MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e877ee10428a6a81a83caaa9222466efbc4635a719613d63f813d8dc49baef8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OrcusRAT


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e877ee10428a6a81a83caaa9222466efbc4635a719613d63f813d8dc49baef8f
SHA3-384 hash: eafa8cd0dc2eaa2cae64e052088edba50b4668a6b3f3a9d55b147dee61a5f89a7ee518369fbd03333f05ab364a4481e3
SHA1 hash: fe5cc9871ae75de0e96103fd072987d18ea6e2ec
MD5 hash: b24c7f70337242e9b04e6f7a03f420fb
humanhash: fanta-blue-foxtrot-london
File name:b24c7f70337242e9b04e6f7a03f420fb.exe
Download: download sample
Signature OrcusRAT
Create hunting rule
File size:745'121 bytes
First seen:2022-02-18 17:45:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4d17be67c8d0394c5c1b8e725359ed89 (5 x Adware.Generic, 4 x njrat, 3 x NanoCore)
ssdeep 12288:9xNLQ9qGhGG1cYbgrWccT70eMKnnRaoPLg5vzGg5ERTsVlpoiejD7y5C3Zt:29js41rn3VnxLivyg5ERSlu/jK5C3Zt
Threatray 116 similar samples on MalwareBazaar
TLSH T17EF4023191E1C594E70A14B0EBE592F584EC8D7ECC93060BC26F7E65B6748DDDC2A28B
File icon (PE):PE icon
dhash icon 80273d312b332380 (1 x OrcusRAT)
Reporter abuse_ch
Tags:exe OrcusRAT


Avatar
abuse_ch
OrcusRAT C2:
122.186.23.243:10134

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
122.186.23.243:10134 https://threatfox.abuse.ch/ioc/388653/

Intelligence

File Origin
# of uploads :
1
# of downloads :
688
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://anonfiles.com/r7H6AbI4xf/RDP_HACKING_TOOLS_PACK_rar
Verdict:
Malicious activity
Analysis date:
2022-02-18 18:05:25 UTC
Tags:
rat orcus trojan
Link:
https://app.any.run/tasks/e2ebb41f-ec18-4af4-b612-919a200eca23

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
OrcusRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/242570/
Detection(s):
SecuriteInfo.com.Variant.Adware.BrowseFox.62.UNOFFICIAL
Create hunting rule

