MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81074c41b76fd86ce228d266821c33d86a7448f30f58966d7990b77ba321552e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

OrcusRAT
Vendor detections: 11

SHA256 hash: 81074c41b76fd86ce228d266821c33d86a7448f30f58966d7990b77ba321552e
SHA3-384 hash: 9aa37c4069177703ba8059332b6ea28f345378d4b9e054e712bdfda1ec4f20e10f843ffb6604c0a6a1a8a8351525a47b
SHA1 hash: a3eb185ac2d5b3103d6ef1d7d1c173c48368757d
MD5 hash: 8021e5c041aa213fc61651ebe4c1aec3
humanhash: uniform-asparagus-arkansas-tennis
File name: Loader_neverlose.exe
Signature: OrcusRAT
File size: 9'476'096 bytes
First seen: 2021-06-18 21:59:49 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: d59a4a699610169663a929d37c90be43 (75 x DCRat, 22 x njrat, 15 x SalatStealer)
ssdeep: 196608:nmEYXv1GVznCi1rEM3c6gTWk8nZNLEdbVs0e/oF1jnGfqlSYID7arA:nmEYfcznrqbWkAydbS0mzqavv
TLSH: C0A6237532587A9CC03E85349D33FDC4A7F5A50E05B9E6EDB5EAA1D02F5FA00EA02706
Reporter: Anonymous
Tags: exe Orcus OrcusRAT
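Checking whether a file found on a host is this exact sample comes down to comparing digests. The script below is an added example, not MalwareBazaar's own code: it computes the four digests listed in the entry (MD5, SHA1, SHA256, SHA3-384) with the standard library and ranks a match by the strength of the algorithm that agreed. The function names (hash_bytes, hash_file, matching_algorithms, classify) are this example's own. imphash, ssdeep and TLSH are left out because they need third-party libraries (pefile, ssdeep, py-tlsh); the "no-match" verdict is where you would fall back to those, or to the YARA rules further down, for a repacked build.

```python
import hashlib
from typing import Dict, List

# Digests copied from this MalwareBazaar entry for Loader_neverlose.exe.
ENTRY_HASHES: Dict[str, str] = {
    "md5": "8021e5c041aa213fc61651ebe4c1aec3",
    "sha1": "a3eb185ac2d5b3103d6ef1d7d1c173c48368757d",
    "sha256": "81074c41b76fd86ce228d266821c33d86a7448f30f58966d7990b77ba321552e",
    "sha3_384": (
        "9aa37c4069177703ba8059332b6ea28f345378d4b9e054e712bdfda1ec4f20e1"
        "0f843ffb6604c0a6a1a8a8351525a47b"
    ),
}
ENTRY_FILE_SIZE = 9_476_096  # bytes, as listed in the entry

ALGORITHMS = ("md5", "sha1", "sha256", "sha3_384")


def _new_hashers():
    """One fresh hashlib object per algorithm, keyed by the entry's field names."""
    return {alg: hashlib.new(alg) for alg in ALGORITHMS}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Lower-case hex digests of an in-memory blob for all four algorithms."""
    hashers = _new_hashers()
    for h in hashers.values():
        h.update(data)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream a file through all four hashers in a single pass.

    A 9 MB sample would fit in memory, but the same routine gets pointed at
    quarantine directories, so read in chunks instead of slurping the file.
    """
    hashers = _new_hashers()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def matching_algorithms(observed: Dict[str, str],
                        entry: Dict[str, str] = ENTRY_HASHES) -> List[str]:
    """Algorithms on which `observed` agrees with the entry.

    Case-insensitive, because vendor reports, SIEM fields and MalwareBazaar
    itself do not agree on hex casing.
    """
    return sorted(
        alg for alg, digest in entry.items()
        if alg in observed and observed[alg].lower() == digest.lower()
    )


def classify(observed: Dict[str, str],
             entry: Dict[str, str] = ENTRY_HASHES) -> str:
    """Collapse the per-algorithm result into a verdict a pipeline can act on.

    'match'      SHA-256 or SHA3-384 agrees: same bytes as the catalogued sample.
    'weak-match' only MD5 and/or SHA-1 agree: almost certainly the same file,
                 but both have practical collision attacks, so confirm with a
                 stronger digest before acting on it.
    'no-match'   nothing agrees; a repacked or recompiled build lands here.
    """
    matched = matching_algorithms(observed, entry)
    if "sha256" in matched or "sha3_384" in matched:
        return "match"
    if matched:
        return "weak-match"
    return "no-match"


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        digests = hash_file(path)
        print(path, classify(digests), matching_algorithms(digests))
```

Run it as `python check_sample.py <file>...`; a file size different from ENTRY_FILE_SIZE is a cheap pre-filter before hashing large directories, but size alone never confirms anything.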

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC              ThreatFox Reference
18.117.142.49:2  https://threatfox.abuse.ch/ioc/136766/

Intelligence

File Origin
# of uploads: 1
# of downloads: 1'997
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Loader_neverlose.exe
Verdict: Malicious activity
Analysis date: 2021-06-18 22:03:34 UTC
Tags: rat orcus

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to disable the Task Manager (.Net Source)
Drops executables to the windows directory (C:\Windows) and starts them
Hides threads from debuggers
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect debuggers (CloseHandle check)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Uses dynamic DNS services
Yara detected Costura Assembly Loader
Yara detected Orcus RAT
Behaviour
Behavior Graph (ID: 437010, Sample: Loader_neverlose.exe, Startdate: 19/06/2021, Architecture: WINDOWS, Score: 100)
Top-level signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 9 other signatures.
Process tree (dropped files, network endpoints and per-process signatures as recorded in the graph):
- Loader_neverlose.exe (started)
    dropped: C:\Users\user\AppData\...\Loader_abema.exe (PE32+); C:\Users\user\AppData\Local\Temp\123.exe (PE32)
    - 123.exe (started)
        dropped: C:\Windows\WindowsWD\Windowsdefender.exe (PE32); C:\Windows\SysWOW64\WindowsInput.exe (PE32); C:\Windows\...\Windowsdefender.exe.config (XML); C:\Windows\SysWOW64\WindowsInput.exe.config (XML)
        signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Drops executables to the windows directory (C:\Windows) and starts them
        - Windowsdefender.exe (started)
            network: orcustop4ik.duckdns.org 18.117.142.49, port 2 (source ports 49742, 49750), MIT-GATEWAYSUS, United States
            signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Installs a global keyboard hook
        - WindowsInput.exe (started)
            signatures: Multi AV Scanner detection for dropped file
    - Loader_abema.exe (started)
        network: akrien.wtf 172.67.168.210, port 443 (source ports 49737, 49738), CLOUDFLARENETUS, United States
        signatures: Multi AV Scanner detection for dropped file; Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Tries to evade analysis by execution special instruction which cause usermode exception; 3 other signatures
        - conhost.exe (started)
        - cmd.exe (started)
- WindowsInput.exe (started again from the root of the run)
- Windowsdefender.exe (started again from the root of the run)
- 5 other processes
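The IOC table and the behavior graph together give a small, concrete detection set: the C2 endpoint 18.117.142.49:2, the dynamic-DNS name orcustop4ik.duckdns.org, the loader's contact with akrien.wtf, and the executables 123.exe writes under C:\Windows\WindowsWD\ and C:\Windows\SysWOW64\ before starting them. The block below is an added example, not code from MalwareBazaar or any of the sandboxes: it runs those indicators over a handful of constructed Sysmon-style events (ProcessCreate 1, NetworkConnect 3, FileCreate 11, DnsQuery 22; the events, paths and function names detect and verdict are this example's own, not real telemetry) and grades each hit. Two caveats are built in. 172.67.168.210 is a Cloudflare edge, and akrien.wtf belongs to the game-cheat loader the sample was bundled with rather than to the RAT, so both are rated below the RAT's own endpoint. A duckdns.org query on its own is only a weak signal, and because the name is dynamic DNS, the IP it resolved to in June 2021 cannot be assumed to still be the C2.

```python
from typing import Dict, Iterable, List

# Network indicators from the IOC table (ThreatFox 136766) and the sandbox run.
C2_ENDPOINTS = {("18.117.142.49", 2)}
C2_DOMAINS = {"orcustop4ik.duckdns.org"}
RELATED_HOSTS = {"akrien.wtf"}        # contacted by Loader_abema.exe, not by the RAT
RELATED_IPS = {"172.67.168.210"}      # Cloudflare edge: shared, low confidence alone
DYNDNS_SUFFIXES = (".duckdns.org",)   # the service seen in this run; extend as needed

# Host indicators. 123.exe wrote into C:\Windows\WindowsWD\, a directory that
# does not exist on a stock Windows install, so any file created there counts;
# the SysWOW64 paths are matched exactly. Paths are compared lower-cased.
DROPPED_DIR = "c:\\windows\\windowswd\\"
DROPPED_PATHS = {
    "c:\\windows\\syswow64\\windowsinput.exe",
    "c:\\windows\\syswow64\\windowsinput.exe.config",
}

# Constructed Sysmon-style events (not real telemetry): the sandbox's observed
# activity, one benign dynamic-DNS lookup, and two ordinary records.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 11, "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\123.exe",
     "TargetFilename": "C:\\Windows\\WindowsWD\\Windowsdefender.exe"},
    {"EventID": 11, "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\123.exe",
     "TargetFilename": "C:\\Windows\\SysWOW64\\WindowsInput.exe.config"},
    {"EventID": 1, "Image": "C:\\Windows\\WindowsWD\\Windowsdefender.exe",
     "ParentImage": "C:\\Users\\user\\AppData\\Local\\Temp\\123.exe"},
    {"EventID": 22, "Image": "C:\\Windows\\WindowsWD\\Windowsdefender.exe",
     "QueryName": "orcustop4ik.duckdns.org"},
    {"EventID": 3, "Image": "C:\\Windows\\WindowsWD\\Windowsdefender.exe",
     "DestinationIp": "18.117.142.49", "DestinationPort": "2",
     "DestinationHostname": ""},
    {"EventID": 3, "Image": "C:\\Users\\user\\Desktop\\Loader_abema.exe",  # constructed location
     "DestinationIp": "172.67.168.210", "DestinationPort": "443",
     "DestinationHostname": "akrien.wtf"},
    {"EventID": 22, "Image": "C:\\Program Files\\Example\\updater.exe",
     "QueryName": "home-nas.duckdns.org"},
    {"EventID": 22, "Image": "C:\\Windows\\System32\\svchost.exe",
     "QueryName": "www.microsoft.com"},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe",
     "DestinationIp": "8.8.8.8", "DestinationPort": "53",
     "DestinationHostname": "dns.google"},
]


def _alert(ev: Dict, rule: str, detail: str, confidence: str) -> Dict:
    return {"rule": rule, "confidence": confidence, "detail": detail,
            "image": ev.get("Image", "")}


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Run every event through the IOC rules; return one alert per matching event."""
    alerts: List[Dict] = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 11:
            path = ev.get("TargetFilename", "").lower()
            if path.startswith(DROPPED_DIR) or path in DROPPED_PATHS:
                alerts.append(_alert(ev, "orcus-dropped-file", path, "high"))
        elif eid == 1:
            image = ev.get("Image", "").lower()
            if image.startswith(DROPPED_DIR) or image in DROPPED_PATHS:
                alerts.append(_alert(ev, "orcus-dropped-exe-started", image, "high"))
        elif eid == 22:
            name = ev.get("QueryName", "").lower().rstrip(".")
            if name in C2_DOMAINS:
                alerts.append(_alert(ev, "orcus-c2-domain", name, "high"))
            elif name.endswith(DYNDNS_SUFFIXES):
                alerts.append(_alert(ev, "dynamic-dns-query", name, "low"))
        elif eid == 3:
            ip = ev.get("DestinationIp", "")
            port = int(ev.get("DestinationPort", 0) or 0)
            host = ev.get("DestinationHostname", "").lower().rstrip(".")
            if (ip, port) in C2_ENDPOINTS or host in C2_DOMAINS:
                alerts.append(_alert(ev, "orcus-c2-connection", f"{host or ip}:{port}", "high"))
            elif host in RELATED_HOSTS:
                alerts.append(_alert(ev, "orcus-loader-site", f"{host}:{port}", "medium"))
            elif ip in RELATED_IPS:
                alerts.append(_alert(ev, "orcus-loader-site", f"{ip}:{port}", "low"))
    return alerts


def verdict(alerts: Iterable[Dict]) -> str:
    """'infected' on any high-confidence hit, 'suspicious' on medium/low only, else 'clean'."""
    levels = {a["confidence"] for a in alerts}
    if "high" in levels:
        return "infected"
    if levels:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for hit in hits:
        print(f"[{hit['confidence']:>6}] {hit['rule']:<28} {hit['detail']}  ({hit['image']})")
    print("verdict:", verdict(hits))
```

Feeding real telemetry means mapping your EDR or Sysmon export onto the same four field names; the rules themselves do not change. The high-confidence rules here are the ones worth paging on; the low-confidence ones belong in a hunt query, where the persisted copies restarting from C:\Windows\WindowsWD\ after a reboot are the strongest host-side sign that the RAT, and not only the cheat loader, survived.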
Threat name: Win32.Trojan.Orcus
Status: Malicious
First seen: 2021-06-18 22:00:17 UTC
AV detection: 40 of 46 (86.96%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:orcus rat spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Detected Akrien Game Cheat
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Loads dropped DLL
Executes dropped EXE
Orcurs Rat Executable
Orcus
Orcus Main Payload
Unpacked files
SHA256 hash: 81074c41b76fd86ce228d266821c33d86a7448f30f58966d7990b77ba321552e
MD5 hash: 8021e5c041aa213fc61651ebe4c1aec3
SHA1 hash: a3eb185ac2d5b3103d6ef1d7d1c173c48368757d
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Agenttesla_type2
Author: JPCERT/CC Incident Response Group
Description: detect Agenttesla in memory
Reference: internal research

Rule name: CAP_HookExKeylogger
Author: Brian C. Bell -- @biebsmalwareguy
Reference: https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name: Chrome_stealer_bin_mem
Author: James_inthe_box
Description: Chrome in files like avemaria

Rule name: Glasses
Author: Seth Hardy
Description: Glasses family

Rule name: GlassesCode
Author: Seth Hardy
Description: Glasses code features

Rule name: INDICATOR_EXE_Packed_Fody
Author: ditekSHen
Description: Detects executables manipulated with Fody

Rule name: INDICATOR_SUSPICIOUS_GENInfoStealer
Author: ditekSHen
Description: Detects executables containing common artifacts observed in infostealers

Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog

Rule name: Select_from_enumeration
Author: James_inthe_box
Description: IP and port combo

File information


The table below shows additional information about this malware sample such as delivery method and external references.
