orcus | 8112e3c36277f4a24e7f266009825f9ab66452c74d2c594e4d509a3d9521241e

Analysis

max time kernel
72s
max time network
74s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
07-06-2024 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dff.exe
Size

907KB
MD5

a5d851ce23b2727cfb5ee692d1f33362
SHA1

206df4f8da2a8f415f44fc3091efd6e554316605
SHA256

8112e3c36277f4a24e7f266009825f9ab66452c74d2c594e4d509a3d9521241e
SHA512

6e137d0448955783839f1963ff04b9fa0d56d5ff6c2f604a56b631d35c79efe8a283c75098b8b6e2f98ab7ddd0dfc97e1011ad17de48a67296b523a9c9e47a4e
SSDEEP

12288:4XBM21gsgPktzYX7dG1lFlWcYT70pxnnaaoawUjKgRRA5rZNrI0AilFEvxHvBMiQ:zuQ4MROxnFSgHWrZlI0AilFEvxHidB

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

lunassworld-50930.portmap.host:50930

Mutex

93eee5181ceb466997ce6ef64c64353f

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus main payload 1 IoCs

Processes:

resource yara_rule

C:\Program Files\Orcus\Orcus.exe family_orcus
Orcurs Rat Executable 2 IoCs

Processes:

resource yara_rule

C:\Program Files\Orcus\Orcus.exe orcus
behavioral3/memory/944-46-0x0000000000BC0000-0x0000000000CA8000-memory.dmp orcus
Executes dropped EXE 1 IoCs

Processes:

Orcus.exe

pid process

944 Orcus.exe
Drops desktop.ini file(s) 2 IoCs

Processes:

dff.exe

description ioc process

File created C:\Windows\assembly\Desktop.ini dff.exe
File opened for modification C:\Windows\assembly\Desktop.ini dff.exe
Drops file in Program Files directory 3 IoCs

Processes:

dff.exe

description ioc process

File created C:\Program Files\Orcus\Orcus.exe dff.exe
File opened for modification C:\Program Files\Orcus\Orcus.exe dff.exe
File created C:\Program Files\Orcus\Orcus.exe.config dff.exe
Drops file in Windows directory 3 IoCs

Processes:

dff.exe

description ioc process

File opened for modification C:\Windows\assembly dff.exe
File created C:\Windows\assembly\Desktop.ini dff.exe
File opened for modification C:\Windows\assembly\Desktop.ini dff.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

resource	yara_rule
C:\Program Files\Orcus\Orcus.exe	family_orcus

resource	yara_rule
C:\Program Files\Orcus\Orcus.exe	orcus
behavioral3/memory/944-46-0x0000000000BC0000-0x0000000000CA8000-memory.dmp	orcus

pid	process
944	Orcus.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	dff.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	dff.exe

description	ioc	process
File created	C:\Program Files\Orcus\Orcus.exe	dff.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	dff.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	dff.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	dff.exe
File created	C:\Windows\assembly\Desktop.ini	dff.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	dff.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

dff.execsc.exe

description	pid	process	target process
PID 4104 wrote to memory of 3568	4104	dff.exe	csc.exe
PID 4104 wrote to memory of 3568	4104	dff.exe	csc.exe
PID 3568 wrote to memory of 3724	3568	csc.exe	cvtres.exe
PID 3568 wrote to memory of 3724	3568	csc.exe	cvtres.exe
PID 4104 wrote to memory of 944	4104	dff.exe	Orcus.exe
PID 4104 wrote to memory of 944	4104	dff.exe	Orcus.exe

C:\Users\Admin\AppData\Local\Temp\dff.exe
"C:\Users\Admin\AppData\Local\Temp\dff.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4104

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bw1sowqz.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3568

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7706.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7705.tmp"
3⤵
PID:3724

C:\Program Files\Orcus\Orcus.exe
"C:\Program Files\Orcus\Orcus.exe"
2⤵
- Executes dropped EXE
PID:944

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe
Filesize
907KB

MD5
a5d851ce23b2727cfb5ee692d1f33362

SHA1
206df4f8da2a8f415f44fc3091efd6e554316605

SHA256
8112e3c36277f4a24e7f266009825f9ab66452c74d2c594e4d509a3d9521241e

SHA512
6e137d0448955783839f1963ff04b9fa0d56d5ff6c2f604a56b631d35c79efe8a283c75098b8b6e2f98ab7ddd0dfc97e1011ad17de48a67296b523a9c9e47a4e

Download Submit
C:\Program Files\Orcus\Orcus.exe.config
Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7706.tmp
Filesize
1KB

MD5
1b25e10a8363da346c7fd16a4463069f

SHA1
eb4618d5530aaf2dbaadaee9983d16ee048e26c1

SHA256
fb365fcf0949c0ea4c05afe1e76e2dc34e8902f7dca19b11747aa42f4e3707d9

SHA512
fa745c03ee201e9b2512b93281b17f13b1945d2cf1bd318922c75e9ece3b868c491685bfb72b0a87f5b212e9bfe155592db84ba01c7f6cce6efd7f01f4deb25c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bw1sowqz.dll
Filesize
76KB

MD5
47d4980d08446fa5a18828c142652da9

SHA1
4a5c1261290cb39688bff8e82ebb8e78a2978126

SHA256
3ec0bcab2709ac8c1a78971574523a3e1ed762f76c8719c92f77093a29746c52

SHA512
085d24d360e95b95124c07819e09076c2ac6726e4c48e3171b9f08b631eee0247234ebba50d149d7b3e480d46a7d2d36d52c596deb2435b2d023f8daf8ad5771

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC7705.tmp
Filesize
676B

MD5
82ad495f09beac56ec2aa8ed18f4e495

SHA1
3cbd1b3cadaaaa124eab3ab09107af5644b66bd5

SHA256
cc90a1db20a747380d5fa393d5674979d81b8619cb55200f2197a6afdcff0469

SHA512
7a99e9aab76d9be41e9fea09608d0b93ab0abb4db10aa66cd9350ba4775c168156b93064324947fc154bac29b3b348468c171517f00df012afa2c394e7f65388

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bw1sowqz.0.cs
Filesize
208KB

MD5
7b1548f1bc1292d4bf162f29e0b142c2

SHA1
9ba60c2891443dee8ad5dd289891f49914aa65a7

SHA256
81e995f75c6251102dae42697f3d708e013acb2a7d609d24fe4a3aa818edf3cd

SHA512
81ae6c92ddb96f18eb887e60fb320a9de3a713421aae71b09f2b3dec73d1d05cf2903a66c86712794d3d651621284b4325d77f1cffcc4e47523ffd5efbae082c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bw1sowqz.cmdline
Filesize
349B

MD5
28d3db0e04180f778818bb932ec0e276

SHA1
9a5bf5e1bcc0f0be13ac8067b97c142360f4bdd3

SHA256
fdc30610c4ad0f069193eb190885d76fdd8f64911e74ee4853a483c91ad6596b

SHA512
bc0cb53656b5eb5e7ac676a27b486bc1e7654bc482943c3353506a04abfd357c3bafb645eec2a2af37360c1fb462128b481b27fe2abd6b1e4dc1da0200f6bcec

Download Submit
memory/944-46-0x0000000000BC0000-0x0000000000CA8000-memory.dmp

Filesize
928KB

Download
memory/944-48-0x0000000002E90000-0x0000000002EA2000-memory.dmp

Filesize
72KB

Download
memory/944-49-0x0000000002EA0000-0x0000000002EB8000-memory.dmp

Filesize
96KB

Download
memory/944-50-0x0000000002E80000-0x0000000002E90000-memory.dmp

Filesize
64KB

Download
memory/3568-17-0x00007FFF3C6F0000-0x00007FFF3D091000-memory.dmp

Filesize
9.6MB

Download
memory/3568-21-0x00007FFF3C6F0000-0x00007FFF3D091000-memory.dmp

Filesize
9.6MB

Download
memory/4104-8-0x000000001CA70000-0x000000001CB0C000-memory.dmp

Filesize
624KB

Download
memory/4104-0-0x00007FFF3C9A5000-0x00007FFF3C9A6000-memory.dmp

Filesize
4KB

Download
memory/4104-25-0x00000000017F0000-0x0000000001802000-memory.dmp

Filesize
72KB

Download
memory/4104-26-0x00000000017C0000-0x00000000017C8000-memory.dmp

Filesize
32KB

Download
memory/4104-27-0x00007FFF3C6F0000-0x00007FFF3D091000-memory.dmp

Filesize
9.6MB

Download
memory/4104-28-0x00007FFF3C9A5000-0x00007FFF3C9A6000-memory.dmp

Filesize
4KB

Download
memory/4104-29-0x00007FFF3C6F0000-0x00007FFF3D091000-memory.dmp

Filesize
9.6MB

Download
memory/4104-23-0x000000001BF10000-0x000000001BF26000-memory.dmp

Filesize
88KB

Download
memory/4104-7-0x000000001C500000-0x000000001C9CE000-memory.dmp

Filesize
4.8MB

Download
memory/4104-6-0x00007FFF3C6F0000-0x00007FFF3D091000-memory.dmp

Filesize
9.6MB

Download
memory/4104-47-0x00007FFF3C6F0000-0x00007FFF3D091000-memory.dmp

Filesize
9.6MB

Download
memory/4104-5-0x000000001BED0000-0x000000001BEDE000-memory.dmp

Filesize
56KB

Download
memory/4104-2-0x000000001BDD0000-0x000000001BE2C000-memory.dmp

Filesize
368KB

Download
memory/4104-1-0x00007FFF3C6F0000-0x00007FFF3D091000-memory.dmp

Filesize
9.6MB

Download