MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a95a31549b0ce73fc61664173ebab87da541094d8749894f05c707e543cbe1e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OrcusRAT


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6a95a31549b0ce73fc61664173ebab87da541094d8749894f05c707e543cbe1e
SHA3-384 hash: 2dc82c74742f96fe38aad869cac0202f244d6689618859a020dedf741937743262545e8d45f29d158f6fbaf14bd0fdf4
SHA1 hash: f17ebaee1a0084c5e9c5877f607d56c495339b73
MD5 hash: 981eb6dbd0a4eb2e33f04b0ffac69944
humanhash: august-autumn-oxygen-jig
File name:981EB6DBD0A4EB2E33F04B0FFAC69944.exe
Download: download sample
Signature OrcusRAT
Create hunting rule
File size:1'756'160 bytes
First seen:2021-07-12 16:01:41 UTC
Last seen:2021-07-12 16:38:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2e5467cba76f44a088d39f78c5e807b6 (131 x DCRat, 112 x njrat, 80 x RedLineStealer)
ssdeep 49152:3hilQaVMSbkad5Jha688XBrvcvN/P9bnbGhJtjh:RilQaVlt5KLAvK35bGhL
Threatray 7 similar samples on MalwareBazaar
TLSH T1BA8533C4F2A67AD4F810ADB36ABD6D856C52EC971F72521A078C6FCBC61F605326320D
Reporter abuse_ch
Tags:exe OrcusRAT


Avatar
abuse_ch
OrcusRAT C2:
3.137.146.78:777

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
3.137.146.78:777 https://threatfox.abuse.ch/ioc/159861/

Intelligence

File Origin
# of uploads :
2
# of downloads :
1'017
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
981EB6DBD0A4EB2E33F04B0FFAC69944.exe
Verdict:
Malicious activity
Analysis date:
2021-07-12 16:03:09 UTC
Tags:
rat orcus
Link:
https://app.any.run/tasks/b57a1b9a-a5f5-47bd-8804-14ad51f68940

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
OrcusRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/171166/
Detection(s):
PUA.Win.Packer.EnigmaProtector-19
Create hunting rule

PUA.Win.Packer.EnigmaProtector-1
Create hunting rule

PUA.Win.Packer.EnigmaProtector-9852682-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Orcus RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dc16f3e5-8b65-474c-901e-f96d5efdcfec
Result
Threat name:
Orcus
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/815026
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Hides threads from debuggers
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Tries to evade analysis by execution special instruction which cause usermode exception
Uses dynamic DNS services
Yara detected Costura Assembly Loader
Yara detected Orcus RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 447437 Sample: glk3M5FU5d.exe Startdate: 12/07/2021 Architecture: WINDOWS Score: 100 37 Multi AV Scanner detection for domain / URL 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Antivirus / Scanner detection for submitted sample 2->41 43 6 other signatures 2->43 6 glk3M5FU5d.exe 10 2->6         started        10 Windowsdefender.exe 3 2->10         started        12 Windowsdefender.exe 2 2->12         started        14 4 other processes 2->14 process3 dnsIp4 23 C:\Windows\WindowsWD\Windowsdefender.exe, PE32 6->23 dropped 25 C:\Windows\SysWOW64\WindowsInput.exe, PE32 6->25 dropped 27 C:\...\Windowsdefender.exe:Zone.Identifier, ASCII 6->27 dropped 29 3 other malicious files 6->29 dropped 53 Detected unpacking (changes PE section rights) 6->53 55 Detected unpacking (overwrites its own PE header) 6->55 57 Drops executables to the windows directory (C:\Windows) and starts them 6->57 59 Tries to evade analysis by execution special instruction which cause usermode exception 6->59 17 Windowsdefender.exe 2 6->17         started        21 WindowsInput.exe 2 4 6->21         started        61 Hides threads from debuggers 10->61 35 127.0.0.1 unknown unknown 14->35 file5 signatures6 process7 dnsIp8 31 orcustop4ik.duckdns.org 3.137.146.78, 49726, 49731, 777 AMAZON-02US United States 17->31 33 192.168.2.1 unknown unknown 17->33 45 Antivirus detection for dropped file 17->45 47 Multi AV Scanner detection for dropped file 17->47 49 Detected unpacking (changes PE section rights) 17->49 51 5 other signatures 17->51 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6a95a31549b0ce73fc61664173ebab87da541094d8749894f05c707e543cbe1e/
Threat name:
ByteCode-MSIL.Trojan.Downeks
Create hunting rule
Status:
Malicious
First seen:
2021-07-09 01:42:00 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nkk2gfkjwdhhh7dbmzaxh25lq7nfieeu3b2jrfhqlryh4vb4xypa._file
Verdict:
malicious
Similar samples:
45e9959441e6e30c4c7a4dd8b3d56b88ad09d2ad253851ea79be62ec9c1c8f68
OrcusRAT
4ce7656c38f73b3580594e7850ccc1723340ba789b233c248861b0e08e52d8d4
OrcusRAT
50c1c541f9daea24b578ac94fd709b1214207a38cbc2ba3b36b2b0e81d0e4ee1
OrcusRAT
5907f265be010c299b5e22d766d0fa3ee6ad2936b96dc40d8ef328cf3d388160
OrcusRAT
79e0a26bc2c9c902744c618ad7af045e5b1ced50f98ca066a33df44218f84702
OrcusRAT
7fa09dedce556fe7faaf343f399c45b53cc20e54eedb187692de8897e8b50e7a
OrcusRAT
df8d26f897c26aa4051e4ed01b4b747a3cd0db41d1818726ea63fabfef008a00
OrcusRAT
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210712-x4qg8e99ln/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
6a95a31549b0ce73fc61664173ebab87da541094d8749894f05c707e543cbe1e
MD5 hash:
981eb6dbd0a4eb2e33f04b0ffac69944
SHA1 hash:
f17ebaee1a0084c5e9c5877f607d56c495339b73
Link:
https://www.unpac.me/results/54207372-3a0d-4845-bb83-c15e1a9e44da/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6a95a31549b0ce73fc61664173ebab87da541094d8749894f05c707e543cbe1e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:INDICATOR_EXE_Packed_Fody
Create hunting rule
Author:ditekSHen
Description:Detects executables manipulated with Fody
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_smominru_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.smominru.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/171166/

Comments