MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9ad44b2a060ff9e8350a3cea2b178f7c384d6976f938f5248d16a2afa7ea426. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

OrcusRAT
Vendor detections: 10

SHA256 hash: c9ad44b2a060ff9e8350a3cea2b178f7c384d6976f938f5248d16a2afa7ea426
SHA3-384 hash: 9ad978050f464e338e7d76305bc55fbbff1edf6fd1b81749f8ee500b79f11037d95b1b970d6b5b92db81a10c3b928ded
SHA1 hash: 095768947de61b6d3e8a7cfe30d9f17d797dbe9c
MD5 hash: 2ffce162fbe99731f89bae751a8118a0
humanhash: diet-carpet-coffee-three
File name: c9ad44b2a060ff9e8350a3cea2b178f7c384d6976f938f5248d16a2afa7ea426
Signature: OrcusRAT
File size: 742'912 bytes
First seen: 2021-02-28 07:21:28 UTC
Last seen: 2021-02-28 08:59:50 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (shared with 48'740 AgentTesla, 19'599 Formbook and 12'241 SnakeKeylogger samples; this is the generic imphash of .NET executables, whose only native import is mscoree.dll!_CorExeMain, so it carries no family information and should not be used as an indicator)
ssdeep: 12288:vrMXOQoepUanZi1oc8B3S29hF5Q71OHFIol/9NM9xQ7SC3ppjK:vUOQr3A1oc8B3S2vM71OHhln7SC3
Threatray: 43 similar samples on MalwareBazaar
TLSH: 48F423F2578DDEFDCA6F02B04ECF598DB971D012C59A58317A768609EC1818B89FAF40
Reporter: JAMESWT_WT
Tags: OrcusRAT

Intelligence


File Origin
# of uploads: 2
# of downloads: 1'564
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: c9ad44b2a060ff9e8350a3cea2b178f7c384d6976f938f5248d16a2afa7ea426
Verdict: Suspicious activity
Analysis date: 2021-02-28 08:30:43 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Creating a window
Searching for the window
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Sending a UDP request
Deleting a recently created file
Creating a file in the Windows subdirectories
Creating a service
Launching a service
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Connection attempt
Setting a keyboard event handler
Unauthorized injection to a recently created process
Enabling autorun for a service
Enabling autorun by creating a file
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to inject threads in other processes
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Yara detected Costura Assembly Loader
Yara detected Orcus RAT
Behaviour
Behavior Graph:
Behavior Graph ID: 359452; Sample: 2DNzJWYbPy; Start date: 28/02/2021; Architecture: WINDOWS; Score: 100
Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 11 other signatures

Process tree as reported (dropped files, network connections and per-process signatures):
- 2DNzJWYbPy.exe
    dropped: C:\Users\user\AppData\...\Cs Ghost 3.1.exe (PE32); C:\Users\user\AppData\...\CSGhost_v3.1.exe (PE32); C:\Users\user\AppData\...\2DNzJWYbPy.exe.log (ASCII)
    - Cs Ghost 3.1.exe
        dropped: C:\Windows\SysWOW64\WindowsInput.exe (PE32); C:\Users\user\AppData\Roaming\...\svchost.exe (PE32); C:\Windows\SysWOW64\WindowsInput.exe.config (XML); 2 other malicious files
        signatures: Drops executables to the windows directory (C:\Windows) and starts them
        - svchost.exe
            network: 31.220.4.216:55551 (HOSTHATCHUS, Germany)
            dropped: C:\Users\user\AppData\Roaming\Svchost.exe (PE32); C:\Users\user\AppData\...\Svchost.exe.config (XML)
            signatures: Antivirus detection for dropped file; System process connects to network (likely due to code injection or exploit); Multi AV Scanner detection for dropped file; 3 other signatures
            - Svchost.exe
                signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
                - Svchost.exe
        - WindowsInput.exe
        - csc.exe
            dropped: C:\Users\user\AppData\Local\...\7w4q0bfk.dll (PE32)
            - conhost.exe
            - cvtres.exe
    - CSGhost_v3.1.exe
        signatures: Multi AV Scanner detection for dropped file; Contains functionality to inject threads in other processes
- svchost.exe (started at top level)
    network: 192.168.2.1 (unknown)
- WindowsInput.exe (started at top level)
- 3 other processes
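The process tree above shows the two patterns that make this sample easy to catch on an endpoint without any file hash: a copy of svchost.exe executing from AppData\Roaming with a non-service parent, and a payload written into C:\Windows\SysWOW64 and launched from a user-profile process. The following is an added example, not MalwareBazaar, sandbox or Orcus code. The names of the first two checks are taken from the Sigma matches listed in the report ("System File Execution Location Anomaly", "Suspicious Svchost Process"), but the logic is a deliberately simplified re-implementation, not the Sigma rules themselves; the lists of system binary names and legitimate svchost parents are short assumptions, and the third rule name is my own. The sample events are constructed to mirror the reported tree, with elided path segments ("...") replaced by placeholder names.

```python
"""Process/network triage heuristics modelled on the sandbox signatures above.
Added example, not MalwareBazaar or sandbox code. The first two rule names follow
the Sigma matches in the report; the checks are simplified re-implementations."""
import ntpath
from dataclasses import dataclass
from ipaddress import ip_address

# Assumption: a short illustrative list of system binary names that malware
# borrows for dropped payloads (the sample drops 'svchost.exe' into AppData).
SYSTEM_BINARY_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "services.exe",
                       "winlogon.exe", "explorer.exe", "conhost.exe", "dllhost.exe"}
# Directories where those names are legitimate (lower-case, trailing backslash).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# Assumption: abbreviated set of legitimate svchost.exe parent image names.
SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe"}
USER_PROFILE_PREFIX = "c:\\users\\"
WINDOWS_PREFIX = "c:\\windows\\"


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of its parent


@dataclass(frozen=True)
class NetworkEvent:
    image: str
    dest_ip: str
    dest_port: int


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any host)."""
    return ntpath.basename(path).lower()


def system_file_location_anomaly(ev: ProcessEvent) -> bool:
    """A system binary name executing outside System32/SysWOW64/WinSxS."""
    return _name(ev.image) in SYSTEM_BINARY_NAMES and not ev.image.lower().startswith(SYSTEM_DIRS)


def suspicious_svchost(ev: ProcessEvent) -> bool:
    """svchost.exe whose parent is not one of its legitimate launchers."""
    return _name(ev.image) == "svchost.exe" and _name(ev.parent_image) not in SVCHOST_PARENTS


def windows_dir_child_of_user_process(ev: ProcessEvent) -> bool:
    """Image under C:\\Windows started by a process living in a user profile: the
    'drops executables to the windows directory and starts them' pattern
    (WindowsInput.exe in SysWOW64 launched from AppData in the report)."""
    return (ev.image.lower().startswith(WINDOWS_PREFIX)
            and ev.parent_image.lower().startswith(USER_PROFILE_PREFIX))


PROCESS_RULES = {
    "System File Execution Location Anomaly": system_file_location_anomaly,
    "Suspicious Svchost Process": suspicious_svchost,
    # Assumption: my own name for the third check, not a published rule title.
    "Windows-directory executable started from user profile": windows_dir_child_of_user_process,
}


def triage(process_events, network_events):
    """Return sorted (rule, image) findings.

    Network events are only reported for images that a process rule already
    flagged, so a genuine System32\\svchost.exe reaching the network is not
    noise, while the AppData copy talking to 31.220.4.216:55551 is."""
    findings = set()
    flagged_images = set()
    for ev in process_events:
        for rule, check in PROCESS_RULES.items():
            if check(ev):
                findings.add((rule, ev.image))
                flagged_images.add(ev.image.lower())
    for ev in network_events:
        if ev.image.lower() in flagged_images:
            try:
                scope = "global" if ip_address(ev.dest_ip).is_global else "private"
            except ValueError:
                scope = "unparseable"
            findings.add((f"Flagged process connects to {scope} address {ev.dest_ip}:{ev.dest_port}", ev.image))
    return sorted(findings)


# Constructed events mirroring the reported process tree; elided "..." path
# segments are replaced by the placeholder 'subdir' (and Desktop for the dropper).
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),  # benign
    ProcessEvent(r"C:\Users\user\AppData\Roaming\Cs Ghost 3.1.exe", r"C:\Users\user\Desktop\2DNzJWYbPy.exe"),
    ProcessEvent(r"C:\Windows\SysWOW64\WindowsInput.exe", r"C:\Users\user\AppData\Roaming\Cs Ghost 3.1.exe"),
    ProcessEvent(r"C:\Users\user\AppData\Roaming\subdir\svchost.exe", r"C:\Users\user\AppData\Roaming\Cs Ghost 3.1.exe"),
    ProcessEvent(r"C:\Users\user\AppData\Roaming\Svchost.exe", r"C:\Users\user\AppData\Roaming\subdir\svchost.exe"),
]
SAMPLE_NETWORK_EVENTS = [
    NetworkEvent(r"C:\Windows\System32\svchost.exe", "192.168.2.1", 53),  # benign
    NetworkEvent(r"C:\Users\user\AppData\Roaming\subdir\svchost.exe", "31.220.4.216", 55551),
]

if __name__ == "__main__":
    for rule, image in triage(SAMPLE_PROCESS_EVENTS, SAMPLE_NETWORK_EVENTS):
        print(f"{rule}: {image}")
```

Note what these rules do not catch: the first-stage dropper (Cs Ghost 3.1.exe launched from the user's profile) trips none of them, which is why the sandbox leans on YARA and AV verdicts for that stage; the location and parent anomalies only fire once the RAT installs itself under system binary names.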
Threat name: ByteCode-MSIL.Trojan.Barys
Status: Malicious
First seen: 2021-02-27 02:57:00 UTC
AV detection: 21 of 29 (72.41%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:orcus rat spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Drops desktop.ini file(s)
Loads dropped DLL
Executes dropped EXE
Orcus
Orcus Main Payload
Unpacked files
SHA256 hash: 90e72b4e738e9da3ac1b7033fa099ede0554be96fcfa179526eec562d91291ac
MD5 hash: 372d83789a29dd9f04ffd4e8c9383e3d
SHA1 hash: d01062c5d283e74f9ca3e2640ed9b6ed1932cc04

SHA256 hash: db3ca7be5b2bd49a1c69ae22a2eddabebe7f277b5e3b1f476497b8bbb39361c0
MD5 hash: 633d43f7b4e576511a3a04b0681af2b2
SHA1 hash: 45b730093e630e99698e2a53e12d53f1ea188b1d

SHA256 hash: dc1383dcf33b22cc3638b4c78f8e41e2895ef79878e96f3d6e1a16feb8fefcb5
MD5 hash: 7773dfc1db73c2a877bb78ee51c80b08
SHA1 hash: 95adbb23594248182ee061a51cf72a6198ef6729

SHA256 hash: f8d3f2982ceaecec5304585d5da80f1eb579861653504f3e0cc6a129defb1e3d
MD5 hash: f65d17ce65db4c8fa22d4a1668c5048b
SHA1 hash: 7e362febba53e197e5455dbec59164a5676cded4

SHA256 hash: c9ad44b2a060ff9e8350a3cea2b178f7c384d6976f938f5248d16a2afa7ea426
MD5 hash: 2ffce162fbe99731f89bae751a8118a0
SHA1 hash: 095768947de61b6d3e8a7cfe30d9f17d797dbe9c
Please note that we are no longer able to provide a coverage score for Virus Total.