Win.Packed.Passwordstealera-9803747-0
Create hunting rule

Win.Packed.Generic-9805849-0
Create hunting rule

SecuriteInfo.com.PSW.Generic8.CDKL.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a window
Creating a file in the Windows directory
Creating a file
Setting a keyboard event handler
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe orcus overlay packed shell32.dll virus
Link:
https://www.filescan.io/uploads/620fdb63a2660f3bb9fd91dd/reports/4c16446e-1327-451c-9f81-ee4d62a8335a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Orcus RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9908426c-ac17-44e1-a2e6-5221e6a6b04f
Result
Threat name:
Orcus
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/942388
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to disable the Task Manager (.Net Source)
Creates an autostart registry key pointing to binary in C:\Windows
Drops executables to the windows directory (C:\Windows) and starts them
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Yara detected Costura Assembly Loader
Yara detected Orcus RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 574866 Sample: pEIJ6Lu2py.exe Startdate: 18/02/2022 Architecture: WINDOWS Score: 100 34 Malicious sample detected (through community Yara rule) 2->34 36 Antivirus detection for URL or domain 2->36 38 Antivirus detection for dropped file 2->38 40 11 other signatures 2->40 7 pEIJ6Lu2py.exe 10 2->7         started        10 Desktop Window Manager.exe 2 2->10         started        12 Desktop Window Manager.exe 2 2->12         started        process3 file4 24 C:\Users\user\AppData\Local\Temp\Mass.exe, PE32 7->24 dropped 26 C:\Users\user\...\Desktop Window Manager.exe, PE32 7->26 dropped 14 Desktop Window Manager.exe 6 7->14         started        18 Mass.exe 2 7->18         started        process5 file6 28 C:\Windows\Desktop Window Manager.exe, PE32 14->28 dropped 30 C:\...\Desktop Window Manager.exe.config, XML 14->30 dropped 48 Drops executables to the windows directory (C:\Windows) and starts them 14->48 20 Desktop Window Manager.exe 1 2 14->20         started        50 Antivirus detection for dropped file 18->50 52 Multi AV Scanner detection for dropped file 18->52 signatures7 process8 dnsIp9 32 122.186.23.243, 10134, 49757, 49779 BBIL-APBHARTIAirtelLtdIN India 20->32 42 Protects its processes via BreakOnTermination flag 20->42 44 Creates an autostart registry key pointing to binary in C:\Windows 20->44 46 Installs a global keyboard hook 20->46 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e877ee10428a6a81a83caaa9222466efbc4635a719613d63f813d8dc49baef8f/
Threat name:
ByteCode-MSIL.Trojan.OrcusRAT
Create hunting rule
Status:
Malicious
First seen:
2022-02-15 09:01:21 UTC
File Type:
PE (Exe)
Extracted files:
36
AV detection:
35 of 43 (81.40%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5b364eccrjvidkb4vkusejdg566emnnhdfqt2y7ycpmnysn256hq._file
Verdict:
malicious
Similar samples:
030de3a6ac5f11501e8a9492846e393fc8be584f4dd68355bc54a70bb35ac4a7
OrcusRAT
3573aef05e6255e2579fc47d55765871702a351b9d7362a9d855ee92ed28aadb
OrcusRAT
50c1c541f9daea24b578ac94fd709b1214207a38cbc2ba3b36b2b0e81d0e4ee1
OrcusRAT
5fe03c646fcc7a7b912b2266fe54c645f203d22bfae171bf5f089e9934711dbb
OrcusRAT
6a95a31549b0ce73fc61664173ebab87da541094d8749894f05c707e543cbe1e
OrcusRAT
6b2bc89a82c41241a24f0a8c7972b563e30303bf7c277d767ac5766510e8f03e
OrcusRAT
e21d43df96e42ae29354ecf4b21e803c0c3bfd9a706f5f7ee334b1893ae92c6a
OrcusRAT
e467fbf52c4dc6e1b5cd1fa9a60dd230672581884b05381378a0a953d81f533b
OrcusRAT
+ 106 additional samples on MalwareBazaar
Result
Malware family:
orcus
Create hunting rule
Score:
  10/10
Tags:
family:orcus botnet:new persistence rat spyware stealer
Link:
https://tria.ge/reports/220218-wcb3jsdfbp/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Orcurs Rat Executable
Orcus
Orcus Main Payload
Malware Config
C2 Extraction:
122.186.23.243:10134
Unpacked files
SH256 hash:
e12b72a24d68d058f0eaaa7a415646079ac5fc030fd2dc4b1c0f154595cb67b1
MD5 hash:
87a08deedbe9493b5f1d8d918700b657
SHA1 hash:
5762d57101f3195ede11ac1f221fb6597e9657cd
Link:
https://www.unpac.me/results/d76636b1-a7cd-47ec-83a0-5b97f49b414d/
SH256 hash:
09765bc1c675be5e9824c919f6c23dab2c5a06743cdb301604e438163e058ed4
MD5 hash:
ae7213ddef6381831486a05c53d5cd0c
SHA1 hash:
41bdfa1cfcc13cf45286e64f832cbef499eb4cda
Link:
https://www.unpac.me/results/d76636b1-a7cd-47ec-83a0-5b97f49b414d/
SH256 hash:
0c52d8a203ba92de6f937a7d458c24854951761ccbbc8d3961bc2b7923239c7c
MD5 hash:
c2a974c1e5972d8772207ef8f9c5e39c
SHA1 hash:
11e2bcc91e20b982e7967c164053f57a2840fcb6
Link:
https://www.unpac.me/results/d76636b1-a7cd-47ec-83a0-5b97f49b414d/
SH256 hash:
970ddecc7c081a3affbffff9bddd489e012556350a3555fa6f0e7f9c3cb90270
MD5 hash:
e19a52cd5876e004ff8ef81744544b22
SHA1 hash:
d867460eef70830867f2a5c4c9f675cbaf3837ce
Link:
https://www.unpac.me/results/d76636b1-a7cd-47ec-83a0-5b97f49b414d/
SH256 hash:
4337b8c7f0e4dcdcfac91da7da51d571c7fae5701897dde891a4de2f1a6ccc17
MD5 hash:
ff139f0dcdaaf0aa2e02c71f0b727518
SHA1 hash:
9dc56be0f8e0ba6a4e1c57d97f27c772dfdb74b3
Link:
https://www.unpac.me/results/d76636b1-a7cd-47ec-83a0-5b97f49b414d/
SH256 hash:
db3ca7be5b2bd49a1c69ae22a2eddabebe7f277b5e3b1f476497b8bbb39361c0
MD5 hash:
633d43f7b4e576511a3a04b0681af2b2
SHA1 hash:
45b730093e630e99698e2a53e12d53f1ea188b1d
Link:
https://www.unpac.me/results/d76636b1-a7cd-47ec-83a0-5b97f49b414d/
SH256 hash:
a60fa4ef1d5036b6b5848d97ee2aa4df11c497d84273a82594ecc1ead26bf6cb
MD5 hash:
4a84aea009f518b25d1757c2e43e4906
SHA1 hash:
1143052abb45771349950a9b1fc75ce43a27f74e
Link:
https://www.unpac.me/results/d76636b1-a7cd-47ec-83a0-5b97f49b414d/
SH256 hash:
e877ee10428a6a81a83caaa9222466efbc4635a719613d63f813d8dc49baef8f
MD5 hash:
b24c7f70337242e9b04e6f7a03f420fb
SHA1 hash:
fe5cc9871ae75de0e96103fd072987d18ea6e2ec
Link:
https://www.unpac.me/results/d76636b1-a7cd-47ec-83a0-5b97f49b414d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e877ee10428a6a81a83caaa9222466efbc4635a719613d63f813d8dc49baef8f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/242570/

Comments