MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9fe52010982ccd3628a5a882c019556b361c3fa7c29cb8052ff66f02bd28490. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

OrcusRAT

Vendor detections: 9

SHA256 hash: a9fe52010982ccd3628a5a882c019556b361c3fa7c29cb8052ff66f02bd28490
SHA3-384 hash: 1364abfffd6b2890a2bc6087ae7175bfdea0048e0b28556510f1a8df0e41f6bf5d4f4c2847bc4ca664cafd4ecb1370f6
SHA1 hash: 8c8ce620ba717b150589e7d437e44f22935bcfc3
MD5 hash: 8493b27c45a9f36063b9c1e9411974b6
humanhash: mockingbird-steak-william-summer
File name: 8493b27c45a9f36063b9c1e9411974b6
Signature: OrcusRAT
File size: 3'292'800 bytes
First seen: 2021-07-09 12:05:17 UTC
Last seen: 2021-07-09 14:34:41 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 49152:DsXVPVq5lL9eyZRyAzO1QJaF8jJ/oN4Ws4h0ab9qXiluS+ORrx09jtAB:AluQEMA3aajRgOA0kKipPJxT
Threatray: 71 similar samples on MalwareBazaar
TLSH: T168E512BBE997B47DD5223830EA01817DBB19FE33854D24B2799A3A8D06F717823B5134
Reporter: zbetcheckin
Tags: 32 exe OrcusRAT

Intelligence

File Origin
# of uploads: 2
# of downloads: 1'012
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 8493b27c45a9f36063b9c1e9411974b6
Verdict: Malicious activity
Analysis date: 2021-07-09 12:09:18 UTC
Tags: rat orcus

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Yara detected Costura Assembly Loader
Yara detected Orcus RAT
Behaviour
Behavior Graph (ID 446385; sample 51JDkLqWt1; start date 09/07/2021; architecture WINDOWS; score 100)
Graph summary (recovered from the rendered graph):
- Root signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Detected unpacking (changes PE section rights); 9 other signatures
- Processes started from the root: 51JDkLqWt1.exe, Broker.exe (two instances), 6 other processes
- Files dropped by 51JDkLqWt1.exe: C:\Windows\SysWOW64\WindowsInput.exe (PE32), C:\Program Files (x86)\Broker\Broker.exe (PE32), C:\Windows\SysWOW64\WindowsInput.exe.config (XML), 3 other malicious files
- Signatures on 51JDkLqWt1.exe: Detected unpacking (changes PE section rights); Drops executables to the windows directory (C:\Windows) and starts them; Tries to evade analysis by execution special instruction which cause usermode exception; Tries to detect virtualization through RDTSC time measurements
- Child processes of 51JDkLqWt1.exe: Broker.exe, WindowsInput.exe
- Signatures on Broker.exe: Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check); Protects its processes via BreakOnTermination flag
- Signatures on WindowsInput.exe: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
- Network: Broker.exe contacts 74.208.235.52 on ports 27016, 49764, 49783 (ONEANDONE-ASBrauerstrasse48DE, United States); other processes contact 192.168.2.1 (unknown)
Threat name: Win32.Trojan.Sorcurat
Status: Malicious
First seen: 2021-07-09 12:06:13 UTC
AV detection: 17 of 29 (58.62%)
Threat level: 5/5

Result
Malware family: n/a
Score: 9/10
Tags: evasion persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks BIOS information in registry
Identifies Wine through registry keys
Loads dropped DLL
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: Sectigo_Code_Signed
Description: Detects code signed by the Sectigo RSA Code Signing CA
Reference: https://bazaar.abuse.ch/export/csv/cscb/

File information


The information below gives additional details about this malware sample, such as its delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: OrcusRAT
File: Executable exe a9fe52010982ccd3628a5a882c019556b361c3fa7c29cb8052ff66f02bd28490 (this sample)

Comments
zbet commented on 2021-07-09 12:05:18 UTC

url: hxxps://download.kameleo.cf/orc.exe