MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7e7d51e82941b9eb56f82854e9682dc7a8593185ce6216082d5f795ceace582. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OrcusRAT


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e7e7d51e82941b9eb56f82854e9682dc7a8593185ce6216082d5f795ceace582
SHA3-384 hash: 0d9ca340438d5338fced772812b2f792cb71ed0165ac98ca45a2eae3dc912d31d42b9c1ef2dba96b73b3a40c123cf6fc
SHA1 hash: ba47b57ff5b0c6d02ea5a1b80e96cee5387b03de
MD5 hash: 52ee41a4329c6874df19851ac928c8e8
humanhash: hamper-hawaii-mobile-december
File name:52EE41A4329C6874DF19851AC928C8E8.exe
Download: download sample
Signature OrcusRAT
Create hunting rule
File size:920'576 bytes
First seen:2021-07-12 14:01:02 UTC
Last seen:2021-07-12 14:49:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:I6Tqa5yUdR6LjjxsDzX2W0HIsV0tRxewUzHChFBd3X3:IbFUmPwH0osV0Tx/UzOBdH3
Threatray 56 similar samples on MalwareBazaar
TLSH T16515234A3252F99FC37BC17596E44E29E6607A778B9F81076423108D7E8D697DF002B3
Reporter abuse_ch
Tags:exe OrcusRAT


Avatar
abuse_ch
OrcusRAT C2:
3.137.146.78:6666

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
3.137.146.78:6666 https://threatfox.abuse.ch/ioc/159812/

