orcus

Sharing

Copy URL

Twitter E-mail

General

Target

backdoored.zip
Size

6.3MB
Sample

250404-tpjbaazydt
MD5

85a5b01d9d255807bc6880fe01935fbc
SHA1

e757e8d3baaa391156400dd0f4f3897c57dece65
SHA256

9ecafc8f4be7ece39b55c267992d8a97bd66c049fe72f729bdd64eb9c6cd1e4d
SHA512

e164e6c441e134823dbe94a191e961950b3b33c49df7ff69322d19be0c641be66eff49a6d0670db500a1b4585233cc11b4f0449399afccc372761f8561dbb104
SSDEEP

196608:WOhJWMovtjR4N/XdPZ2hHPZ2hTj2Vxah4:WWgJFR4FXdhuHhuTj2bN

Score

10^/10

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
5000

Extracted

Family

orcus

213.209.143.58:2095

Mutex

95c074471a264ae6acae057c3ed47a24

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%programfiles%\Nirsoft\sihost.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Realtek Audio Driver
watchdog_path
AppData\winsvrc.exe

Targets

- Target
  
  BouncyCastle.Crypto.dll
- Size
  
  3.2MB
- MD5
  
  0cf454b6ed4d9e46bc40306421e4b800
- SHA1
  
  9611aa929d35cbd86b87e40b628f60d5177d2411
- SHA256
  
  e51721dc0647f4838b1abc592bd95fd8cb924716e8a64f83d4b947821fa1fa42
- SHA512
  
  85262f1bc67a89911640f59a759b476b30ca644bd1a1d9cd3213cc8aae16d7cc6ea689815f19b146db1d26f7a75772ceb48e71e27940e3686a83eb2cf7e46048
- SSDEEP
  
  49152:JIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9Y:6BbBWIgWljGxRB/LLY
Score

1^/10
behavioral1
- Target
  
  Client.exe
- Size
  
  3.1MB
- MD5
  
  53a45c6e7e2e587d7db12cfa4476906a
- SHA1
  
  57591dafa4fedc5c39e4f4047619c750605d237c
- SHA256
  
  220921f2f892a79118811e15d6cdd813776b3898bbc47911060be449bd3f9339
- SHA512
  
  d48eff26d1aed4e765793d98ee6061675c2c9249a9bcbcd52be4a115625c33c99b6e09b40b98fa8aa65cf77288ff39429d7b43d4e82a95a9a8e96c017ee432cc
- SSDEEP
  
  98304:/nY+y2FqZaVmN+PqlhU//vlL1YGWdT7x:P1Z1CXx
Score

10^/10

quasar spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
behavioral2
- Target
  
  Gma.System.MouseKeyHook.dll
- Size
  
  56KB
- MD5
  
  bfb3bd1cb571360435100bfa6ed2b997
- SHA1
  
  1325e8dd76180a165117e04da4ee4a020e996880
- SHA256
  
  a67a424013544c8270c12633e2e1e287cd5cf0b3f2e81e8d8204b37a03da59ef
- SHA512
  
  ae5a88a9e86b9e64b8c289213f814586dfa5fe5e0cc21bdbc3e48c36d81fa9e763c6e78f24e40df07696228270ad72f408846125e61e33cae867ef8ff88a3c15
- SSDEEP
  
  768:qYnDJGdu2oE3d7ltSl+Y8sCcm8Doi/L0CPw87qquEZ+r3FhuiFJ8G:VncoU48/AzPwYpNZ6rXJ8G
Score

1^/10
behavioral3
- Target
  
  Kira.exe
- Size
  
  3.3MB
- MD5
  
  35e41d1dc3e84b3eea60b9809199f3fa
- SHA1
  
  b8d2154bb56f0ad94effa5e8c57f4b51e345bf73
- SHA256
  
  dd3ee854f6f62c1c964b74dc71fce2da6d29bdf1b8320f5173b1bce54e7c3413
- SHA512
  
  a1cd7dc83a0304c46fdf0fe4855880f4d97a18fdef321674a4d00bade7afd8ea64530c55e1a9bd1e1ffce196ee7957f5227d42fdb9f33ecda8b8fae29d11c77a
- SSDEEP
  
  49152:gHBVPVP2ym8r2JdVTWRh1/6/R1I9AihZZ7WEqnXrtRI93iS5TChmqrjyBE3Hi8uy:iRAMBChm+jwE3HSOZssBs+H
Score

10^/10

orcus discovery rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus family
  orcus
- Orcurs Rat Executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral4
- Target
  
  Microsoft.TestPlatform.AdapterUtilities.dll
- Size
  
  28KB
- MD5
  
  2e02f737baabda557d62c88443ae7c01
- SHA1
  
  a4f3a6a3b7c5d371474fbb9a4d51f0e75ecc0927
- SHA256
  
  2570cbe12e3f6c177362eaad630b42db3114c2bb74099a0baa2d3abd6bcb5303
- SHA512
  
  646c34a76dd20c808346e87bd68c6074fddc3194df0cfbab345e2e08d8d480fdecd6e544836a07f74898d4276fd7f30b964aa0fa260178492639913e7beab650
- SSDEEP
  
  384:MoGlVXd5QgRbo/cqR3gMdny654nKDdhUauvc//FyHRN76JVOY/wR9zmuyzy1:wDOgRcOIUarFu4/M9zmO1
Score

1^/10
behavioral5
- Target
  
  Microsoft.VisualStudio.CodeCoverage.Shim.dll
- Size
  
  15KB
- MD5
  
  b0f2e37dc0fbe6cf01672547f9e56e5b
- SHA1
  
  2673eb1ab737217e0dc63101d697697c82547185
- SHA256
  
  3a4ed9b3e4b5d706767ef614b52836250e8abfadb7b8e30e3706c2eb9d1c45e3
- SHA512
  
  8c5f91a0a7bcd44d3f4a61d7f37f9956f7aa0f1d3585460c2eb1f27bb28e6b959f1e3e7ace6b1fe2c39b06c121d024b6bd383ca3c403ab70dfbb94208476e6de
- SSDEEP
  
  192:LnIqrxCb3j0WZqnWSW1R7KOTYRHnhWgN7a8WqJ2sJact5equ/X01k9z3Amj7x+M:Ln98j0WZqnWlyHRN799Es56/R9zTjVP
Score

1^/10
behavioral6
- Target
  
  Microsoft.VisualStudio.TestPlatform.MSTest.TestAdapter.dll
- Size
  
  155KB
- MD5
  
  2ddc54871ff84b3692ad11ba4a5ff771
- SHA1
  
  c5310fea5760851117ec68b66363f65d5fae06a3
- SHA256
  
  cb1d59fd79a412b1b05a27b32c342cbc85f018a9f1e1d67b43ebe87e43fec0d1
- SHA512
  
  c4b6f1f0a1517b7669813f58ece0b10432dd85e1769584b5502cbb0bf0b440a56353b1b5142aa024886d0a4cabe9447c8ea6173887ca9c7562e5883deac07ef0
- SSDEEP
  
  3072:vIOjCZch+OpRvMKZNZ3hy3B5HZtdOu8uThF9hZlJ8jaoY:jGZc5HvMKZ73Y3B5HZtdOu8ShZlJ8+l
Score

1^/10
behavioral7
- Target
  
  Microsoft.VisualStudio.TestPlatform.MSTestAdapter.PlatformServices.Interface.dll
- Size
  
  18KB
- MD5
  
  f0bf68ced49e25d46f470d063b9b2532
- SHA1
  
  5826195d195ba3317b22fb726e60231e800571ec
- SHA256
  
  c4494b603ecb322627959b2cd782400405a58051229bd09b108861415b1845aa
- SHA512
  
  01eff16e40fadab3acc906c3d7b046363649157ff152a58babff0e7300861b16de8254237b6f39dc781bb2b0609f24ec8edbc816b1dda27bfa71d8816c3470c6
- SSDEEP
  
  384:jFNFUt+ZDmwKCWKhyHRN7/FfsRmuTcR9zuskT:jF7kwDhutERmuU9zuR
Score

1^/10
behavioral8
- Target
  
  Microsoft.VisualStudio.TestPlatform.MSTestAdapter.PlatformServices.dll
- Size
  
  111KB
- MD5
  
  a07cd0c9f5b3308a0f2afe11d67fd60c
- SHA1
  
  3e35ffd0632c2ba0e12075f3a59a215bae4412de
- SHA256
  
  6536aba7c1f99cea9d373773cd0cacf130b0ddfbf47e2c8acaf4cd880e318045
- SHA512
  
  9fa70de6b0252e3f852b7caa6923b7e1221cef7bfbe9db10d34e07e2ee5366593621b9c5ea1c8e3e4ccb161cac128e778b4b38882f82f229a9e0d7c32db5529d
- SSDEEP
  
  1536:OCqy+HpgqVw2LexT+15prQSndipRELKihtj5yF6C3MNflzlrD7XdzgM7QgKAh8NQ:oJSYw3ip0aRKihtj5RCgzJxt8NYGi
Score

1^/10
behavioral9
- Target
  
  Microsoft.VisualStudio.TestPlatform.TestFramework.Extensions.dll
- Size
  
  33KB
- MD5
  
  e3306bf4a03b415eeaf5e3038245146c
- SHA1
  
  7c1287fb75cf863bf61d315a5dc6ac21bc224584
- SHA256
  
  8d1c36b6dced0b1315e71303ef205dbd01d157a4add72d874825e0f26c529aa5
- SHA512
  
  c1360bfd93a0aedbc06c58c79b3ffd6b5599d70b49f5f894bc793332f27f315ed6e3609984a269201064e73987517109fe6b720cecb38fc67ee08e1258cf843c
- SSDEEP
  
  768:cfuKfVp4MAfCQxA5Xm9nCSqu1LxWF//dj9zw:64nHI29dqudxWZzw
Score

1^/10
behavioral10
- Target
  
  Microsoft.VisualStudio.TestPlatform.TestFramework.dll
- Size
  
  72KB
- MD5
  
  81930cfe170acd3a8e7498fd706a93c9
- SHA1
  
  e1868f03638b3b94027afe2c4f1cda84d39c1054
- SHA256
  
  9dddb3c2958a276f6b6afd9fade11cca191e2f0635f29a39718c60f8f278a4c3
- SHA512
  
  1120633361c962a6828799898b2c43ef72402f6eec3d40761e875bf5fe08cea77cdef762f6b8840b6a747a534427af2f0b54ae906c39753a7facb17ff52949aa
- SSDEEP
  
  1536:CHXw2c75z0KqmKkONYfVmiCpmivfD7XXyAHHof0qokuUz2:u+75zamKXqfVmjnD7XXyAozo4i
Score

1^/10
behavioral11
- Target
  
  Mono.Cecil.Mdb.dll
- Size
  
  42KB
- MD5
  
  1c6aca0f1b1fa1661fc1e43c79334f7c
- SHA1
  
  ec0f591a6d12e1ea7dc8714ec7e5ad7a04ef455d
- SHA256
  
  411f8ed8c49738fa38a56ed8f991d556227d13602e83186e66ae1c4f821c940b
- SHA512
  
  1c59e939d108f15881d29fe4ced4e5fa4a4476394b58b6eb464da77192cb8fe9221b7cd780af4596914d4cce7c3fc53f1bb567f944c58829de8efbe1fd87be76
- SSDEEP
  
  768:Ar5EYZep98C87KHeBUZwrEzsEAnbF+em50KktmM4CRIcZwMRTIzMAtpw:Ar59g98C87KHeBUb5AnZG+zdwMRTzAtS
Score

1^/10
behavioral12
- Target
  
  Mono.Cecil.Pdb.dll
- Size
  
  87KB
- MD5
  
  6d5eb860c2be5dbeb470e7d3f3e7dda4
- SHA1
  
  80c76660b87c52127b1a7da48e27700f75362041
- SHA256
  
  447ede1984bb4acd73bd97c0ec57a11c079cee8301c91fb199ca98c1906d3cc4
- SHA512
  
  64cf4fe7de68a35720d2b9338ba9cf182e127d95d72d2ccf7ff5c73a368133663e70c988a460825fa87b2d03717a4447948d5262f56aceb7c3bf1cb3ab5a41a5
- SSDEEP
  
  1536:2OCAsdBo+am5OMwr5IlALYKXgAJGsZhTjrjvjCXeO:ZCjta0OMuIlArVJGqT/jveXeO
Score

1^/10
behavioral13
- Target
  
  Mono.Cecil.Rocks.dll
- Size
  
  27KB
- MD5
  
  6e7f0f4fff6c49e3f66127c23b7f1a53
- SHA1
  
  14a529f8c7ee9f002d1e93dcf8ff158ab74c7e1a
- SHA256
  
  2e2623319bdc362974a78ea4a43f4893011ec257884d24267f4594142fcd436e
- SHA512
  
  0c773da6717dd6919cd6241d3cee26ab00bb61ea2dbeff24844a067af4c87ff5cbdb2fe3ada5db4707cee921b3fb353bd12ee22b8490597d4f67ad39bace235e
- SSDEEP
  
  384:70ve8JOuJ5iC7n2NwxEXCni+VXcMeDz8PmR1ugLoaeuLMBG9UphJAprjE3uFLHa9:7+m4iCyrXOhG8uRssveum1pMFLHFBvd
Score

1^/10
behavioral14
- Target
  
  Mono.Cecil.dll
- Size
  
  350KB
- MD5
  
  de69bb29d6a9dfb615a90df3580d63b1
- SHA1
  
  74446b4dcc146ce61e5216bf7efac186adf7849b
- SHA256
  
  f66f97866433e688acc3e4cd1e6ef14505f81df6b26dd6215e376767f6f954bc
- SHA512
  
  6e96a510966a4acbca900773d4409720b0771fede37f24431bf0d8b9c611eaa152ba05ee588bb17f796d7b8caaccc10534e7cc1c907c28ddfa54ac4ce3952015
- SSDEEP
  
  6144:jIevdbLPNYe8bikm98KXPHhOWY/fFREomhUFD3z:se1PNL+QRfBg/f/EWFD
Score

1^/10
behavioral15
- Target
  
  Open.Nat.dll
- Size
  
  68KB
- MD5
  
  cc6f6503d29a99f37b73bfd881de8ae0
- SHA1
  
  92d3334898dbb718408f1f134fe2914ef666ce46
- SHA256
  
  0b1e0d8f87f557b52315d98c1f4727e539f5120d20b4ca9edba548983213fbb5
- SHA512
  
  7f4c0a35b612b864ad9bc6a46370801ed7433424791622bf77bf47d6a776cb6a49e4977b34725ead5d0feaa1c9516db2ca75cb8872c77a8f2fab6c37740b681f
- SSDEEP
  
  768:sF6vHHLFkywkNh5qtHMjkCifoydVXw5FxusiolecziijiSvD+ZGFa4Pw6OdrGHUm:8GmyJNh0tbt3MLQ9W2rG0Ydd
Score

1^/10
behavioral16
- Target
  
  Quasar.Common.Tests.dll
- Size
  
  6KB
- MD5
  
  80f6ad73b7e99271de1eb4ec8432fff0
- SHA1
  
  3c812b1cb349612c8b7551cb4881569f58348a3c
- SHA256
  
  713cc97507e5b745227a6f1d194c7ae32855fb378b9573ed4819f8b73aeb3ebf
- SHA512
  
  645df198a6712b163de602142ec59b342ddd73af02f4631e74e9db090dae537e969b3ef722d1de3f2344ce8893e5c1c438803e3d1bbefb04fd107984588b5920
- SSDEEP
  
