
292KB

Download
memory/2488-8-0x000000001C9A0000-0x000000001CA3C000-memory.dmp

Filesize
624KB

Download
memory/2488-34-0x000000001E520000-0x000000001E590000-memory.dmp

Filesize
448KB

Download
memory/2488-35-0x00007FF9B01D0000-0x00007FF9B0B71000-memory.dmp

Filesize
9.6MB

Download
memory/2488-3-0x000000001BD30000-0x000000001BD8C000-memory.dmp

Filesize
368KB

Download
memory/2488-2-0x00007FF9B01D0000-0x00007FF9B0B71000-memory.dmp

Filesize
9.6MB

Download
memory/2488-52-0x00007FF9B01D0000-0x00007FF9B0B71000-memory.dmp

Filesize
9.6MB

Download
memory/2488-29-0x000000001DD80000-0x000000001E33A000-memory.dmp

Filesize
5.7MB

Download
memory/2488-0-0x00007FF9B0485000-0x00007FF9B0486000-memory.dmp

Filesize
4KB

Download
memory/2488-27-0x00000000017F0000-0x00000000017F8000-memory.dmp

Filesize
32KB

Download
memory/2488-26-0x0000000001620000-0x0000000001628000-memory.dmp

Filesize
32KB

Download
memory/2488-25-0x0000000001640000-0x0000000001652000-memory.dmp

Filesize
72KB

Download
memory/2488-6-0x000000001BE20000-0x000000001BE2E000-memory.dmp

Filesize
56KB

Download
memory/2488-1-0x00007FF9B01D0000-0x00007FF9B0B71000-memory.dmp

Filesize
9.6MB

Download
memory/2488-23-0x000000001D030000-0x000000001D046000-memory.dmp

Filesize
88KB

Download
memory/2488-7-0x000000001C430000-0x000000001C8FE000-memory.dmp

Filesize
4.8MB

Download
memory/5248-21-0x00007FF9B01D0000-0x00007FF9B0B71000-memory.dmp

Filesize
9.6MB

Download
memory/5248-14-0x00007FF9B01D0000-0x00007FF9B0B71000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing