Overview

overview

10

Static

static

10

Solara Boo...er.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    505s
  • max time network
    512s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250313-en
  • resource tags

    arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    29/03/2025, 08:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Solara Bootstrapper.exe

  • Size

    916KB

  • MD5

    f24b0f78c8be241de211f2a7329c31d0

  • SHA1

    c94c0bb146040ed400a80d754f6f7ed5003328ef

  • SHA256

    4dbeefad08420db91ab0faa7bafebbd58a74fde562f97eaa2f2faedc56c1baae

  • SHA512

    d6d969b6729206d4cf50519053109bff6ee6f84dd09e1900e03606ad150490db38881076e6a62f0dca02e2fa0e93221c0e86fe6534dd2fbec813d6c6a46ae8a6

  • SSDEEP

    24576:dcI4MROxnFD3w74S4xrZlI0AilFEvxHiaZ:dcrMiJTrZlI0AilFEvxHi

Score
10/10
orcuspersistenceratspywarestealer

Malware Config

Extracted

Family

orcus

C2

192.168.0.25:10134

Mutex

a5447eba215c43b98853781f7d6d0b95

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    false

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\Windows

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcus family
    orcus
  • Orcus main payload 1 IoCs
  • Orcurs Rat Executable 2 IoCs
  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 62 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Solara Bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\Solara Bootstrapper.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1204
    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ce5wyomm.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1532
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB41E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB41D.tmp"
        3⤵
          PID:1436
      • C:\Windows\SysWOW64\WindowsInput.exe
        "C:\Windows\SysWOW64\WindowsInput.exe" --install
        2⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        PID:1900
      • C:\Program Files\Orcus\Orcus.exe
        "C:\Program Files\Orcus\Orcus.exe"
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Modifies registry class
        PID:3140
    • C:\Windows\SysWOW64\WindowsInput.exe
      "C:\Windows\SysWOW64\WindowsInput.exe"
      1⤵
      • Executes dropped EXE
      PID:220
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Program Files\Orcus\Orcus.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:724
      • C:\Program Files\Orcus\Orcus.exe
        "C:\Program Files\Orcus\Orcus.exe"
        2⤵
        • Executes dropped EXE
        PID:1576
    • C:\Program Files\Orcus\Orcus.exe
      "C:\Program Files\Orcus\Orcus.exe"
      1⤵
      • Executes dropped EXE
      PID:332
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:2040
    • C:\Program Files\Orcus\Orcus.exe
      "C:\Program Files\Orcus\Orcus.exe"
      1⤵
      • Executes dropped EXE
      PID:232

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Orcus\Orcus.exe
      Filesize

      916KB

      MD5

      f24b0f78c8be241de211f2a7329c31d0

      SHA1

      c94c0bb146040ed400a80d754f6f7ed5003328ef

      SHA256

      4dbeefad08420db91ab0faa7bafebbd58a74fde562f97eaa2f2faedc56c1baae

      SHA512

      d6d969b6729206d4cf50519053109bff6ee6f84dd09e1900e03606ad150490db38881076e6a62f0dca02e2fa0e93221c0e86fe6534dd2fbec813d6c6a46ae8a6

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Orcus.exe.log
      Filesize

      1KB

      MD5

      9666dac81545c9074f4da5ceac101f52

      SHA1

      ea515e0b8895f3d75a949851a360f8082637017b

      SHA256

      1dc357977659fdb0474ba61f6e34053669875581f8ef70fa397a31d1b2a81e3c

      SHA512

      6e4a99b1b27b61973ae79fdfd4dd9831aabb6d64177a1e9081977b5bf8fdf7e9d0c071dd5e229484c3db6f66271f91247d48f086dc6bd43566553ccdc9ac5670

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RESB41E.tmp
      Filesize

      1KB

      MD5

      8b2ae7e97bf26b5c22475c2178875428

      SHA1

      bbefa09f65491a1a8936c37e7aed36c686a7a788

      SHA256

      db3e0b75a283f9a68d12744b204887e5e5aa269d1f847741e811f9a5b105bdf6

      SHA512

      efa1c1caeb06f749a3b0ce8e39857ddb4d5a3002e27adaa68c2863d1ea7fc0f463c0aa00296f3963f28ff00f6d672cdf2aa81e9ae615e41b042136c1aab60698