  96:PW2zmDjGTY4XpEGD/pzLrSS/B4uhCd0oivAJvt:eyTYiEMFSS/B7hCd0Rg
Score

1^/10
behavioral17
- Target
  
  Quasar.Common.dll
- Size
  
  62KB
- MD5
  
  f5764b65319c3a677c958dc2d098aa4a
- SHA1
  
  02f1ae1b72101ed70117c9f09d05b99954147ef1
- SHA256
  
  185b01c397b92186b32243cb8395124eb58d59386d86f3a25431c584a3d5b84b
- SHA512
  
  27b01c400cbf95f5c39133cf4d5f6526e7e06754612a46d5ae64e3ce3851a1c26bd62418ed1a00570e32b04edc9f30eb6b3ee6319d2499ed66b23b745d160b34
- SSDEEP
  
  768:UiF6Vg9HIxFMu9brfp0kUEb9k/pUHRfp0YDpb4rILMgYY44YYXINk6I+QyIFLwSd:k9UlJf0fh9YkEtIa8I0p
Score

1^/10
behavioral18
- Target
  
  Vestris.ResourceLib.dll
- Size
  
  76KB
- MD5
  
  944ce5123c94c66a50376e7b37e3a6a6
- SHA1
  
  a1936ac79c987a5ba47ca3d023f740401f73529b
- SHA256
  
  7da3f0e77c4dddc82df7c16c8c781fade599b7c91e3d32eefbce215b8f06b12a
- SHA512
  
  4c034ff51cc01567f3cb0796575528ca44623b864eb606266bcf955a9259ed26b20bec0086d79038158d3a5af2ada0a90f59d7c6aae9e545294fe77825dbe08b
- SSDEEP
  
  1536:CSSYikTF0Z+sFGu11tIcyI1MtI9eDG3fL7:CJYD0Z9FGu11teI1r9ea3
Score

1^/10
behavioral19
- Target
  
  client.bin
- Size
  
  3.1MB
- MD5
  
  53a45c6e7e2e587d7db12cfa4476906a
- SHA1
  
  57591dafa4fedc5c39e4f4047619c750605d237c
- SHA256
  
  220921f2f892a79118811e15d6cdd813776b3898bbc47911060be449bd3f9339
- SHA512
  
  d48eff26d1aed4e765793d98ee6061675c2c9249a9bcbcd52be4a115625c33c99b6e09b40b98fa8aa65cf77288ff39429d7b43d4e82a95a9a8e96c017ee432cc
- SSDEEP
  
  98304:/nY+y2FqZaVmN+PqlhU//vlL1YGWdT7x:P1Z1CXx
Score

10^/10

quasar spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
behavioral20
- Target
  
  protobuf-net.dll
- Size
  
  282KB
- MD5
  
  abc82ae4f579a0bbfa2a93db1486eb38
- SHA1
  
  faa645b92e3de7037c23e99dd2101ef3da5756e5
- SHA256
  
  ca6608346291ec82ee4acf8017c90e72db2ee7598015f695120c328d25319ec6
- SHA512
  
  e06ee564fdd3fe2e26b0dec744a969a94e4b63a2e37692a7dcc244cb7949b584d895e9d3766ea52c9fe72b7a31dacf4551f86ea0d7c987b80903ff43be9faed3
- SSDEEP
  
  3072:yRAISQ1tRSVB3zpKTEPn6Rc0qus/6GMzzeSXLifsE2s58IB7aoqng5YnDBzs39AH:yRFD1niy6n6KwhO5mIYpnNzgGD0u
Score

1^/10
behavioral21

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Quasar RAT

Quasar family

Quasar payload

Orcus family

Orcurs Rat Executable

Checks computer location settings

Executes dropped EXE

Quasar RAT

Quasar family

Quasar payload

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21