Intelligence

File Origin
# of uploads :
2
# of downloads :
1'007
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
52EE41A4329C6874DF19851AC928C8E8.exe
Verdict:
No threats detected
Analysis date:
2021-07-12 14:20:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d6c30055-6b85-40f3-ad12-6455339249b4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/171138/
Detection(s):
PUA.Win.Packed.ConfuserEx-6582917-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Orcus RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/860dac09-037c-49c6-bd60-05e180949d49
Result
Threat name:
Orcus
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/814921
Signature
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Uses dynamic DNS services
Yara detected Costura Assembly Loader
Yara detected Orcus RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 447332 Sample: uptkFVzchM.exe Startdate: 12/07/2021 Architecture: WINDOWS Score: 100 49 clientconfig.passport.net 2->49 53 Multi AV Scanner detection for domain / URL 2->53 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 8 other signatures 2->59 8 uptkFVzchM.exe 5 2->8         started        12 svchost.exe 2->12         started        14 svchost.exe 2 2->14         started        16 13 other processes 2->16 signatures3 process4 dnsIp5 41 C:\Users\user\Desktop\WinRarUnzipper.exe, PE32 8->41 dropped 43 C:\Users\user\AppData\...\uptkFVzchM.exe.log, ASCII 8->43 dropped 69 Detected unpacking (overwrites its own PE header) 8->69 71 Hides that the sample has been downloaded from the Internet (zone.identifier) 8->71 19 WinRarUnzipper.exe 9 8->19         started        73 Changes security center settings (notifications, updates, antivirus, firewall) 12->73 23 MpCmdRun.exe 12->23         started        75 Query firmware table information (likely to detect VMs) 14->75 45 127.0.0.1 unknown unknown 16->45 47 192.168.2.1 unknown unknown 16->47 file6 signatures7 process8 file9 33 C:\Windows\SysWOW64\WindowsInput.exe, PE32 19->33 dropped 35 C:\Users\user\AppData\...\UnzipManager.exe, PE32 19->35 dropped 37 C:\Windows\SysWOW64\WindowsInput.exe.config, XML 19->37 dropped 39 C:\Users\user\...\UnzipManager.exe.config, XML 19->39 dropped 61 Antivirus detection for dropped file 19->61 63 Multi AV Scanner detection for dropped file 19->63 65 Machine Learning detection for dropped file 19->65 67 Drops executables to the windows directory (C:\Windows) and starts them 19->67 25 WindowsInput.exe 2 4 19->25         started        28 UnzipManager.exe 2 19->28         started        31 conhost.exe 23->31         started        signatures10 process11 dnsIp12 77 Antivirus detection for dropped file 25->77 79 Multi AV Scanner detection for dropped file 25->79 51 orcustop4ik.duckdns.org 3.137.146.78, 49722, 49736, 6666 AMAZON-02US United States 28->51 81 Installs a global keyboard hook 28->81 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e7e7d51e82941b9eb56f82854e9682dc7a8593185ce6216082d5f795ceace582/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-07-10 20:43:23 UTC
AV detection:
13 of 28 (46.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=47t5khucsqnz5nlpqkcu5fuc3r5ileyylttccyec2x3zltvm4wba._file
Verdict:
malicious
Similar samples:
28027fae1edf2324a8165c9f1a82273f958385c4947e8750a6bdcf29ec2e4906
OrcusRAT
3e40414d3d75b88373027c33bbe22e90a6ef7fdf7c98b8b6e8a8e51b4b781a56
OrcusRAT
50c1c541f9daea24b578ac94fd709b1214207a38cbc2ba3b36b2b0e81d0e4ee1
OrcusRAT
53943895601cbc79561cb30c9957715400d82a255d97ce36fe1b383bf3c240da
OrcusRAT
5fe03c646fcc7a7b912b2266fe54c645f203d22bfae171bf5f089e9934711dbb
OrcusRAT
81074c41b76fd86ce228d266821c33d86a7448f30f58966d7990b77ba321552e
OrcusRAT
ba381e6d45fa8afdd935d625f596fdf7fa87ef463a34135b43bf361e9f377f2e
OrcusRAT
bf5d5c28bec7bdcf41fad771fd465ba6bb9a56e053c9470a6e10293466109d3c
OrcusRAT
d7f7b600a0291f227e18c700916cbd7552aeb595e51a1ab918e164255cc29b1b
OrcusRAT
da027d0065fa09308efb93370437a0495a3bcec56325fb9846d807066a9abf86
OrcusRAT
+ 46 additional samples on MalwareBazaar
Result
Malware family:
orcus
Create hunting rule
Score:
  10/10
Tags:
family:orcus rat spyware stealer
Link:
https://tria.ge/reports/210712-dxqvwcddfn/
Behaviour
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Orcurs Rat Executable
Orcus
Orcus Main Payload
Unpacked files
SH256 hash:
e12b72a24d68d058f0eaaa7a415646079ac5fc030fd2dc4b1c0f154595cb67b1
MD5 hash:
87a08deedbe9493b5f1d8d918700b657
SHA1 hash:
5762d57101f3195ede11ac1f221fb6597e9657cd
Link:
https://www.unpac.me/results/d542824e-f6f9-4a64-9a3a-eb84899e6d3c/
SH256 hash:
496e7339e2d36429b392d592c818a4751ae731b98f6b0523623f2fee92409fc5
MD5 hash:
1766a0ee0777ad87df3df9bb3d4c448e
SHA1 hash:
4c138ce2d2c95cf1d3be1aad202fba464bc1cb64
Link:
https://www.unpac.me/results/d542824e-f6f9-4a64-9a3a-eb84899e6d3c/
SH256 hash:
0c52d8a203ba92de6f937a7d458c24854951761ccbbc8d3961bc2b7923239c7c
MD5 hash:
c2a974c1e5972d8772207ef8f9c5e39c
SHA1 hash:
11e2bcc91e20b982e7967c164053f57a2840fcb6
Link:
https://www.unpac.me/results/d542824e-f6f9-4a64-9a3a-eb84899e6d3c/
SH256 hash:
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
MD5 hash:
e6fcf516d8ed8d0d4427f86e08d0d435
SHA1 hash:
c7691731583ab7890086635cb7f3e4c22ca5e409
Link:
https://www.unpac.me/results/d542824e-f6f9-4a64-9a3a-eb84899e6d3c/
SH256 hash:
db3ca7be5b2bd49a1c69ae22a2eddabebe7f277b5e3b1f476497b8bbb39361c0
MD5 hash:
633d43f7b4e576511a3a04b0681af2b2
SHA1 hash:
45b730093e630e99698e2a53e12d53f1ea188b1d
Link:
https://www.unpac.me/results/d542824e-f6f9-4a64-9a3a-eb84899e6d3c/
SH256 hash:
a60fa4ef1d5036b6b5848d97ee2aa4df11c497d84273a82594ecc1ead26bf6cb
MD5 hash:
4a84aea009f518b25d1757c2e43e4906
SHA1 hash:
1143052abb45771349950a9b1fc75ce43a27f74e
Link:
https://www.unpac.me/results/d542824e-f6f9-4a64-9a3a-eb84899e6d3c/
SH256 hash:
91b06c753fe837ec3a54349da00ab6591693f4359178e60ca07b1b529aadc733
MD5 hash:
f0075dada3792fe0bb97245bad765d29
SHA1 hash:
9b9c0f6e495672fc4ed7cde6964d51368ec7f50a
Link:
https://www.unpac.me/results/d542824e-f6f9-4a64-9a3a-eb84899e6d3c/
SH256 hash:
e7e7d51e82941b9eb56f82854e9682dc7a8593185ce6216082d5f795ceace582
MD5 hash:
52ee41a4329c6874df19851ac928c8e8
SHA1 hash:
ba47b57ff5b0c6d02ea5a1b80e96cee5387b03de
Link:
https://www.unpac.me/results/d542824e-f6f9-4a64-9a3a-eb84899e6d3c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e7e7d51e82941b9eb56f82854e9682dc7a8593185ce6216082d5f795ceace582

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_NET_NAME_ConfuserEx
Create hunting rule
Author:Arnim Rupp
Description:Detects ConfuserEx packed file
Reference:https://github.com/yck1509/ConfuserEx

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/171138/

Comments