MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5fa05263e53d8fee01ac12bb9dac350164d9594e0131f58a66baefa6f5ae0c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



OrcusRAT


Vendor detections: 13



SHA256 hash: b5fa05263e53d8fee01ac12bb9dac350164d9594e0131f58a66baefa6f5ae0c9
SHA3-384 hash: 0efe6e984328abee3feff32295a7cd4b653ba61edec47dc96c1bae798312d047822be9077e8f0451dcccdad398fd96da
SHA1 hash: f5ae73c1b7eaadc174fd5b1fa588782a693b55fe
MD5 hash: 39b730bb5f42dcd279483574a08dca4e
humanhash: coffee-timing-video-maryland
File name: 39B730BB5F42DCD279483574A08DCA4E.exe
Signature: OrcusRAT
File size: 12'268'544 bytes
First seen: 2021-08-21 23:50:56 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 196608:Hm9t0n5I2VexPYioLSjkBB1xlZWDlqmYK8iR6Hpe0KKCuLeClp:Hmrt2ViBoL8DlzwQ0K0LTl
Threatray: 65 similar samples on MalwareBazaar
TLSH: T1B7C63301216082ADE23B6B32D1C65FB127674BD6ED7298F12FCA4A10EC5E613D1D2F9D
dhash icon: e180ccfcc0c6e078 (1 x OrcusRAT)
Reporter: abuse_ch
Tags: exe OrcusRAT
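Before detonating or sharing a sample pulled from this entry, recompute the listed digests locally so that a corrupted download or a mislabelled archive is caught first. The script below is an added example, not MalwareBazaar's own tooling: it checks all four digests the entry lists that the Python standard library can compute (MD5, SHA1, SHA256, SHA3-384) and derives the MD5-based file name the entry uses. imphash, ssdeep and TLSH need third-party packages and are left out. The command-line usage and the test bytes in the check are assumptions of this example.

```python
"""Verify a downloaded sample against the digests listed on a MalwareBazaar entry.

Added example, not MalwareBazaar code. Standard library only: MD5, SHA1, SHA256
and SHA3-384. imphash, ssdeep and TLSH need extra packages and are not covered.
"""
import hashlib

# Digests exactly as listed on this entry (hashlib algorithm names as keys).
LISTED = {
    "md5": "39b730bb5f42dcd279483574a08dca4e",
    "sha1": "f5ae73c1b7eaadc174fd5b1fa588782a693b55fe",
    "sha256": "b5fa05263e53d8fee01ac12bb9dac350164d9594e0131f58a66baefa6f5ae0c9",
    "sha3_384": "0efe6e984328abee3feff32295a7cd4b653ba61edec47dc96c1bae798312d047822be9077e8f0451dcccdad398fd96da",
}


def digests(data: bytes) -> dict:
    """Compute every digest named in LISTED over the given bytes."""
    return {name: hashlib.new(name, data).hexdigest() for name in LISTED}


def verify(data: bytes, expected: dict = LISTED) -> list:
    """Return the names of digests that do not match (empty list when all match).

    Every listed digest is compared, not just one: agreement on MD5 and SHA1 but
    not SHA256 would point at a mislabelled entry rather than a bad download.
    """
    got = digests(data)
    return sorted(name for name, want in expected.items() if got[name] != want.lower())


def expected_filename(md5_hex: str) -> str:
    """MalwareBazaar names this sample after its uppercase MD5 plus the extension."""
    return md5_hex.upper() + ".exe"


if __name__ == "__main__":
    import sys
    # Usage (assumption of this example): python verify_sample.py <extracted sample>
    with open(sys.argv[1], "rb") as fh:
        blob = fh.read()
    bad = verify(blob)
    print("all listed digests match" if not bad else "MISMATCH: " + ", ".join(bad))
    print("expected file name:", expected_filename(digests(blob)["md5"]))
```

Run it against the file extracted from the downloaded archive; anything other than "all listed digests match" means you are not holding the sample this entry describes.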


abuse_ch
OrcusRAT C2:
93.108.180.0:4444

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox reference
93.108.180.0:4444    https://threatfox.abuse.ch/ioc/192568/
94.60.124.63:4444    https://threatfox.abuse.ch/ioc/192569/
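The two IOCs above are IP:port pairs, so the natural check is to run them over connection logs from the perimeter. The following is an added example, not MalwareBazaar or ThreatFox code: the key=value log format is constructed for illustration (adapt parse_line() to your own firewall or proxy export), and the lower-confidence "c2-ip" class for a listed IP seen on a different port is this example's own choice, made because the port in an Orcus build is configurable while the IP is the part that came from the configuration extraction.

```python
"""Match firewall or proxy connection logs against the C2 IOCs listed on this entry.

Added example, not MalwareBazaar or ThreatFox code. The key=value log format is
constructed for illustration; adapt parse_line() to your own log source.
"""
import re
from collections import namedtuple
from typing import List, Optional, Tuple

# IOCs from the table above (ThreatFox 192568 and 192569): (IP, port) pairs.
C2_IOCS = {("93.108.180.0", 4444), ("94.60.124.63", 4444)}
C2_IPS = {ip for ip, _ in C2_IOCS}

Event = namedtuple("Event", "ts src dst dport action")

# Constructed format: "<ts> src=<ip>:<port> dst=<ip>:<port> proto=<p> action=<a>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\s+proto=\w+\s+action=(?P<action>\w+)"
)


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(m["ts"], m["src"], m["dst"], int(m["dport"]), m["action"])


def classify(ev: Event) -> Optional[str]:
    """'c2' for an exact IP:port hit, 'c2-ip' when only the IP matches, else None.

    The port is part of the IOC, but an Orcus build can be configured with any
    port, so traffic to a listed IP on another port is still worth a look.
    """
    if (ev.dst, ev.dport) in C2_IOCS:
        return "c2"
    if ev.dst in C2_IPS:
        return "c2-ip"
    return None


def scan(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (source host, destination, verdict, firewall action) per IOC hit.

    Denied connections are reported too: a blocked beacon still identifies an
    infected host that needs to be pulled for forensics.
    """
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        verdict = classify(ev)
        if verdict:
            hits.append((ev.src, f"{ev.dst}:{ev.dport}", verdict, ev.action))
    return hits


def affected_hosts(hits) -> List[str]:
    """Distinct internal hosts that reached, or tried to reach, a C2 IOC."""
    return sorted({src for src, _, _, _ in hits})


# Constructed sample log. 185.199.108.133 is the raw.githubusercontent.com
# address from the sandbox run above; it is CDN traffic, not an IOC, and must not fire.
SAMPLE_LOG = """\
2021-08-22T00:01:05Z src=10.0.0.5:51234 dst=93.108.180.0:4444 proto=tcp action=allow
2021-08-22T00:01:06Z src=10.0.0.5:51235 dst=185.199.108.133:443 proto=tcp action=allow
2021-08-22T00:01:09Z src=10.0.0.7:51002 dst=94.60.124.63:8080 proto=tcp action=deny
2021-08-22T00:01:12Z src=10.0.0.9:51300 dst=94.60.124.63:4444 proto=tcp action=deny
this line is malformed and is skipped
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("affected hosts:", affected_hosts(found))
```

Treat a "c2" hit as confirmed beaconing and a "c2-ip" hit as something to verify against the extracted configuration before escalating.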

Intelligence


File Origin
# of uploads: 1
# of downloads: 914
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 39B730BB5F42DCD279483574A08DCA4E.exe
Verdict: Malicious activity
Analysis date: 2021-08-21 23:54:03 UTC
Tags: rat orcus

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Sending a UDP request
DNS request
Connection attempt
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 68 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Contains functionality to disable the Task Manager (.Net Source)
Detected VMProtect packer
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Csc.exe Source File Folder
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Orcus RAT
Behaviour
Behavior Graph: ID 469311, sample BEM6oSoge6.exe, start date 22/08/2021, architecture WINDOWS, score 68. The graph image is rendered here as a process tree (paths abbreviated as in the original):
- Sample start: DNS request for discord.com. Signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 10 other signatures. Starts BEM6oSoge6.exe, two svchost.exe instances (one contacting 127.0.0.1) and 6 other processes.
  - BEM6oSoge6.exe drops C:\Users\user\AppData\...\Sugfsqmlgl.exe (PE32), C:\Users\user\AppData\Local\...\Qsksbou.exe (PE32), C:\Users\user\AppData\Local\...\Miprbqjmw.exe (PE32) and C:\Users\user\AppData\...\BEM6oSoge6.exe.log (ASCII); starts Miprbqjmw.exe, Qsksbou.exe and Sugfsqmlgl.exe.
    - Miprbqjmw.exe drops C:\Users\user\AppData\Local\...\server6.exe (PE32) and C:\Users\user\AppData\Local\...\server1.exe (PE32). Signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Hides that the sample has been downloaded from the Internet (zone.identifier). Starts server6.exe, RegAsm.exe and server1.exe.
      - server6.exe drops C:\Windows\HC\svchost.exe (PE32). Signatures: Multi AV Scanner detection for dropped file; Drops PE files with benign system names. Starts csc.exe, which drops C:\Users\user\AppData\Local\...\davcsqyl.dll (PE32) and starts conhost.exe and cvtres.exe.
      - RegAsm.exe drops C:\Windows\SysWOW64\WindowsInput.exe (PE32) and C:\Windows\HV\svchost.exe (PE32). Signature: Drops executables to the windows directory (C:\Windows) and starts them. Starts csc.exe, which drops C:\Users\user\AppData\Local\...\ub96eky_.dll (PE32) and starts conhost.exe and cvtres.exe.
      - server1.exe drops C:\Users\user\AppData\...\rrhdisnr.cmdline (UTF-8). Starts csc.exe, which drops C:\Users\user\AppData\Local\...\rrhdisnr.dll (PE32) and starts conhost.exe and cvtres.exe.
    - Qsksbou.exe: Injects a PE file into a foreign processes. Starts RegAsm.exe, which starts csc.exe; that csc.exe drops C:\Users\user\AppData\Local\...\sx28veue.dll (PE32) and starts conhost.exe.
    - Sugfsqmlgl.exe contacts raw.githubusercontent.com (185.199.108.133, port 443, FASTLYUS, Netherlands) and starts chrome.exe.
      - chrome.exe contacts 192.168.2.1 and 239.255.255.250 (Reserved) and drops C:\Users\user\AppData\Local\...\000003.log (DOS). Signature: Writes to foreign memory regions. Starts three further chrome.exe processes; one of them contacts googlehosted.l.googleusercontent.com (142.250.181.225, port 443, GOOGLEUS, United States), accounts.google.com (142.250.186.173, port 443, GOOGLEUS, United States) and 6 other IPs or domains.
Threat name: ByteCode-MSIL.Backdoor.Bladabhindi
Status: Malicious
First seen: 2021-08-18 22:50:40 UTC
AV detection: 20 of 28 (71.43%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:orcus family:xmrig miner rat spyware stealer vmprotect
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops desktop.ini file(s)
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
VMProtect packed file
Orcurs Rat Executable
Orcus
Orcus Main Payload
xmrig
Malware Config
C2 Extraction: 93.108.180.0:4444, 94.60.124.63:4444
Unpacked files (SHA256 hash / MD5 hash / SHA1 hash; the last row is the submitted sample itself):
b0b85f30c5fe9f01ae3b644bfa3f0c64a51128b277fa57efabd78ff1d299b6f5 / e1764c2acbc0f821e369e0718e1daaea / 8fa531eff4c8e7277781974527e0f3fcb8646005
0e33d64d6f2bfad4145c4792d967192150f01ec7e7149fe13fddc4bb6d45619b / 87725197cf3e0fe815ac8af42abcc595 / 9b60442eae00354c611c1c084586617e893b3c40
f0d44926c42a1f6c604eaee6b89b55f2203967dd69ad4bb6869118a233c6ad34 / 08e98f326e87e48b30a15c6ad12cc7c5 / c10907f819ae8f5c700a96edeee1ff3f9c75bba7
88ecc1e5ac9aee8ec13fc8cb5957f5bbcc85c967f97cb136294797f459b77d2e / f66d486ee47ec021704cd27238a12f14 / ee0230079037a14d97195bfc182e80698717faa0
994cce559ffe5ab07be72bd2ef2e0630b48ba214a11d38e5c14a64dca73b7e1f / 37a447930e1e365e8f6bf6d96a18e8ca / af2b0bb31c9ca6accf23839cc638c6540155476a
36b237312e94c2773bce259b00c7eefe21cce6c269dec29eccaa8722de834697 / 94fbc61572cfdb5759cbaad036998f7a / 44d7c11dcfff727f6704068184f8f339871de267
d3410d686ef243617eea7339e2b2067142d8e6335740615c9ff81daeb095f680 / 278deed0da52b1ca6c361bcf80b3f93f / a6f0c41afad42226cfdb679ce7d8448d22c9fe21
862d18c8f4e84350761fcf176e144b73b90667cc64fe62f0e0b40e97f02125ae / a6468940da5b48861196091aa6b1d007 / 30c9a027e7769cf31b77a2e3bd9d02e395551840
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a / 913967b216326e36a08010fb70f9dba3 / 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
e12b72a24d68d058f0eaaa7a415646079ac5fc030fd2dc4b1c0f154595cb67b1 / 87a08deedbe9493b5f1d8d918700b657 / 5762d57101f3195ede11ac1f221fb6597e9657cd
db3ca7be5b2bd49a1c69ae22a2eddabebe7f277b5e3b1f476497b8bbb39361c0 / 633d43f7b4e576511a3a04b0681af2b2 / 45b730093e630e99698e2a53e12d53f1ea188b1d
a60fa4ef1d5036b6b5848d97ee2aa4df11c497d84273a82594ecc1ead26bf6cb / 4a84aea009f518b25d1757c2e43e4906 / 1143052abb45771349950a9b1fc75ce43a27f74e
48c1c8405be5f92c1f24c36a872d071177734ab3b3a438152e32cf68379c4cc3 / 9868e936b23d5d445a2e0ed7375c58eb / a932e6d7335d8f8d11c99ee0780a5bb10f654583
b5fa05263e53d8fee01ac12bb9dac350164d9594e0131f58a66baefa6f5ae0c9 / 39b730bb5f42dcd279483574a08dca4e / f5ae73c1b7eaadc174fd5b1fa588782a693b55fe
Malware family: OrcusRAT
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments