MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e137b49e941f89c91c7f2433047e818680b98a69e7f734f070bffa4c60bc1724. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OrcusRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e137b49e941f89c91c7f2433047e818680b98a69e7f734f070bffa4c60bc1724
SHA3-384 hash: 08d712466a9f670354ab2384edb66cf70e39636be758907238a465fea950b30d6af96520b975f50c1477f8ad03293e3f
SHA1 hash: e4f7828712b9aeee19072d866ba2f85212196066
MD5 hash: 0b9ce450733c66c244dfcd180c07f0ff
humanhash: earth-arkansas-autumn-music
File name:orcus.exe
Download: download sample
Signature OrcusRAT
Create hunting rule
File size:5'242'879 bytes
First seen:2022-03-08 18:26:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:Vhg4MROxnFp/iJ0rZlI0AilFEvxHirjdE3:VhDMifKKrZlI0AilFEvxHi/
Threatray 162 similar samples on MalwareBazaar
TLSH T1D436BF013FACBD07C1BE2A78B7731AC91BB8E9066052FB4E085851AD1DDB701BD563A7
Reporter adm1n_usa32
Tags:exe Orcus OrcusRAT RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'658
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
orcus
Create hunting rule
ID:
1
File name:
orcus.exe
Verdict:
Malicious activity
Analysis date:
2022-03-08 18:25:25 UTC
Tags:
rat orcus
Link:
https://app.any.run/tasks/2e5e3b29-c32c-4dc8-a993-3b832c929d64

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
OrcusRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/248458/
Detection(s):
Win.Packed.Passwordstealera-9803747-0
Create hunting rule

Win.Packed.Generic-9805849-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Creating a window
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm cmd.exe control.exe explorer.exe keylogger obfuscated orcus overlay packed rat regedit.exe remote.exe rundll32.exe stealer
Link:
https://www.filescan.io/uploads/62279ffcb94fb38cb43fe7e0/reports/be04dd20-7f17-451a-adcb-b58e0269bd36/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Orcus RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ef5695bf-c9c1-40ba-ac3f-4677cefe0e95
Result
Threat name:
Orcus
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/952878
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Contains functionality to disable the Task Manager (.Net Source)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Yara detected Costura Assembly Loader
Yara detected Orcus RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e137b49e941f89c91c7f2433047e818680b98a69e7f734f070bffa4c60bc1724/
Threat name:
ByteCode-MSIL.Worm.Ainslot
Create hunting rule
Status:
Malicious
First seen:
2021-12-25 18:29:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
36 of 42 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4e33jhuud6e4shd7eqzqi7ubq2altctj473tj4dqx75eyyf4c4sa._file
Verdict:
malicious
Similar samples:
2060ac076d0fc563f875a2256d6fc88d0b5609df077e8313388b12f6221a3a75
OrcusRAT
4fbe661cc28646ebb59e1b6e9369ed705150c5fa5ca9c001359feac41a5f6088
OrcusRAT
7bf8ffd612e903c781abab704e0f9aa5c736a50343f6cad3faf53c3b62cf80eb
OrcusRAT
9efca9fb9aadcdec3f3e23fda67899c67dda0d7178636a5691e15d6b62e01649
OrcusRAT
b9657cd9005b01b162ce90306ba1b7c7c3df3551fba5f008efd780086f461e72
OrcusRAT
d92ee183633151e24c7ab0e670f8cd15f41defcf9b927780176d9b7bbe3c97f1
OrcusRAT
e199b52c6e53f641ac035a22bc75963d32bfb70dfb8a64a2cbf7d3efc9c1358a
OrcusRAT
e66a6f2c8051d349a1510a246182d5771244813d38bd8c43cfb325b583895f7e
OrcusRAT
e7b94b42550145f6653edad5a47879f3bad1abe865f065d7036ca942c572e842
OrcusRAT
f7e7dfe0a2e59a746679694100b4549408a7e5513d3b1cf4bee0ba981f5e1703
OrcusRAT
+ 152 additional samples on MalwareBazaar
Result
Malware family:
orcus
Create hunting rule
Score:
  10/10
Tags:
family:orcus
Link:
https://tria.ge/reports/220308-w3qnmadcbl/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Malware Config
C2 Extraction:
6.tcp.ngrok.io:18058
Unpacked files
SH256 hash:
e137b49e941f89c91c7f2433047e818680b98a69e7f734f070bffa4c60bc1724
MD5 hash:
0b9ce450733c66c244dfcd180c07f0ff
SHA1 hash:
e4f7828712b9aeee19072d866ba2f85212196066
Link:
https://www.unpac.me/results/ba03767b-1c5d-49a8-8529-3714aef90861/
Malware family:
OrcusRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e137b49e941f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.95
Link:
https://yomi.yoroi.company/submissions/e137b49e941f89c91c7f2433047e818680b98a69e7f734f070bffa4c60bc1724

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Fody
Create hunting rule
Author:ditekSHen
Description:Detects executables manipulated with Fody
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/2e5e3b29-c32c-4dc8-a993-3b832c929d64
Cape
Cape
https://www.capesandbox.com/analysis/248458/

Comments