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ce5wyomm.dll
      Filesize

      76KB

      MD5

      5bc0012018e6447e73f990eda84be58d

      SHA1

      5a34c2d5bba0e0da51c6c37effbbc6f657e06534

      SHA256

      cf64484f73d11d5227d986a8bb47201f75c0dd501a2a23311208aa4ef8b24edf

      SHA512

      3b4d36cf1182cae2aad777ff7a13d92665b705ad9763948834a57b4e67429c998443437584acdc6bc730c3e9da47e74335a2bc39b63a50a5f37df969c251e679

      Download Submit

    • C:\Windows\SysWOW64\WindowsInput.exe
      Filesize

      21KB

      MD5

      e6fcf516d8ed8d0d4427f86e08d0d435

      SHA1

      c7691731583ab7890086635cb7f3e4c22ca5e409

      SHA256

      8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

      SHA512

      c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

      Download Submit

    • C:\Windows\SysWOW64\WindowsInput.exe.config
      Filesize

      357B

      MD5

      a2b76cea3a59fa9af5ea21ff68139c98

      SHA1

      35d76475e6a54c168f536e30206578babff58274

      SHA256

      f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

      SHA512

      b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\CSCB41D.tmp
      Filesize

      676B

      MD5

      45015b0c5b1cb85f777510e544ddc73e

      SHA1

      db0590325cf27c45e92ef508376e6e37a00d50ab

      SHA256

      0cab498f79402d52a554071dbe1de8ae81431eaf72442a72499846846da58526

      SHA512

      5fca80c923b48efbaf7b22a52bb2df5368efaeae7ccdab055af35761345aff140a7024523486c6013895f1b1f36a6fcc03c68a71549fa18b4782b578381e1d73

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\ce5wyomm.0.cs
      Filesize

      208KB

      MD5

      ac00098954fd8ecae4dd42f4dc7a9e07

      SHA1

      a0e05f28576717b0730bf7ae77a5d2c86c647f43

      SHA256

      de633a917db1936adbe8066bce2fe0e610bde9e6abfd8097bf15d74e138700c4

      SHA512

      d4856ecf39c213b3ff891c6ecd24d7606a2e0e86bdf8cdad25a4035bb0aebba8789dd3e93ad8b46da9daa5b41838f1f6f6d8aac1118e55f05910eb07637571f7

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\ce5wyomm.cmdline
      Filesize

      349B

      MD5

      303f120d074695cebb0b6f48666c4898

      SHA1

      89a949496dd26dd4222eccb701fd257e9a96b433

      SHA256

      282e4a8e50dec26936f723e5f4abe50678b3afb9d6dfa14982edae698ab1fecb

      SHA512

      9f177425e8d9969a8d8ab284d19c0c6cd0cbf9f9ea7fe8d9cf3ddfdc6071457ec4c29344e55f4de40320dfb9320ed56592e7ddbee54f2f2df7ec3ea9875af3d3

      Download Submit

    • memory/220-48-0x000000001A1C0000-0x000000001A2CA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1204-64-0x00007FFC469B0000-0x00007FFC47351000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1204-0-0x00007FFC46C65000-0x00007FFC46C66000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1204-23-0x000000001C2C0000-0x000000001C2D6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1204-1-0x00007FFC469B0000-0x00007FFC47351000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1204-7-0x000000001BCB0000-0x000000001C17E000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/1204-25-0x0000000000FC0000-0x0000000000FD2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1204-26-0x000000001CC20000-0x000000001CC40000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1204-6-0x00007FFC469B0000-0x00007FFC47351000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1204-5-0x000000001B690000-0x000000001B69E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1204-2-0x000000001B5A0000-0x000000001B5FC000-memory.dmp

      Filesize

      368KB

      Download

    • memory/1204-8-0x000000001C220000-0x000000001C2BC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/1532-17-0x00007FFC469B0000-0x00007FFC47351000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1532-21-0x00007FFC469B0000-0x00007FFC47351000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1900-42-0x00000000030F0000-0x0000000003102000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1900-41-0x0000000000FD0000-0x0000000000FDC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1900-43-0x000000001BC60000-0x000000001BC9C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1900-40-0x00007FFC445B3000-0x00007FFC445B5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3140-63-0x0000000000110000-0x00000000001FA000-memory.dmp

      Filesize

      936KB

      Download

    • memory/3140-66-0x000000001ADF0000-0x000000001AE3E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/3140-65-0x00000000023E0000-0x00000000023F2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3140-68-0x000000001AE60000-0x000000001AE78000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3140-70-0x000000001AE80000-0x000000001AE90000-memory.dmp

      Filesize

      64KB

      Download